1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI sockets. */
26 #include <linux/compat.h>
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <linux/sched.h>
30 #include <linux/unaligned.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/hci_mon.h>
35 #include <net/bluetooth/mgmt.h>
36
37 #include "mgmt_util.h"
38
39 static LIST_HEAD(mgmt_chan_list);
40 static DEFINE_MUTEX(mgmt_chan_list_lock);
41
42 static DEFINE_IDA(sock_cookie_ida);
43
44 static atomic_t monitor_promisc = ATOMIC_INIT(0);
45
46 /* ----- HCI socket interface ----- */
47
48 /* Socket info */
49 #define hci_pi(sk) ((struct hci_pinfo *) sk)
50
51 struct hci_pinfo {
52 struct bt_sock bt;
53 struct hci_dev *hdev;
54 struct hci_filter filter;
55 __u8 cmsg_mask;
56 unsigned short channel;
57 unsigned long flags;
58 __u32 cookie;
59 char comm[TASK_COMM_LEN];
60 __u16 mtu;
61 };
62
hci_hdev_from_sock(struct sock * sk)63 static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
64 {
65 struct hci_dev *hdev = hci_pi(sk)->hdev;
66
67 if (!hdev)
68 return ERR_PTR(-EBADFD);
69 if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
70 return ERR_PTR(-EPIPE);
71 return hdev;
72 }
73
hci_sock_set_flag(struct sock * sk,int nr)74 void hci_sock_set_flag(struct sock *sk, int nr)
75 {
76 set_bit(nr, &hci_pi(sk)->flags);
77 }
78
hci_sock_clear_flag(struct sock * sk,int nr)79 void hci_sock_clear_flag(struct sock *sk, int nr)
80 {
81 clear_bit(nr, &hci_pi(sk)->flags);
82 }
83
hci_sock_test_flag(struct sock * sk,int nr)84 int hci_sock_test_flag(struct sock *sk, int nr)
85 {
86 return test_bit(nr, &hci_pi(sk)->flags);
87 }
88
hci_sock_get_channel(struct sock * sk)89 unsigned short hci_sock_get_channel(struct sock *sk)
90 {
91 return hci_pi(sk)->channel;
92 }
93
hci_sock_get_cookie(struct sock * sk)94 u32 hci_sock_get_cookie(struct sock *sk)
95 {
96 return hci_pi(sk)->cookie;
97 }
98
hci_sock_gen_cookie(struct sock * sk)99 static bool hci_sock_gen_cookie(struct sock *sk)
100 {
101 int id = hci_pi(sk)->cookie;
102
103 if (!id) {
104 id = ida_alloc_min(&sock_cookie_ida, 1, GFP_KERNEL);
105 if (id < 0)
106 id = 0xffffffff;
107
108 hci_pi(sk)->cookie = id;
109 get_task_comm(hci_pi(sk)->comm, current);
110 return true;
111 }
112
113 return false;
114 }
115
hci_sock_free_cookie(struct sock * sk)116 static void hci_sock_free_cookie(struct sock *sk)
117 {
118 int id = hci_pi(sk)->cookie;
119
120 if (id) {
121 hci_pi(sk)->cookie = 0xffffffff;
122 ida_free(&sock_cookie_ida, id);
123 }
124 }
125
hci_test_bit(int nr,const void * addr)126 static inline int hci_test_bit(int nr, const void *addr)
127 {
128 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
129 }
130
131 /* Security filter */
132 #define HCI_SFLT_MAX_OGF 5
133
134 struct hci_sec_filter {
135 __u32 type_mask;
136 __u32 event_mask[2];
137 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
138 };
139
140 static const struct hci_sec_filter hci_sec_filter = {
141 /* Packet types */
142 0x10,
143 /* Events */
144 { 0x1000d9fe, 0x0000b00c },
145 /* Commands */
146 {
147 { 0x0 },
148 /* OGF_LINK_CTL */
149 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
150 /* OGF_LINK_POLICY */
151 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
152 /* OGF_HOST_CTL */
153 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
154 /* OGF_INFO_PARAM */
155 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
156 /* OGF_STATUS_PARAM */
157 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
158 }
159 };
160
161 static struct bt_sock_list hci_sk_list = {
162 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
163 };
164
is_filtered_packet(struct sock * sk,struct sk_buff * skb)165 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
166 {
167 struct hci_filter *flt;
168 int flt_type, flt_event;
169
170 /* Apply filter */
171 flt = &hci_pi(sk)->filter;
172
173 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
174
175 if (!test_bit(flt_type, &flt->type_mask))
176 return true;
177
178 /* Extra filter for event packets only */
179 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
180 return false;
181
182 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
183
184 if (!hci_test_bit(flt_event, &flt->event_mask))
185 return true;
186
187 /* Check filter only when opcode is set */
188 if (!flt->opcode)
189 return false;
190
191 if (flt_event == HCI_EV_CMD_COMPLETE &&
192 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
193 return true;
194
195 if (flt_event == HCI_EV_CMD_STATUS &&
196 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
197 return true;
198
199 return false;
200 }
201
202 /* Send frame to RAW socket */
hci_send_to_sock(struct hci_dev * hdev,struct sk_buff * skb)203 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
204 {
205 struct sock *sk;
206 struct sk_buff *skb_copy = NULL;
207
208 BT_DBG("hdev %p len %d", hdev, skb->len);
209
210 read_lock(&hci_sk_list.lock);
211
212 sk_for_each(sk, &hci_sk_list.head) {
213 struct sk_buff *nskb;
214
215 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
216 continue;
217
218 /* Don't send frame to the socket it came from */
219 if (skb->sk == sk)
220 continue;
221
222 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
223 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
224 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
225 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
226 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
227 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
228 continue;
229 if (is_filtered_packet(sk, skb))
230 continue;
231 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
232 if (!bt_cb(skb)->incoming)
233 continue;
234 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
235 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
236 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
237 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
238 continue;
239 } else {
240 /* Don't send frame to other channel types */
241 continue;
242 }
243
244 if (!skb_copy) {
245 /* Create a private copy with headroom */
246 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
247 if (!skb_copy)
248 continue;
249
250 /* Put type byte before the data */
251 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
252 }
253
254 nskb = skb_clone(skb_copy, GFP_ATOMIC);
255 if (!nskb)
256 continue;
257
258 if (sock_queue_rcv_skb(sk, nskb))
259 kfree_skb(nskb);
260 }
261
262 read_unlock(&hci_sk_list.lock);
263
264 kfree_skb(skb_copy);
265 }
266
hci_sock_copy_creds(struct sock * sk,struct sk_buff * skb)267 static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb)
268 {
269 struct scm_creds *creds;
270
271 if (!sk || WARN_ON(!skb))
272 return;
273
274 creds = &bt_cb(skb)->creds;
275
276 /* Check if peer credentials is set */
277 if (!sk->sk_peer_pid) {
278 /* Check if parent peer credentials is set */
279 if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid)
280 sk = bt_sk(sk)->parent;
281 else
282 return;
283 }
284
285 /* Check if scm_creds already set */
286 if (creds->pid == pid_vnr(sk->sk_peer_pid))
287 return;
288
289 memset(creds, 0, sizeof(*creds));
290
291 creds->pid = pid_vnr(sk->sk_peer_pid);
292 if (sk->sk_peer_cred) {
293 creds->uid = sk->sk_peer_cred->uid;
294 creds->gid = sk->sk_peer_cred->gid;
295 }
296 }
297
hci_skb_clone(struct sk_buff * skb)298 static struct sk_buff *hci_skb_clone(struct sk_buff *skb)
299 {
300 struct sk_buff *nskb;
301
302 if (!skb)
303 return NULL;
304
305 nskb = skb_clone(skb, GFP_ATOMIC);
306 if (!nskb)
307 return NULL;
308
309 hci_sock_copy_creds(skb->sk, nskb);
310
311 return nskb;
312 }
313
314 /* Send frame to sockets with specific channel */
__hci_send_to_channel(unsigned short channel,struct sk_buff * skb,int flag,struct sock * skip_sk)315 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
316 int flag, struct sock *skip_sk)
317 {
318 struct sock *sk;
319
320 BT_DBG("channel %u len %d", channel, skb->len);
321
322 sk_for_each(sk, &hci_sk_list.head) {
323 struct sk_buff *nskb;
324
325 /* Ignore socket without the flag set */
326 if (!hci_sock_test_flag(sk, flag))
327 continue;
328
329 /* Skip the original socket */
330 if (sk == skip_sk)
331 continue;
332
333 if (sk->sk_state != BT_BOUND)
334 continue;
335
336 if (hci_pi(sk)->channel != channel)
337 continue;
338
339 nskb = hci_skb_clone(skb);
340 if (!nskb)
341 continue;
342
343 if (sock_queue_rcv_skb(sk, nskb))
344 kfree_skb(nskb);
345 }
346
347 }
348
hci_send_to_channel(unsigned short channel,struct sk_buff * skb,int flag,struct sock * skip_sk)349 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
350 int flag, struct sock *skip_sk)
351 {
352 read_lock(&hci_sk_list.lock);
353 __hci_send_to_channel(channel, skb, flag, skip_sk);
354 read_unlock(&hci_sk_list.lock);
355 }
356
357 /* Send frame to monitor socket */
hci_send_to_monitor(struct hci_dev * hdev,struct sk_buff * skb)358 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
359 {
360 struct sk_buff *skb_copy = NULL;
361 struct hci_mon_hdr *hdr;
362 __le16 opcode;
363
364 if (!atomic_read(&monitor_promisc))
365 return;
366
367 BT_DBG("hdev %p len %d", hdev, skb->len);
368
369 switch (hci_skb_pkt_type(skb)) {
370 case HCI_COMMAND_PKT:
371 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
372 break;
373 case HCI_EVENT_PKT:
374 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
375 break;
376 case HCI_ACLDATA_PKT:
377 if (bt_cb(skb)->incoming)
378 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
379 else
380 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
381 break;
382 case HCI_SCODATA_PKT:
383 if (bt_cb(skb)->incoming)
384 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
385 else
386 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
387 break;
388 case HCI_ISODATA_PKT:
389 if (bt_cb(skb)->incoming)
390 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT);
391 else
392 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT);
393 break;
394 case HCI_DIAG_PKT:
395 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
396 break;
397 default:
398 return;
399 }
400
401 /* Create a private copy with headroom */
402 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
403 if (!skb_copy)
404 return;
405
406 hci_sock_copy_creds(skb->sk, skb_copy);
407
408 /* Put header before the data */
409 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE);
410 hdr->opcode = opcode;
411 hdr->index = cpu_to_le16(hdev->id);
412 hdr->len = cpu_to_le16(skb->len);
413
414 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
415 HCI_SOCK_TRUSTED, NULL);
416 kfree_skb(skb_copy);
417 }
418
hci_send_monitor_ctrl_event(struct hci_dev * hdev,u16 event,void * data,u16 data_len,ktime_t tstamp,int flag,struct sock * skip_sk)419 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
420 void *data, u16 data_len, ktime_t tstamp,
421 int flag, struct sock *skip_sk)
422 {
423 struct sock *sk;
424 __le16 index;
425
426 if (hdev)
427 index = cpu_to_le16(hdev->id);
428 else
429 index = cpu_to_le16(MGMT_INDEX_NONE);
430
431 read_lock(&hci_sk_list.lock);
432
433 sk_for_each(sk, &hci_sk_list.head) {
434 struct hci_mon_hdr *hdr;
435 struct sk_buff *skb;
436
437 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
438 continue;
439
440 /* Ignore socket without the flag set */
441 if (!hci_sock_test_flag(sk, flag))
442 continue;
443
444 /* Skip the original socket */
445 if (sk == skip_sk)
446 continue;
447
448 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
449 if (!skb)
450 continue;
451
452 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
453 put_unaligned_le16(event, skb_put(skb, 2));
454
455 if (data)
456 skb_put_data(skb, data, data_len);
457
458 skb->tstamp = tstamp;
459
460 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
461 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
462 hdr->index = index;
463 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
464
465 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
466 HCI_SOCK_TRUSTED, NULL);
467 kfree_skb(skb);
468 }
469
470 read_unlock(&hci_sk_list.lock);
471 }
472
create_monitor_event(struct hci_dev * hdev,int event)473 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
474 {
475 struct hci_mon_hdr *hdr;
476 struct hci_mon_new_index *ni;
477 struct hci_mon_index_info *ii;
478 struct sk_buff *skb;
479 __le16 opcode;
480
481 switch (event) {
482 case HCI_DEV_REG:
483 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
484 if (!skb)
485 return NULL;
486
487 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
488 ni->type = 0x00; /* Old hdev->dev_type */
489 ni->bus = hdev->bus;
490 bacpy(&ni->bdaddr, &hdev->bdaddr);
491 memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name,
492 strnlen(hdev->name, sizeof(ni->name)), '\0');
493
494 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
495 break;
496
497 case HCI_DEV_UNREG:
498 skb = bt_skb_alloc(0, GFP_ATOMIC);
499 if (!skb)
500 return NULL;
501
502 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
503 break;
504
505 case HCI_DEV_SETUP:
506 if (hdev->manufacturer == 0xffff)
507 return NULL;
508 fallthrough;
509
510 case HCI_DEV_UP:
511 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
512 if (!skb)
513 return NULL;
514
515 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
516 bacpy(&ii->bdaddr, &hdev->bdaddr);
517 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
518
519 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
520 break;
521
522 case HCI_DEV_OPEN:
523 skb = bt_skb_alloc(0, GFP_ATOMIC);
524 if (!skb)
525 return NULL;
526
527 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
528 break;
529
530 case HCI_DEV_CLOSE:
531 skb = bt_skb_alloc(0, GFP_ATOMIC);
532 if (!skb)
533 return NULL;
534
535 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
536 break;
537
538 default:
539 return NULL;
540 }
541
542 __net_timestamp(skb);
543
544 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
545 hdr->opcode = opcode;
546 hdr->index = cpu_to_le16(hdev->id);
547 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
548
549 return skb;
550 }
551
create_monitor_ctrl_open(struct sock * sk)552 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
553 {
554 struct hci_mon_hdr *hdr;
555 struct sk_buff *skb;
556 u16 format;
557 u8 ver[3];
558 u32 flags;
559
560 /* No message needed when cookie is not present */
561 if (!hci_pi(sk)->cookie)
562 return NULL;
563
564 switch (hci_pi(sk)->channel) {
565 case HCI_CHANNEL_RAW:
566 format = 0x0000;
567 ver[0] = BT_SUBSYS_VERSION;
568 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
569 break;
570 case HCI_CHANNEL_USER:
571 format = 0x0001;
572 ver[0] = BT_SUBSYS_VERSION;
573 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
574 break;
575 case HCI_CHANNEL_CONTROL:
576 format = 0x0002;
577 mgmt_fill_version_info(ver);
578 break;
579 default:
580 /* No message for unsupported format */
581 return NULL;
582 }
583
584 skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC);
585 if (!skb)
586 return NULL;
587
588 hci_sock_copy_creds(sk, skb);
589
590 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;
591
592 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
593 put_unaligned_le16(format, skb_put(skb, 2));
594 skb_put_data(skb, ver, sizeof(ver));
595 put_unaligned_le32(flags, skb_put(skb, 4));
596 skb_put_u8(skb, TASK_COMM_LEN);
597 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN);
598
599 __net_timestamp(skb);
600
601 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
602 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
603 if (hci_pi(sk)->hdev)
604 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
605 else
606 hdr->index = cpu_to_le16(HCI_DEV_NONE);
607 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
608
609 return skb;
610 }
611
create_monitor_ctrl_close(struct sock * sk)612 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
613 {
614 struct hci_mon_hdr *hdr;
615 struct sk_buff *skb;
616
617 /* No message needed when cookie is not present */
618 if (!hci_pi(sk)->cookie)
619 return NULL;
620
621 switch (hci_pi(sk)->channel) {
622 case HCI_CHANNEL_RAW:
623 case HCI_CHANNEL_USER:
624 case HCI_CHANNEL_CONTROL:
625 break;
626 default:
627 /* No message for unsupported format */
628 return NULL;
629 }
630
631 skb = bt_skb_alloc(4, GFP_ATOMIC);
632 if (!skb)
633 return NULL;
634
635 hci_sock_copy_creds(sk, skb);
636
637 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
638
639 __net_timestamp(skb);
640
641 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
642 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
643 if (hci_pi(sk)->hdev)
644 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
645 else
646 hdr->index = cpu_to_le16(HCI_DEV_NONE);
647 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
648
649 return skb;
650 }
651
create_monitor_ctrl_command(struct sock * sk,u16 index,u16 opcode,u16 len,const void * buf)652 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
653 u16 opcode, u16 len,
654 const void *buf)
655 {
656 struct hci_mon_hdr *hdr;
657 struct sk_buff *skb;
658
659 skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
660 if (!skb)
661 return NULL;
662
663 hci_sock_copy_creds(sk, skb);
664
665 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
666 put_unaligned_le16(opcode, skb_put(skb, 2));
667
668 if (buf)
669 skb_put_data(skb, buf, len);
670
671 __net_timestamp(skb);
672
673 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
674 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
675 hdr->index = cpu_to_le16(index);
676 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
677
678 return skb;
679 }
680
681 static void __printf(2, 3)
send_monitor_note(struct sock * sk,const char * fmt,...)682 send_monitor_note(struct sock *sk, const char *fmt, ...)
683 {
684 size_t len;
685 struct hci_mon_hdr *hdr;
686 struct sk_buff *skb;
687 va_list args;
688
689 va_start(args, fmt);
690 len = vsnprintf(NULL, 0, fmt, args);
691 va_end(args);
692
693 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
694 if (!skb)
695 return;
696
697 hci_sock_copy_creds(sk, skb);
698
699 va_start(args, fmt);
700 vsprintf(skb_put(skb, len), fmt, args);
701 *(u8 *)skb_put(skb, 1) = 0;
702 va_end(args);
703
704 __net_timestamp(skb);
705
706 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
707 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
708 hdr->index = cpu_to_le16(HCI_DEV_NONE);
709 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
710
711 if (sock_queue_rcv_skb(sk, skb))
712 kfree_skb(skb);
713 }
714
send_monitor_replay(struct sock * sk)715 static void send_monitor_replay(struct sock *sk)
716 {
717 struct hci_dev *hdev;
718
719 read_lock(&hci_dev_list_lock);
720
721 list_for_each_entry(hdev, &hci_dev_list, list) {
722 struct sk_buff *skb;
723
724 skb = create_monitor_event(hdev, HCI_DEV_REG);
725 if (!skb)
726 continue;
727
728 if (sock_queue_rcv_skb(sk, skb))
729 kfree_skb(skb);
730
731 if (!test_bit(HCI_RUNNING, &hdev->flags))
732 continue;
733
734 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
735 if (!skb)
736 continue;
737
738 if (sock_queue_rcv_skb(sk, skb))
739 kfree_skb(skb);
740
741 if (test_bit(HCI_UP, &hdev->flags))
742 skb = create_monitor_event(hdev, HCI_DEV_UP);
743 else if (hci_dev_test_flag(hdev, HCI_SETUP))
744 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
745 else
746 skb = NULL;
747
748 if (skb) {
749 if (sock_queue_rcv_skb(sk, skb))
750 kfree_skb(skb);
751 }
752 }
753
754 read_unlock(&hci_dev_list_lock);
755 }
756
send_monitor_control_replay(struct sock * mon_sk)757 static void send_monitor_control_replay(struct sock *mon_sk)
758 {
759 struct sock *sk;
760
761 read_lock(&hci_sk_list.lock);
762
763 sk_for_each(sk, &hci_sk_list.head) {
764 struct sk_buff *skb;
765
766 skb = create_monitor_ctrl_open(sk);
767 if (!skb)
768 continue;
769
770 if (sock_queue_rcv_skb(mon_sk, skb))
771 kfree_skb(skb);
772 }
773
774 read_unlock(&hci_sk_list.lock);
775 }
776
777 /* Generate internal stack event */
hci_si_event(struct hci_dev * hdev,int type,int dlen,void * data)778 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
779 {
780 struct hci_event_hdr *hdr;
781 struct hci_ev_stack_internal *ev;
782 struct sk_buff *skb;
783
784 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
785 if (!skb)
786 return;
787
788 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE);
789 hdr->evt = HCI_EV_STACK_INTERNAL;
790 hdr->plen = sizeof(*ev) + dlen;
791
792 ev = skb_put(skb, sizeof(*ev) + dlen);
793 ev->type = type;
794 memcpy(ev->data, data, dlen);
795
796 bt_cb(skb)->incoming = 1;
797 __net_timestamp(skb);
798
799 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
800 hci_send_to_sock(hdev, skb);
801 kfree_skb(skb);
802 }
803
hci_sock_dev_event(struct hci_dev * hdev,int event)804 void hci_sock_dev_event(struct hci_dev *hdev, int event)
805 {
806 BT_DBG("hdev %s event %d", hdev->name, event);
807
808 if (atomic_read(&monitor_promisc)) {
809 struct sk_buff *skb;
810
811 /* Send event to monitor */
812 skb = create_monitor_event(hdev, event);
813 if (skb) {
814 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
815 HCI_SOCK_TRUSTED, NULL);
816 kfree_skb(skb);
817 }
818 }
819
820 if (event <= HCI_DEV_DOWN) {
821 struct hci_ev_si_device ev;
822
823 /* Send event to sockets */
824 ev.event = event;
825 ev.dev_id = hdev->id;
826 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
827 }
828
829 if (event == HCI_DEV_UNREG) {
830 struct sock *sk;
831
832 /* Wake up sockets using this dead device */
833 read_lock(&hci_sk_list.lock);
834 sk_for_each(sk, &hci_sk_list.head) {
835 if (hci_pi(sk)->hdev == hdev) {
836 sk->sk_err = EPIPE;
837 sk->sk_state_change(sk);
838 }
839 }
840 read_unlock(&hci_sk_list.lock);
841 }
842 }
843
__hci_mgmt_chan_find(unsigned short channel)844 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
845 {
846 struct hci_mgmt_chan *c;
847
848 list_for_each_entry(c, &mgmt_chan_list, list) {
849 if (c->channel == channel)
850 return c;
851 }
852
853 return NULL;
854 }
855
hci_mgmt_chan_find(unsigned short channel)856 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
857 {
858 struct hci_mgmt_chan *c;
859
860 mutex_lock(&mgmt_chan_list_lock);
861 c = __hci_mgmt_chan_find(channel);
862 mutex_unlock(&mgmt_chan_list_lock);
863
864 return c;
865 }
866
hci_mgmt_chan_register(struct hci_mgmt_chan * c)867 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
868 {
869 if (c->channel < HCI_CHANNEL_CONTROL)
870 return -EINVAL;
871
872 mutex_lock(&mgmt_chan_list_lock);
873 if (__hci_mgmt_chan_find(c->channel)) {
874 mutex_unlock(&mgmt_chan_list_lock);
875 return -EALREADY;
876 }
877
878 list_add_tail(&c->list, &mgmt_chan_list);
879
880 mutex_unlock(&mgmt_chan_list_lock);
881
882 return 0;
883 }
884 EXPORT_SYMBOL(hci_mgmt_chan_register);
885
hci_mgmt_chan_unregister(struct hci_mgmt_chan * c)886 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
887 {
888 mutex_lock(&mgmt_chan_list_lock);
889 list_del(&c->list);
890 mutex_unlock(&mgmt_chan_list_lock);
891 }
892 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
893
hci_sock_release(struct socket * sock)894 static int hci_sock_release(struct socket *sock)
895 {
896 struct sock *sk = sock->sk;
897 struct hci_dev *hdev;
898 struct sk_buff *skb;
899
900 BT_DBG("sock %p sk %p", sock, sk);
901
902 if (!sk)
903 return 0;
904
905 lock_sock(sk);
906
907 switch (hci_pi(sk)->channel) {
908 case HCI_CHANNEL_MONITOR:
909 atomic_dec(&monitor_promisc);
910 break;
911 case HCI_CHANNEL_RAW:
912 case HCI_CHANNEL_USER:
913 case HCI_CHANNEL_CONTROL:
914 /* Send event to monitor */
915 skb = create_monitor_ctrl_close(sk);
916 if (skb) {
917 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
918 HCI_SOCK_TRUSTED, NULL);
919 kfree_skb(skb);
920 }
921
922 hci_sock_free_cookie(sk);
923 break;
924 }
925
926 bt_sock_unlink(&hci_sk_list, sk);
927
928 hdev = hci_pi(sk)->hdev;
929 if (hdev) {
930 if (hci_pi(sk)->channel == HCI_CHANNEL_USER &&
931 !hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
932 /* When releasing a user channel exclusive access,
933 * call hci_dev_do_close directly instead of calling
934 * hci_dev_close to ensure the exclusive access will
935 * be released and the controller brought back down.
936 *
937 * The checking of HCI_AUTO_OFF is not needed in this
938 * case since it will have been cleared already when
939 * opening the user channel.
940 *
941 * Make sure to also check that we haven't already
942 * unregistered since all the cleanup will have already
943 * been complete and hdev will get released when we put
944 * below.
945 */
946 hci_dev_do_close(hdev);
947 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
948 mgmt_index_added(hdev);
949 }
950
951 atomic_dec(&hdev->promisc);
952 hci_dev_put(hdev);
953 }
954
955 sock_orphan(sk);
956 release_sock(sk);
957 sock_put(sk);
958 return 0;
959 }
960
hci_sock_reject_list_add(struct hci_dev * hdev,void __user * arg)961 static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg)
962 {
963 bdaddr_t bdaddr;
964 int err;
965
966 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
967 return -EFAULT;
968
969 hci_dev_lock(hdev);
970
971 err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
972
973 hci_dev_unlock(hdev);
974
975 return err;
976 }
977
hci_sock_reject_list_del(struct hci_dev * hdev,void __user * arg)978 static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg)
979 {
980 bdaddr_t bdaddr;
981 int err;
982
983 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
984 return -EFAULT;
985
986 hci_dev_lock(hdev);
987
988 err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
989
990 hci_dev_unlock(hdev);
991
992 return err;
993 }
994
995 /* Ioctls that require bound socket */
hci_sock_bound_ioctl(struct sock * sk,unsigned int cmd,unsigned long arg)996 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
997 unsigned long arg)
998 {
999 struct hci_dev *hdev = hci_hdev_from_sock(sk);
1000
1001 if (IS_ERR(hdev))
1002 return PTR_ERR(hdev);
1003
1004 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1005 return -EBUSY;
1006
1007 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1008 return -EOPNOTSUPP;
1009
1010 switch (cmd) {
1011 case HCISETRAW:
1012 if (!capable(CAP_NET_ADMIN))
1013 return -EPERM;
1014 return -EOPNOTSUPP;
1015
1016 case HCIGETCONNINFO:
1017 return hci_get_conn_info(hdev, (void __user *)arg);
1018
1019 case HCIGETAUTHINFO:
1020 return hci_get_auth_info(hdev, (void __user *)arg);
1021
1022 case HCIBLOCKADDR:
1023 if (!capable(CAP_NET_ADMIN))
1024 return -EPERM;
1025 return hci_sock_reject_list_add(hdev, (void __user *)arg);
1026
1027 case HCIUNBLOCKADDR:
1028 if (!capable(CAP_NET_ADMIN))
1029 return -EPERM;
1030 return hci_sock_reject_list_del(hdev, (void __user *)arg);
1031 }
1032
1033 return -ENOIOCTLCMD;
1034 }
1035
hci_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)1036 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
1037 unsigned long arg)
1038 {
1039 void __user *argp = (void __user *)arg;
1040 struct sock *sk = sock->sk;
1041 int err;
1042
1043 BT_DBG("cmd %x arg %lx", cmd, arg);
1044
1045 /* Make sure the cmd is valid before doing anything */
1046 switch (cmd) {
1047 case HCIGETDEVLIST:
1048 case HCIGETDEVINFO:
1049 case HCIGETCONNLIST:
1050 case HCIDEVUP:
1051 case HCIDEVDOWN:
1052 case HCIDEVRESET:
1053 case HCIDEVRESTAT:
1054 case HCISETSCAN:
1055 case HCISETAUTH:
1056 case HCISETENCRYPT:
1057 case HCISETPTYPE:
1058 case HCISETLINKPOL:
1059 case HCISETLINKMODE:
1060 case HCISETACLMTU:
1061 case HCISETSCOMTU:
1062 case HCIINQUIRY:
1063 case HCISETRAW:
1064 case HCIGETCONNINFO:
1065 case HCIGETAUTHINFO:
1066 case HCIBLOCKADDR:
1067 case HCIUNBLOCKADDR:
1068 break;
1069 default:
1070 return -ENOIOCTLCMD;
1071 }
1072
1073 lock_sock(sk);
1074
1075 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1076 err = -EBADFD;
1077 goto done;
1078 }
1079
1080 /* When calling an ioctl on an unbound raw socket, then ensure
1081 * that the monitor gets informed. Ensure that the resulting event
1082 * is only send once by checking if the cookie exists or not. The
1083 * socket cookie will be only ever generated once for the lifetime
1084 * of a given socket.
1085 */
1086 if (hci_sock_gen_cookie(sk)) {
1087 struct sk_buff *skb;
1088
1089 /* Perform careful checks before setting the HCI_SOCK_TRUSTED
1090 * flag. Make sure that not only the current task but also
1091 * the socket opener has the required capability, since
1092 * privileged programs can be tricked into making ioctl calls
1093 * on HCI sockets, and the socket should not be marked as
1094 * trusted simply because the ioctl caller is privileged.
1095 */
1096 if (sk_capable(sk, CAP_NET_ADMIN))
1097 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1098
1099 /* Send event to monitor */
1100 skb = create_monitor_ctrl_open(sk);
1101 if (skb) {
1102 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1103 HCI_SOCK_TRUSTED, NULL);
1104 kfree_skb(skb);
1105 }
1106 }
1107
1108 release_sock(sk);
1109
1110 switch (cmd) {
1111 case HCIGETDEVLIST:
1112 return hci_get_dev_list(argp);
1113
1114 case HCIGETDEVINFO:
1115 return hci_get_dev_info(argp);
1116
1117 case HCIGETCONNLIST:
1118 return hci_get_conn_list(argp);
1119
1120 case HCIDEVUP:
1121 if (!capable(CAP_NET_ADMIN))
1122 return -EPERM;
1123 return hci_dev_open(arg);
1124
1125 case HCIDEVDOWN:
1126 if (!capable(CAP_NET_ADMIN))
1127 return -EPERM;
1128 return hci_dev_close(arg);
1129
1130 case HCIDEVRESET:
1131 if (!capable(CAP_NET_ADMIN))
1132 return -EPERM;
1133 return hci_dev_reset(arg);
1134
1135 case HCIDEVRESTAT:
1136 if (!capable(CAP_NET_ADMIN))
1137 return -EPERM;
1138 return hci_dev_reset_stat(arg);
1139
1140 case HCISETSCAN:
1141 case HCISETAUTH:
1142 case HCISETENCRYPT:
1143 case HCISETPTYPE:
1144 case HCISETLINKPOL:
1145 case HCISETLINKMODE:
1146 case HCISETACLMTU:
1147 case HCISETSCOMTU:
1148 if (!capable(CAP_NET_ADMIN))
1149 return -EPERM;
1150 return hci_dev_cmd(cmd, argp);
1151
1152 case HCIINQUIRY:
1153 return hci_inquiry(argp);
1154 }
1155
1156 lock_sock(sk);
1157
1158 err = hci_sock_bound_ioctl(sk, cmd, arg);
1159
1160 done:
1161 release_sock(sk);
1162 return err;
1163 }
1164
1165 #ifdef CONFIG_COMPAT
hci_sock_compat_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)1166 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd,
1167 unsigned long arg)
1168 {
1169 switch (cmd) {
1170 case HCIDEVUP:
1171 case HCIDEVDOWN:
1172 case HCIDEVRESET:
1173 case HCIDEVRESTAT:
1174 return hci_sock_ioctl(sock, cmd, arg);
1175 }
1176
1177 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
1178 }
1179 #endif
1180
hci_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)1181 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1182 int addr_len)
1183 {
1184 struct sockaddr_hci haddr;
1185 struct sock *sk = sock->sk;
1186 struct hci_dev *hdev = NULL;
1187 struct sk_buff *skb;
1188 int len, err = 0;
1189
1190 BT_DBG("sock %p sk %p", sock, sk);
1191
1192 if (!addr)
1193 return -EINVAL;
1194
1195 memset(&haddr, 0, sizeof(haddr));
1196 len = min_t(unsigned int, sizeof(haddr), addr_len);
1197 memcpy(&haddr, addr, len);
1198
1199 if (haddr.hci_family != AF_BLUETOOTH)
1200 return -EINVAL;
1201
1202 lock_sock(sk);
1203
1204 /* Allow detaching from dead device and attaching to alive device, if
1205 * the caller wants to re-bind (instead of close) this socket in
1206 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
1207 */
1208 hdev = hci_pi(sk)->hdev;
1209 if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1210 hci_pi(sk)->hdev = NULL;
1211 sk->sk_state = BT_OPEN;
1212 hci_dev_put(hdev);
1213 }
1214 hdev = NULL;
1215
1216 if (sk->sk_state == BT_BOUND) {
1217 err = -EALREADY;
1218 goto done;
1219 }
1220
1221 switch (haddr.hci_channel) {
1222 case HCI_CHANNEL_RAW:
1223 if (hci_pi(sk)->hdev) {
1224 err = -EALREADY;
1225 goto done;
1226 }
1227
1228 if (haddr.hci_dev != HCI_DEV_NONE) {
1229 hdev = hci_dev_get(haddr.hci_dev);
1230 if (!hdev) {
1231 err = -ENODEV;
1232 goto done;
1233 }
1234
1235 atomic_inc(&hdev->promisc);
1236 }
1237
1238 hci_pi(sk)->channel = haddr.hci_channel;
1239
1240 if (!hci_sock_gen_cookie(sk)) {
1241 /* In the case when a cookie has already been assigned,
1242 * then there has been already an ioctl issued against
1243 * an unbound socket and with that triggered an open
1244 * notification. Send a close notification first to
1245 * allow the state transition to bounded.
1246 */
1247 skb = create_monitor_ctrl_close(sk);
1248 if (skb) {
1249 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1250 HCI_SOCK_TRUSTED, NULL);
1251 kfree_skb(skb);
1252 }
1253 }
1254
1255 if (capable(CAP_NET_ADMIN))
1256 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1257
1258 hci_pi(sk)->hdev = hdev;
1259
1260 /* Send event to monitor */
1261 skb = create_monitor_ctrl_open(sk);
1262 if (skb) {
1263 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1264 HCI_SOCK_TRUSTED, NULL);
1265 kfree_skb(skb);
1266 }
1267 break;
1268
1269 case HCI_CHANNEL_USER:
1270 if (hci_pi(sk)->hdev) {
1271 err = -EALREADY;
1272 goto done;
1273 }
1274
1275 if (haddr.hci_dev == HCI_DEV_NONE) {
1276 err = -EINVAL;
1277 goto done;
1278 }
1279
1280 if (!capable(CAP_NET_ADMIN)) {
1281 err = -EPERM;
1282 goto done;
1283 }
1284
1285 hdev = hci_dev_get(haddr.hci_dev);
1286 if (!hdev) {
1287 err = -ENODEV;
1288 goto done;
1289 }
1290
1291 if (test_bit(HCI_INIT, &hdev->flags) ||
1292 hci_dev_test_flag(hdev, HCI_SETUP) ||
1293 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1294 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1295 test_bit(HCI_UP, &hdev->flags))) {
1296 err = -EBUSY;
1297 hci_dev_put(hdev);
1298 goto done;
1299 }
1300
1301 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1302 err = -EUSERS;
1303 hci_dev_put(hdev);
1304 goto done;
1305 }
1306
1307 mgmt_index_removed(hdev);
1308
1309 err = hci_dev_open(hdev->id);
1310 if (err) {
1311 if (err == -EALREADY) {
1312 /* In case the transport is already up and
1313 * running, clear the error here.
1314 *
1315 * This can happen when opening a user
1316 * channel and HCI_AUTO_OFF grace period
1317 * is still active.
1318 */
1319 err = 0;
1320 } else {
1321 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1322 mgmt_index_added(hdev);
1323 hci_dev_put(hdev);
1324 goto done;
1325 }
1326 }
1327
1328 hci_pi(sk)->channel = haddr.hci_channel;
1329
1330 if (!hci_sock_gen_cookie(sk)) {
1331 /* In the case when a cookie has already been assigned,
1332 * this socket will transition from a raw socket into
1333 * a user channel socket. For a clean transition, send
1334 * the close notification first.
1335 */
1336 skb = create_monitor_ctrl_close(sk);
1337 if (skb) {
1338 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1339 HCI_SOCK_TRUSTED, NULL);
1340 kfree_skb(skb);
1341 }
1342 }
1343
1344 /* The user channel is restricted to CAP_NET_ADMIN
1345 * capabilities and with that implicitly trusted.
1346 */
1347 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1348
1349 hci_pi(sk)->hdev = hdev;
1350
1351 /* Send event to monitor */
1352 skb = create_monitor_ctrl_open(sk);
1353 if (skb) {
1354 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1355 HCI_SOCK_TRUSTED, NULL);
1356 kfree_skb(skb);
1357 }
1358
1359 atomic_inc(&hdev->promisc);
1360 break;
1361
1362 case HCI_CHANNEL_MONITOR:
1363 if (haddr.hci_dev != HCI_DEV_NONE) {
1364 err = -EINVAL;
1365 goto done;
1366 }
1367
1368 if (!capable(CAP_NET_RAW)) {
1369 err = -EPERM;
1370 goto done;
1371 }
1372
1373 hci_pi(sk)->channel = haddr.hci_channel;
1374
1375 /* The monitor interface is restricted to CAP_NET_RAW
1376 * capabilities and with that implicitly trusted.
1377 */
1378 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1379
1380 send_monitor_note(sk, "Linux version %s (%s)",
1381 init_utsname()->release,
1382 init_utsname()->machine);
1383 send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1384 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1385 send_monitor_replay(sk);
1386 send_monitor_control_replay(sk);
1387
1388 atomic_inc(&monitor_promisc);
1389 break;
1390
1391 case HCI_CHANNEL_LOGGING:
1392 if (haddr.hci_dev != HCI_DEV_NONE) {
1393 err = -EINVAL;
1394 goto done;
1395 }
1396
1397 if (!capable(CAP_NET_ADMIN)) {
1398 err = -EPERM;
1399 goto done;
1400 }
1401
1402 hci_pi(sk)->channel = haddr.hci_channel;
1403 break;
1404
1405 default:
1406 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1407 err = -EINVAL;
1408 goto done;
1409 }
1410
1411 if (haddr.hci_dev != HCI_DEV_NONE) {
1412 err = -EINVAL;
1413 goto done;
1414 }
1415
1416 /* Users with CAP_NET_ADMIN capabilities are allowed
1417 * access to all management commands and events. For
1418 * untrusted users the interface is restricted and
1419 * also only untrusted events are sent.
1420 */
1421 if (capable(CAP_NET_ADMIN))
1422 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1423
1424 hci_pi(sk)->channel = haddr.hci_channel;
1425
1426 /* At the moment the index and unconfigured index events
1427 * are enabled unconditionally. Setting them on each
1428 * socket when binding keeps this functionality. They
1429 * however might be cleared later and then sending of these
1430 * events will be disabled, but that is then intentional.
1431 *
1432 * This also enables generic events that are safe to be
1433 * received by untrusted users. Example for such events
1434 * are changes to settings, class of device, name etc.
1435 */
1436 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1437 if (!hci_sock_gen_cookie(sk)) {
1438 /* In the case when a cookie has already been
1439 * assigned, this socket will transition from
1440 * a raw socket into a control socket. To
1441 * allow for a clean transition, send the
1442 * close notification first.
1443 */
1444 skb = create_monitor_ctrl_close(sk);
1445 if (skb) {
1446 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1447 HCI_SOCK_TRUSTED, NULL);
1448 kfree_skb(skb);
1449 }
1450 }
1451
1452 /* Send event to monitor */
1453 skb = create_monitor_ctrl_open(sk);
1454 if (skb) {
1455 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1456 HCI_SOCK_TRUSTED, NULL);
1457 kfree_skb(skb);
1458 }
1459
1460 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1461 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1462 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1463 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1464 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1465 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1466 }
1467 break;
1468 }
1469
1470 /* Default MTU to HCI_MAX_FRAME_SIZE if not set */
1471 if (!hci_pi(sk)->mtu)
1472 hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE;
1473
1474 sk->sk_state = BT_BOUND;
1475
1476 done:
1477 release_sock(sk);
1478 return err;
1479 }
1480
hci_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)1481 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
1482 int peer)
1483 {
1484 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
1485 struct sock *sk = sock->sk;
1486 struct hci_dev *hdev;
1487 int err = 0;
1488
1489 BT_DBG("sock %p sk %p", sock, sk);
1490
1491 if (peer)
1492 return -EOPNOTSUPP;
1493
1494 lock_sock(sk);
1495
1496 hdev = hci_hdev_from_sock(sk);
1497 if (IS_ERR(hdev)) {
1498 err = PTR_ERR(hdev);
1499 goto done;
1500 }
1501
1502 haddr->hci_family = AF_BLUETOOTH;
1503 haddr->hci_dev = hdev->id;
1504 haddr->hci_channel= hci_pi(sk)->channel;
1505 err = sizeof(*haddr);
1506
1507 done:
1508 release_sock(sk);
1509 return err;
1510 }
1511
hci_sock_cmsg(struct sock * sk,struct msghdr * msg,struct sk_buff * skb)1512 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1513 struct sk_buff *skb)
1514 {
1515 __u8 mask = hci_pi(sk)->cmsg_mask;
1516
1517 if (mask & HCI_CMSG_DIR) {
1518 int incoming = bt_cb(skb)->incoming;
1519 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1520 &incoming);
1521 }
1522
1523 if (mask & HCI_CMSG_TSTAMP) {
1524 #ifdef CONFIG_COMPAT
1525 struct old_timeval32 ctv;
1526 #endif
1527 struct __kernel_old_timeval tv;
1528 void *data;
1529 int len;
1530
1531 skb_get_timestamp(skb, &tv);
1532
1533 data = &tv;
1534 len = sizeof(tv);
1535 #ifdef CONFIG_COMPAT
1536 if (!COMPAT_USE_64BIT_TIME &&
1537 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1538 ctv.tv_sec = tv.tv_sec;
1539 ctv.tv_usec = tv.tv_usec;
1540 data = &ctv;
1541 len = sizeof(ctv);
1542 }
1543 #endif
1544
1545 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1546 }
1547 }
1548
hci_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1549 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1550 size_t len, int flags)
1551 {
1552 struct scm_cookie scm;
1553 struct sock *sk = sock->sk;
1554 struct sk_buff *skb;
1555 int copied, err;
1556 unsigned int skblen;
1557
1558 BT_DBG("sock %p, sk %p", sock, sk);
1559
1560 if (flags & MSG_OOB)
1561 return -EOPNOTSUPP;
1562
1563 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1564 return -EOPNOTSUPP;
1565
1566 if (sk->sk_state == BT_CLOSED)
1567 return 0;
1568
1569 skb = skb_recv_datagram(sk, flags, &err);
1570 if (!skb)
1571 return err;
1572
1573 skblen = skb->len;
1574 copied = skb->len;
1575 if (len < copied) {
1576 msg->msg_flags |= MSG_TRUNC;
1577 copied = len;
1578 }
1579
1580 skb_reset_transport_header(skb);
1581 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1582
1583 switch (hci_pi(sk)->channel) {
1584 case HCI_CHANNEL_RAW:
1585 hci_sock_cmsg(sk, msg, skb);
1586 break;
1587 case HCI_CHANNEL_USER:
1588 case HCI_CHANNEL_MONITOR:
1589 sock_recv_timestamp(msg, sk, skb);
1590 break;
1591 default:
1592 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1593 sock_recv_timestamp(msg, sk, skb);
1594 break;
1595 }
1596
1597 memset(&scm, 0, sizeof(scm));
1598 scm.creds = bt_cb(skb)->creds;
1599
1600 skb_free_datagram(sk, skb);
1601
1602 if (flags & MSG_TRUNC)
1603 copied = skblen;
1604
1605 scm_recv(sock, msg, &scm, flags);
1606
1607 return err ? : copied;
1608 }
1609
hci_mgmt_cmd(struct hci_mgmt_chan * chan,struct sock * sk,struct sk_buff * skb)1610 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1611 struct sk_buff *skb)
1612 {
1613 u8 *cp;
1614 struct mgmt_hdr *hdr;
1615 u16 opcode, index, len;
1616 struct hci_dev *hdev = NULL;
1617 const struct hci_mgmt_handler *handler;
1618 bool var_len, no_hdev;
1619 int err;
1620
1621 BT_DBG("got %d bytes", skb->len);
1622
1623 if (skb->len < sizeof(*hdr))
1624 return -EINVAL;
1625
1626 hdr = (void *)skb->data;
1627 opcode = __le16_to_cpu(hdr->opcode);
1628 index = __le16_to_cpu(hdr->index);
1629 len = __le16_to_cpu(hdr->len);
1630
1631 if (len != skb->len - sizeof(*hdr)) {
1632 err = -EINVAL;
1633 goto done;
1634 }
1635
1636 if (chan->channel == HCI_CHANNEL_CONTROL) {
1637 struct sk_buff *cmd;
1638
1639 /* Send event to monitor */
1640 cmd = create_monitor_ctrl_command(sk, index, opcode, len,
1641 skb->data + sizeof(*hdr));
1642 if (cmd) {
1643 hci_send_to_channel(HCI_CHANNEL_MONITOR, cmd,
1644 HCI_SOCK_TRUSTED, NULL);
1645 kfree_skb(cmd);
1646 }
1647 }
1648
1649 if (opcode >= chan->handler_count ||
1650 chan->handlers[opcode].func == NULL) {
1651 BT_DBG("Unknown op %u", opcode);
1652 err = mgmt_cmd_status(sk, index, opcode,
1653 MGMT_STATUS_UNKNOWN_COMMAND);
1654 goto done;
1655 }
1656
1657 handler = &chan->handlers[opcode];
1658
1659 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1660 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1661 err = mgmt_cmd_status(sk, index, opcode,
1662 MGMT_STATUS_PERMISSION_DENIED);
1663 goto done;
1664 }
1665
1666 if (index != MGMT_INDEX_NONE) {
1667 hdev = hci_dev_get(index);
1668 if (!hdev) {
1669 err = mgmt_cmd_status(sk, index, opcode,
1670 MGMT_STATUS_INVALID_INDEX);
1671 goto done;
1672 }
1673
1674 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1675 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1676 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1677 err = mgmt_cmd_status(sk, index, opcode,
1678 MGMT_STATUS_INVALID_INDEX);
1679 goto done;
1680 }
1681
1682 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1683 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1684 err = mgmt_cmd_status(sk, index, opcode,
1685 MGMT_STATUS_INVALID_INDEX);
1686 goto done;
1687 }
1688 }
1689
1690 if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) {
1691 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1692 if (no_hdev != !hdev) {
1693 err = mgmt_cmd_status(sk, index, opcode,
1694 MGMT_STATUS_INVALID_INDEX);
1695 goto done;
1696 }
1697 }
1698
1699 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1700 if ((var_len && len < handler->data_len) ||
1701 (!var_len && len != handler->data_len)) {
1702 err = mgmt_cmd_status(sk, index, opcode,
1703 MGMT_STATUS_INVALID_PARAMS);
1704 goto done;
1705 }
1706
1707 if (hdev && chan->hdev_init)
1708 chan->hdev_init(sk, hdev);
1709
1710 cp = skb->data + sizeof(*hdr);
1711
1712 err = handler->func(sk, hdev, cp, len);
1713 if (err < 0)
1714 goto done;
1715
1716 err = skb->len;
1717
1718 done:
1719 if (hdev)
1720 hci_dev_put(hdev);
1721
1722 return err;
1723 }
1724
hci_logging_frame(struct sock * sk,struct sk_buff * skb,unsigned int flags)1725 static int hci_logging_frame(struct sock *sk, struct sk_buff *skb,
1726 unsigned int flags)
1727 {
1728 struct hci_mon_hdr *hdr;
1729 struct hci_dev *hdev;
1730 u16 index;
1731 int err;
1732
1733 /* The logging frame consists at minimum of the standard header,
1734 * the priority byte, the ident length byte and at least one string
1735 * terminator NUL byte. Anything shorter are invalid packets.
1736 */
1737 if (skb->len < sizeof(*hdr) + 3)
1738 return -EINVAL;
1739
1740 hdr = (void *)skb->data;
1741
1742 if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr))
1743 return -EINVAL;
1744
1745 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1746 __u8 priority = skb->data[sizeof(*hdr)];
1747 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1748
1749 /* Only the priorities 0-7 are valid and with that any other
1750 * value results in an invalid packet.
1751 *
1752 * The priority byte is followed by an ident length byte and
1753 * the NUL terminated ident string. Check that the ident
1754 * length is not overflowing the packet and also that the
1755 * ident string itself is NUL terminated. In case the ident
1756 * length is zero, the length value actually doubles as NUL
1757 * terminator identifier.
1758 *
1759 * The message follows the ident string (if present) and
1760 * must be NUL terminated. Otherwise it is not a valid packet.
1761 */
1762 if (priority > 7 || skb->data[skb->len - 1] != 0x00 ||
1763 ident_len > skb->len - sizeof(*hdr) - 3 ||
1764 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00)
1765 return -EINVAL;
1766 } else {
1767 return -EINVAL;
1768 }
1769
1770 index = __le16_to_cpu(hdr->index);
1771
1772 if (index != MGMT_INDEX_NONE) {
1773 hdev = hci_dev_get(index);
1774 if (!hdev)
1775 return -ENODEV;
1776 } else {
1777 hdev = NULL;
1778 }
1779
1780 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1781
1782 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1783 err = skb->len;
1784
1785 if (hdev)
1786 hci_dev_put(hdev);
1787
1788 return err;
1789 }
1790
hci_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1791 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1792 size_t len)
1793 {
1794 struct sock *sk = sock->sk;
1795 struct hci_mgmt_chan *chan;
1796 struct hci_dev *hdev;
1797 struct sk_buff *skb;
1798 int err;
1799 const unsigned int flags = msg->msg_flags;
1800
1801 BT_DBG("sock %p sk %p", sock, sk);
1802
1803 if (flags & MSG_OOB)
1804 return -EOPNOTSUPP;
1805
1806 if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
1807 return -EINVAL;
1808
1809 if (len < 4 || len > hci_pi(sk)->mtu)
1810 return -EINVAL;
1811
1812 skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0);
1813 if (IS_ERR(skb))
1814 return PTR_ERR(skb);
1815
1816 lock_sock(sk);
1817
1818 switch (hci_pi(sk)->channel) {
1819 case HCI_CHANNEL_RAW:
1820 case HCI_CHANNEL_USER:
1821 break;
1822 case HCI_CHANNEL_MONITOR:
1823 err = -EOPNOTSUPP;
1824 goto drop;
1825 case HCI_CHANNEL_LOGGING:
1826 err = hci_logging_frame(sk, skb, flags);
1827 goto drop;
1828 default:
1829 mutex_lock(&mgmt_chan_list_lock);
1830 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1831 if (chan)
1832 err = hci_mgmt_cmd(chan, sk, skb);
1833 else
1834 err = -EINVAL;
1835
1836 mutex_unlock(&mgmt_chan_list_lock);
1837 goto drop;
1838 }
1839
1840 hdev = hci_hdev_from_sock(sk);
1841 if (IS_ERR(hdev)) {
1842 err = PTR_ERR(hdev);
1843 goto drop;
1844 }
1845
1846 if (!test_bit(HCI_UP, &hdev->flags)) {
1847 err = -ENETDOWN;
1848 goto drop;
1849 }
1850
1851 hci_skb_pkt_type(skb) = skb->data[0];
1852 skb_pull(skb, 1);
1853
1854 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1855 /* No permission check is needed for user channel
1856 * since that gets enforced when binding the socket.
1857 *
1858 * However check that the packet type is valid.
1859 */
1860 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1861 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1862 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1863 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1864 err = -EINVAL;
1865 goto drop;
1866 }
1867
1868 skb_queue_tail(&hdev->raw_q, skb);
1869 queue_work(hdev->workqueue, &hdev->tx_work);
1870 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1871 u16 opcode = get_unaligned_le16(skb->data);
1872 u16 ogf = hci_opcode_ogf(opcode);
1873 u16 ocf = hci_opcode_ocf(opcode);
1874
1875 if (((ogf > HCI_SFLT_MAX_OGF) ||
1876 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1877 &hci_sec_filter.ocf_mask[ogf])) &&
1878 !capable(CAP_NET_RAW)) {
1879 err = -EPERM;
1880 goto drop;
1881 }
1882
1883 /* Since the opcode has already been extracted here, store
1884 * a copy of the value for later use by the drivers.
1885 */
1886 hci_skb_opcode(skb) = opcode;
1887
1888 if (ogf == 0x3f) {
1889 skb_queue_tail(&hdev->raw_q, skb);
1890 queue_work(hdev->workqueue, &hdev->tx_work);
1891 } else {
1892 /* Stand-alone HCI commands must be flagged as
1893 * single-command requests.
1894 */
1895 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1896
1897 skb_queue_tail(&hdev->cmd_q, skb);
1898 queue_work(hdev->workqueue, &hdev->cmd_work);
1899 }
1900 } else {
1901 if (!capable(CAP_NET_RAW)) {
1902 err = -EPERM;
1903 goto drop;
1904 }
1905
1906 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1907 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1908 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1909 err = -EINVAL;
1910 goto drop;
1911 }
1912
1913 skb_queue_tail(&hdev->raw_q, skb);
1914 queue_work(hdev->workqueue, &hdev->tx_work);
1915 }
1916
1917 err = len;
1918
1919 done:
1920 release_sock(sk);
1921 return err;
1922
1923 drop:
1924 kfree_skb(skb);
1925 goto done;
1926 }
1927
hci_sock_setsockopt_old(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)1928 static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
1929 sockptr_t optval, unsigned int optlen)
1930 {
1931 struct hci_ufilter uf = { .opcode = 0 };
1932 struct sock *sk = sock->sk;
1933 int err = 0, opt = 0;
1934
1935 BT_DBG("sk %p, opt %d", sk, optname);
1936
1937 lock_sock(sk);
1938
1939 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1940 err = -EBADFD;
1941 goto done;
1942 }
1943
1944 switch (optname) {
1945 case HCI_DATA_DIR:
1946 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1947 if (err)
1948 break;
1949
1950 if (opt)
1951 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1952 else
1953 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1954 break;
1955
1956 case HCI_TIME_STAMP:
1957 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1958 if (err)
1959 break;
1960
1961 if (opt)
1962 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1963 else
1964 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1965 break;
1966
1967 case HCI_FILTER:
1968 {
1969 struct hci_filter *f = &hci_pi(sk)->filter;
1970
1971 uf.type_mask = f->type_mask;
1972 uf.opcode = f->opcode;
1973 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1974 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1975 }
1976
1977 err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen);
1978 if (err)
1979 break;
1980
1981 if (!capable(CAP_NET_RAW)) {
1982 uf.type_mask &= hci_sec_filter.type_mask;
1983 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1984 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1985 }
1986
1987 {
1988 struct hci_filter *f = &hci_pi(sk)->filter;
1989
1990 f->type_mask = uf.type_mask;
1991 f->opcode = uf.opcode;
1992 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1993 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1994 }
1995 break;
1996
1997 default:
1998 err = -ENOPROTOOPT;
1999 break;
2000 }
2001
2002 done:
2003 release_sock(sk);
2004 return err;
2005 }
2006
hci_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)2007 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
2008 sockptr_t optval, unsigned int optlen)
2009 {
2010 struct sock *sk = sock->sk;
2011 int err = 0;
2012 u16 opt;
2013
2014 BT_DBG("sk %p, opt %d", sk, optname);
2015
2016 if (level == SOL_HCI)
2017 return hci_sock_setsockopt_old(sock, level, optname, optval,
2018 optlen);
2019
2020 if (level != SOL_BLUETOOTH)
2021 return -ENOPROTOOPT;
2022
2023 lock_sock(sk);
2024
2025 switch (optname) {
2026 case BT_SNDMTU:
2027 case BT_RCVMTU:
2028 switch (hci_pi(sk)->channel) {
2029 /* Don't allow changing MTU for channels that are meant for HCI
2030 * traffic only.
2031 */
2032 case HCI_CHANNEL_RAW:
2033 case HCI_CHANNEL_USER:
2034 err = -ENOPROTOOPT;
2035 goto done;
2036 }
2037
2038 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
2039 if (err)
2040 break;
2041
2042 hci_pi(sk)->mtu = opt;
2043 break;
2044
2045 default:
2046 err = -ENOPROTOOPT;
2047 break;
2048 }
2049
2050 done:
2051 release_sock(sk);
2052 return err;
2053 }
2054
hci_sock_getsockopt_old(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)2055 static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname,
2056 char __user *optval, int __user *optlen)
2057 {
2058 struct hci_ufilter uf;
2059 struct sock *sk = sock->sk;
2060 int len, opt, err = 0;
2061
2062 BT_DBG("sk %p, opt %d", sk, optname);
2063
2064 if (get_user(len, optlen))
2065 return -EFAULT;
2066
2067 lock_sock(sk);
2068
2069 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
2070 err = -EBADFD;
2071 goto done;
2072 }
2073
2074 switch (optname) {
2075 case HCI_DATA_DIR:
2076 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
2077 opt = 1;
2078 else
2079 opt = 0;
2080
2081 if (put_user(opt, optval))
2082 err = -EFAULT;
2083 break;
2084
2085 case HCI_TIME_STAMP:
2086 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
2087 opt = 1;
2088 else
2089 opt = 0;
2090
2091 if (put_user(opt, optval))
2092 err = -EFAULT;
2093 break;
2094
2095 case HCI_FILTER:
2096 {
2097 struct hci_filter *f = &hci_pi(sk)->filter;
2098
2099 memset(&uf, 0, sizeof(uf));
2100 uf.type_mask = f->type_mask;
2101 uf.opcode = f->opcode;
2102 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
2103 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
2104 }
2105
2106 len = min_t(unsigned int, len, sizeof(uf));
2107 if (copy_to_user(optval, &uf, len))
2108 err = -EFAULT;
2109 break;
2110
2111 default:
2112 err = -ENOPROTOOPT;
2113 break;
2114 }
2115
2116 done:
2117 release_sock(sk);
2118 return err;
2119 }
2120
hci_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)2121 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
2122 char __user *optval, int __user *optlen)
2123 {
2124 struct sock *sk = sock->sk;
2125 int err = 0;
2126
2127 BT_DBG("sk %p, opt %d", sk, optname);
2128
2129 if (level == SOL_HCI)
2130 return hci_sock_getsockopt_old(sock, level, optname, optval,
2131 optlen);
2132
2133 if (level != SOL_BLUETOOTH)
2134 return -ENOPROTOOPT;
2135
2136 lock_sock(sk);
2137
2138 switch (optname) {
2139 case BT_SNDMTU:
2140 case BT_RCVMTU:
2141 if (put_user(hci_pi(sk)->mtu, (u16 __user *)optval))
2142 err = -EFAULT;
2143 break;
2144
2145 default:
2146 err = -ENOPROTOOPT;
2147 break;
2148 }
2149
2150 release_sock(sk);
2151 return err;
2152 }
2153
hci_sock_destruct(struct sock * sk)2154 static void hci_sock_destruct(struct sock *sk)
2155 {
2156 mgmt_cleanup(sk);
2157 skb_queue_purge(&sk->sk_receive_queue);
2158 skb_queue_purge(&sk->sk_write_queue);
2159 }
2160
2161 static const struct proto_ops hci_sock_ops = {
2162 .family = PF_BLUETOOTH,
2163 .owner = THIS_MODULE,
2164 .release = hci_sock_release,
2165 .bind = hci_sock_bind,
2166 .getname = hci_sock_getname,
2167 .sendmsg = hci_sock_sendmsg,
2168 .recvmsg = hci_sock_recvmsg,
2169 .ioctl = hci_sock_ioctl,
2170 #ifdef CONFIG_COMPAT
2171 .compat_ioctl = hci_sock_compat_ioctl,
2172 #endif
2173 .poll = datagram_poll,
2174 .listen = sock_no_listen,
2175 .shutdown = sock_no_shutdown,
2176 .setsockopt = hci_sock_setsockopt,
2177 .getsockopt = hci_sock_getsockopt,
2178 .connect = sock_no_connect,
2179 .socketpair = sock_no_socketpair,
2180 .accept = sock_no_accept,
2181 .mmap = sock_no_mmap
2182 };
2183
2184 static struct proto hci_sk_proto = {
2185 .name = "HCI",
2186 .owner = THIS_MODULE,
2187 .obj_size = sizeof(struct hci_pinfo)
2188 };
2189
hci_sock_create(struct net * net,struct socket * sock,int protocol,int kern)2190 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
2191 int kern)
2192 {
2193 struct sock *sk;
2194
2195 BT_DBG("sock %p", sock);
2196
2197 if (sock->type != SOCK_RAW)
2198 return -ESOCKTNOSUPPORT;
2199
2200 sock->ops = &hci_sock_ops;
2201
2202 sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC,
2203 kern);
2204 if (!sk)
2205 return -ENOMEM;
2206
2207 sock->state = SS_UNCONNECTED;
2208 sk->sk_destruct = hci_sock_destruct;
2209
2210 bt_sock_link(&hci_sk_list, sk);
2211 return 0;
2212 }
2213
2214 static const struct net_proto_family hci_sock_family_ops = {
2215 .family = PF_BLUETOOTH,
2216 .owner = THIS_MODULE,
2217 .create = hci_sock_create,
2218 };
2219
hci_sock_init(void)2220 int __init hci_sock_init(void)
2221 {
2222 int err;
2223
2224 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
2225
2226 err = proto_register(&hci_sk_proto, 0);
2227 if (err < 0)
2228 return err;
2229
2230 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
2231 if (err < 0) {
2232 BT_ERR("HCI socket registration failed");
2233 goto error;
2234 }
2235
2236 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
2237 if (err < 0) {
2238 BT_ERR("Failed to create HCI proc file");
2239 bt_sock_unregister(BTPROTO_HCI);
2240 goto error;
2241 }
2242
2243 BT_INFO("HCI socket layer initialized");
2244
2245 return 0;
2246
2247 error:
2248 proto_unregister(&hci_sk_proto);
2249 return err;
2250 }
2251
hci_sock_cleanup(void)2252 void hci_sock_cleanup(void)
2253 {
2254 bt_procfs_cleanup(&init_net, "hci");
2255 bt_sock_unregister(BTPROTO_HCI);
2256 proto_unregister(&hci_sk_proto);
2257 }
2258