xref: /linux/net/bluetooth/hci_sock.c (revision 0883c2c06fb5bcf5b9e008270827e63c09a88c1e)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI sockets. */
26 
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <asm/unaligned.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/hci_mon.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "mgmt_util.h"
37 
38 static LIST_HEAD(mgmt_chan_list);
39 static DEFINE_MUTEX(mgmt_chan_list_lock);
40 
41 static atomic_t monitor_promisc = ATOMIC_INIT(0);
42 
43 /* ----- HCI socket interface ----- */
44 
45 /* Socket info */
46 #define hci_pi(sk) ((struct hci_pinfo *) sk)
47 
48 struct hci_pinfo {
49 	struct bt_sock    bt;
50 	struct hci_dev    *hdev;
51 	struct hci_filter filter;
52 	__u32             cmsg_mask;
53 	unsigned short    channel;
54 	unsigned long     flags;
55 };
56 
57 void hci_sock_set_flag(struct sock *sk, int nr)
58 {
59 	set_bit(nr, &hci_pi(sk)->flags);
60 }
61 
62 void hci_sock_clear_flag(struct sock *sk, int nr)
63 {
64 	clear_bit(nr, &hci_pi(sk)->flags);
65 }
66 
67 int hci_sock_test_flag(struct sock *sk, int nr)
68 {
69 	return test_bit(nr, &hci_pi(sk)->flags);
70 }
71 
72 unsigned short hci_sock_get_channel(struct sock *sk)
73 {
74 	return hci_pi(sk)->channel;
75 }
76 
77 static inline int hci_test_bit(int nr, const void *addr)
78 {
79 	return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
80 }
81 
82 /* Security filter */
83 #define HCI_SFLT_MAX_OGF  5
84 
85 struct hci_sec_filter {
86 	__u32 type_mask;
87 	__u32 event_mask[2];
88 	__u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
89 };
90 
91 static const struct hci_sec_filter hci_sec_filter = {
92 	/* Packet types */
93 	0x10,
94 	/* Events */
95 	{ 0x1000d9fe, 0x0000b00c },
96 	/* Commands */
97 	{
98 		{ 0x0 },
99 		/* OGF_LINK_CTL */
100 		{ 0xbe000006, 0x00000001, 0x00000000, 0x00 },
101 		/* OGF_LINK_POLICY */
102 		{ 0x00005200, 0x00000000, 0x00000000, 0x00 },
103 		/* OGF_HOST_CTL */
104 		{ 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
105 		/* OGF_INFO_PARAM */
106 		{ 0x000002be, 0x00000000, 0x00000000, 0x00 },
107 		/* OGF_STATUS_PARAM */
108 		{ 0x000000ea, 0x00000000, 0x00000000, 0x00 }
109 	}
110 };
111 
112 static struct bt_sock_list hci_sk_list = {
113 	.lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
114 };
115 
116 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
117 {
118 	struct hci_filter *flt;
119 	int flt_type, flt_event;
120 
121 	/* Apply filter */
122 	flt = &hci_pi(sk)->filter;
123 
124 	flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
125 
126 	if (!test_bit(flt_type, &flt->type_mask))
127 		return true;
128 
129 	/* Extra filter for event packets only */
130 	if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
131 		return false;
132 
133 	flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
134 
135 	if (!hci_test_bit(flt_event, &flt->event_mask))
136 		return true;
137 
138 	/* Check filter only when opcode is set */
139 	if (!flt->opcode)
140 		return false;
141 
142 	if (flt_event == HCI_EV_CMD_COMPLETE &&
143 	    flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
144 		return true;
145 
146 	if (flt_event == HCI_EV_CMD_STATUS &&
147 	    flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
148 		return true;
149 
150 	return false;
151 }
152 
153 /* Send frame to RAW socket */
154 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
155 {
156 	struct sock *sk;
157 	struct sk_buff *skb_copy = NULL;
158 
159 	BT_DBG("hdev %p len %d", hdev, skb->len);
160 
161 	read_lock(&hci_sk_list.lock);
162 
163 	sk_for_each(sk, &hci_sk_list.head) {
164 		struct sk_buff *nskb;
165 
166 		if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
167 			continue;
168 
169 		/* Don't send frame to the socket it came from */
170 		if (skb->sk == sk)
171 			continue;
172 
173 		if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
174 			if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
175 			    hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
176 			    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
177 			    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
178 				continue;
179 			if (is_filtered_packet(sk, skb))
180 				continue;
181 		} else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
182 			if (!bt_cb(skb)->incoming)
183 				continue;
184 			if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
185 			    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
186 			    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
187 				continue;
188 		} else {
189 			/* Don't send frame to other channel types */
190 			continue;
191 		}
192 
193 		if (!skb_copy) {
194 			/* Create a private copy with headroom */
195 			skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
196 			if (!skb_copy)
197 				continue;
198 
199 			/* Put type byte before the data */
200 			memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
201 		}
202 
203 		nskb = skb_clone(skb_copy, GFP_ATOMIC);
204 		if (!nskb)
205 			continue;
206 
207 		if (sock_queue_rcv_skb(sk, nskb))
208 			kfree_skb(nskb);
209 	}
210 
211 	read_unlock(&hci_sk_list.lock);
212 
213 	kfree_skb(skb_copy);
214 }
215 
216 /* Send frame to sockets with specific channel */
217 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
218 			 int flag, struct sock *skip_sk)
219 {
220 	struct sock *sk;
221 
222 	BT_DBG("channel %u len %d", channel, skb->len);
223 
224 	read_lock(&hci_sk_list.lock);
225 
226 	sk_for_each(sk, &hci_sk_list.head) {
227 		struct sk_buff *nskb;
228 
229 		/* Ignore socket without the flag set */
230 		if (!hci_sock_test_flag(sk, flag))
231 			continue;
232 
233 		/* Skip the original socket */
234 		if (sk == skip_sk)
235 			continue;
236 
237 		if (sk->sk_state != BT_BOUND)
238 			continue;
239 
240 		if (hci_pi(sk)->channel != channel)
241 			continue;
242 
243 		nskb = skb_clone(skb, GFP_ATOMIC);
244 		if (!nskb)
245 			continue;
246 
247 		if (sock_queue_rcv_skb(sk, nskb))
248 			kfree_skb(nskb);
249 	}
250 
251 	read_unlock(&hci_sk_list.lock);
252 }
253 
254 /* Send frame to monitor socket */
255 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
256 {
257 	struct sk_buff *skb_copy = NULL;
258 	struct hci_mon_hdr *hdr;
259 	__le16 opcode;
260 
261 	if (!atomic_read(&monitor_promisc))
262 		return;
263 
264 	BT_DBG("hdev %p len %d", hdev, skb->len);
265 
266 	switch (hci_skb_pkt_type(skb)) {
267 	case HCI_COMMAND_PKT:
268 		opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
269 		break;
270 	case HCI_EVENT_PKT:
271 		opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
272 		break;
273 	case HCI_ACLDATA_PKT:
274 		if (bt_cb(skb)->incoming)
275 			opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
276 		else
277 			opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
278 		break;
279 	case HCI_SCODATA_PKT:
280 		if (bt_cb(skb)->incoming)
281 			opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
282 		else
283 			opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
284 		break;
285 	case HCI_DIAG_PKT:
286 		opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
287 		break;
288 	default:
289 		return;
290 	}
291 
292 	/* Create a private copy with headroom */
293 	skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
294 	if (!skb_copy)
295 		return;
296 
297 	/* Put header before the data */
298 	hdr = (void *)skb_push(skb_copy, HCI_MON_HDR_SIZE);
299 	hdr->opcode = opcode;
300 	hdr->index = cpu_to_le16(hdev->id);
301 	hdr->len = cpu_to_le16(skb->len);
302 
303 	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
304 			    HCI_SOCK_TRUSTED, NULL);
305 	kfree_skb(skb_copy);
306 }
307 
308 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
309 {
310 	struct hci_mon_hdr *hdr;
311 	struct hci_mon_new_index *ni;
312 	struct hci_mon_index_info *ii;
313 	struct sk_buff *skb;
314 	__le16 opcode;
315 
316 	switch (event) {
317 	case HCI_DEV_REG:
318 		skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
319 		if (!skb)
320 			return NULL;
321 
322 		ni = (void *)skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
323 		ni->type = hdev->dev_type;
324 		ni->bus = hdev->bus;
325 		bacpy(&ni->bdaddr, &hdev->bdaddr);
326 		memcpy(ni->name, hdev->name, 8);
327 
328 		opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
329 		break;
330 
331 	case HCI_DEV_UNREG:
332 		skb = bt_skb_alloc(0, GFP_ATOMIC);
333 		if (!skb)
334 			return NULL;
335 
336 		opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
337 		break;
338 
339 	case HCI_DEV_SETUP:
340 		if (hdev->manufacturer == 0xffff)
341 			return NULL;
342 
343 		/* fall through */
344 
345 	case HCI_DEV_UP:
346 		skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
347 		if (!skb)
348 			return NULL;
349 
350 		ii = (void *)skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
351 		bacpy(&ii->bdaddr, &hdev->bdaddr);
352 		ii->manufacturer = cpu_to_le16(hdev->manufacturer);
353 
354 		opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
355 		break;
356 
357 	case HCI_DEV_OPEN:
358 		skb = bt_skb_alloc(0, GFP_ATOMIC);
359 		if (!skb)
360 			return NULL;
361 
362 		opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
363 		break;
364 
365 	case HCI_DEV_CLOSE:
366 		skb = bt_skb_alloc(0, GFP_ATOMIC);
367 		if (!skb)
368 			return NULL;
369 
370 		opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
371 		break;
372 
373 	default:
374 		return NULL;
375 	}
376 
377 	__net_timestamp(skb);
378 
379 	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
380 	hdr->opcode = opcode;
381 	hdr->index = cpu_to_le16(hdev->id);
382 	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
383 
384 	return skb;
385 }
386 
387 static void __printf(2, 3)
388 send_monitor_note(struct sock *sk, const char *fmt, ...)
389 {
390 	size_t len;
391 	struct hci_mon_hdr *hdr;
392 	struct sk_buff *skb;
393 	va_list args;
394 
395 	va_start(args, fmt);
396 	len = vsnprintf(NULL, 0, fmt, args);
397 	va_end(args);
398 
399 	skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
400 	if (!skb)
401 		return;
402 
403 	va_start(args, fmt);
404 	vsprintf(skb_put(skb, len), fmt, args);
405 	*skb_put(skb, 1) = 0;
406 	va_end(args);
407 
408 	__net_timestamp(skb);
409 
410 	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
411 	hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
412 	hdr->index = cpu_to_le16(HCI_DEV_NONE);
413 	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
414 
415 	if (sock_queue_rcv_skb(sk, skb))
416 		kfree_skb(skb);
417 }
418 
419 static void send_monitor_replay(struct sock *sk)
420 {
421 	struct hci_dev *hdev;
422 
423 	read_lock(&hci_dev_list_lock);
424 
425 	list_for_each_entry(hdev, &hci_dev_list, list) {
426 		struct sk_buff *skb;
427 
428 		skb = create_monitor_event(hdev, HCI_DEV_REG);
429 		if (!skb)
430 			continue;
431 
432 		if (sock_queue_rcv_skb(sk, skb))
433 			kfree_skb(skb);
434 
435 		if (!test_bit(HCI_RUNNING, &hdev->flags))
436 			continue;
437 
438 		skb = create_monitor_event(hdev, HCI_DEV_OPEN);
439 		if (!skb)
440 			continue;
441 
442 		if (sock_queue_rcv_skb(sk, skb))
443 			kfree_skb(skb);
444 
445 		if (test_bit(HCI_UP, &hdev->flags))
446 			skb = create_monitor_event(hdev, HCI_DEV_UP);
447 		else if (hci_dev_test_flag(hdev, HCI_SETUP))
448 			skb = create_monitor_event(hdev, HCI_DEV_SETUP);
449 		else
450 			skb = NULL;
451 
452 		if (skb) {
453 			if (sock_queue_rcv_skb(sk, skb))
454 				kfree_skb(skb);
455 		}
456 	}
457 
458 	read_unlock(&hci_dev_list_lock);
459 }
460 
461 /* Generate internal stack event */
462 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
463 {
464 	struct hci_event_hdr *hdr;
465 	struct hci_ev_stack_internal *ev;
466 	struct sk_buff *skb;
467 
468 	skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
469 	if (!skb)
470 		return;
471 
472 	hdr = (void *)skb_put(skb, HCI_EVENT_HDR_SIZE);
473 	hdr->evt  = HCI_EV_STACK_INTERNAL;
474 	hdr->plen = sizeof(*ev) + dlen;
475 
476 	ev  = (void *)skb_put(skb, sizeof(*ev) + dlen);
477 	ev->type = type;
478 	memcpy(ev->data, data, dlen);
479 
480 	bt_cb(skb)->incoming = 1;
481 	__net_timestamp(skb);
482 
483 	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
484 	hci_send_to_sock(hdev, skb);
485 	kfree_skb(skb);
486 }
487 
488 void hci_sock_dev_event(struct hci_dev *hdev, int event)
489 {
490 	BT_DBG("hdev %s event %d", hdev->name, event);
491 
492 	if (atomic_read(&monitor_promisc)) {
493 		struct sk_buff *skb;
494 
495 		/* Send event to monitor */
496 		skb = create_monitor_event(hdev, event);
497 		if (skb) {
498 			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
499 					    HCI_SOCK_TRUSTED, NULL);
500 			kfree_skb(skb);
501 		}
502 	}
503 
504 	if (event <= HCI_DEV_DOWN) {
505 		struct hci_ev_si_device ev;
506 
507 		/* Send event to sockets */
508 		ev.event  = event;
509 		ev.dev_id = hdev->id;
510 		hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
511 	}
512 
513 	if (event == HCI_DEV_UNREG) {
514 		struct sock *sk;
515 
516 		/* Detach sockets from device */
517 		read_lock(&hci_sk_list.lock);
518 		sk_for_each(sk, &hci_sk_list.head) {
519 			bh_lock_sock_nested(sk);
520 			if (hci_pi(sk)->hdev == hdev) {
521 				hci_pi(sk)->hdev = NULL;
522 				sk->sk_err = EPIPE;
523 				sk->sk_state = BT_OPEN;
524 				sk->sk_state_change(sk);
525 
526 				hci_dev_put(hdev);
527 			}
528 			bh_unlock_sock(sk);
529 		}
530 		read_unlock(&hci_sk_list.lock);
531 	}
532 }
533 
534 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
535 {
536 	struct hci_mgmt_chan *c;
537 
538 	list_for_each_entry(c, &mgmt_chan_list, list) {
539 		if (c->channel == channel)
540 			return c;
541 	}
542 
543 	return NULL;
544 }
545 
546 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
547 {
548 	struct hci_mgmt_chan *c;
549 
550 	mutex_lock(&mgmt_chan_list_lock);
551 	c = __hci_mgmt_chan_find(channel);
552 	mutex_unlock(&mgmt_chan_list_lock);
553 
554 	return c;
555 }
556 
557 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
558 {
559 	if (c->channel < HCI_CHANNEL_CONTROL)
560 		return -EINVAL;
561 
562 	mutex_lock(&mgmt_chan_list_lock);
563 	if (__hci_mgmt_chan_find(c->channel)) {
564 		mutex_unlock(&mgmt_chan_list_lock);
565 		return -EALREADY;
566 	}
567 
568 	list_add_tail(&c->list, &mgmt_chan_list);
569 
570 	mutex_unlock(&mgmt_chan_list_lock);
571 
572 	return 0;
573 }
574 EXPORT_SYMBOL(hci_mgmt_chan_register);
575 
576 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
577 {
578 	mutex_lock(&mgmt_chan_list_lock);
579 	list_del(&c->list);
580 	mutex_unlock(&mgmt_chan_list_lock);
581 }
582 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
583 
584 static int hci_sock_release(struct socket *sock)
585 {
586 	struct sock *sk = sock->sk;
587 	struct hci_dev *hdev;
588 
589 	BT_DBG("sock %p sk %p", sock, sk);
590 
591 	if (!sk)
592 		return 0;
593 
594 	hdev = hci_pi(sk)->hdev;
595 
596 	if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
597 		atomic_dec(&monitor_promisc);
598 
599 	bt_sock_unlink(&hci_sk_list, sk);
600 
601 	if (hdev) {
602 		if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
603 			/* When releasing an user channel exclusive access,
604 			 * call hci_dev_do_close directly instead of calling
605 			 * hci_dev_close to ensure the exclusive access will
606 			 * be released and the controller brought back down.
607 			 *
608 			 * The checking of HCI_AUTO_OFF is not needed in this
609 			 * case since it will have been cleared already when
610 			 * opening the user channel.
611 			 */
612 			hci_dev_do_close(hdev);
613 			hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
614 			mgmt_index_added(hdev);
615 		}
616 
617 		atomic_dec(&hdev->promisc);
618 		hci_dev_put(hdev);
619 	}
620 
621 	sock_orphan(sk);
622 
623 	skb_queue_purge(&sk->sk_receive_queue);
624 	skb_queue_purge(&sk->sk_write_queue);
625 
626 	sock_put(sk);
627 	return 0;
628 }
629 
630 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
631 {
632 	bdaddr_t bdaddr;
633 	int err;
634 
635 	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
636 		return -EFAULT;
637 
638 	hci_dev_lock(hdev);
639 
640 	err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
641 
642 	hci_dev_unlock(hdev);
643 
644 	return err;
645 }
646 
647 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
648 {
649 	bdaddr_t bdaddr;
650 	int err;
651 
652 	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
653 		return -EFAULT;
654 
655 	hci_dev_lock(hdev);
656 
657 	err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
658 
659 	hci_dev_unlock(hdev);
660 
661 	return err;
662 }
663 
664 /* Ioctls that require bound socket */
665 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
666 				unsigned long arg)
667 {
668 	struct hci_dev *hdev = hci_pi(sk)->hdev;
669 
670 	if (!hdev)
671 		return -EBADFD;
672 
673 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
674 		return -EBUSY;
675 
676 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
677 		return -EOPNOTSUPP;
678 
679 	if (hdev->dev_type != HCI_BREDR)
680 		return -EOPNOTSUPP;
681 
682 	switch (cmd) {
683 	case HCISETRAW:
684 		if (!capable(CAP_NET_ADMIN))
685 			return -EPERM;
686 		return -EOPNOTSUPP;
687 
688 	case HCIGETCONNINFO:
689 		return hci_get_conn_info(hdev, (void __user *)arg);
690 
691 	case HCIGETAUTHINFO:
692 		return hci_get_auth_info(hdev, (void __user *)arg);
693 
694 	case HCIBLOCKADDR:
695 		if (!capable(CAP_NET_ADMIN))
696 			return -EPERM;
697 		return hci_sock_blacklist_add(hdev, (void __user *)arg);
698 
699 	case HCIUNBLOCKADDR:
700 		if (!capable(CAP_NET_ADMIN))
701 			return -EPERM;
702 		return hci_sock_blacklist_del(hdev, (void __user *)arg);
703 	}
704 
705 	return -ENOIOCTLCMD;
706 }
707 
708 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
709 			  unsigned long arg)
710 {
711 	void __user *argp = (void __user *)arg;
712 	struct sock *sk = sock->sk;
713 	int err;
714 
715 	BT_DBG("cmd %x arg %lx", cmd, arg);
716 
717 	lock_sock(sk);
718 
719 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
720 		err = -EBADFD;
721 		goto done;
722 	}
723 
724 	release_sock(sk);
725 
726 	switch (cmd) {
727 	case HCIGETDEVLIST:
728 		return hci_get_dev_list(argp);
729 
730 	case HCIGETDEVINFO:
731 		return hci_get_dev_info(argp);
732 
733 	case HCIGETCONNLIST:
734 		return hci_get_conn_list(argp);
735 
736 	case HCIDEVUP:
737 		if (!capable(CAP_NET_ADMIN))
738 			return -EPERM;
739 		return hci_dev_open(arg);
740 
741 	case HCIDEVDOWN:
742 		if (!capable(CAP_NET_ADMIN))
743 			return -EPERM;
744 		return hci_dev_close(arg);
745 
746 	case HCIDEVRESET:
747 		if (!capable(CAP_NET_ADMIN))
748 			return -EPERM;
749 		return hci_dev_reset(arg);
750 
751 	case HCIDEVRESTAT:
752 		if (!capable(CAP_NET_ADMIN))
753 			return -EPERM;
754 		return hci_dev_reset_stat(arg);
755 
756 	case HCISETSCAN:
757 	case HCISETAUTH:
758 	case HCISETENCRYPT:
759 	case HCISETPTYPE:
760 	case HCISETLINKPOL:
761 	case HCISETLINKMODE:
762 	case HCISETACLMTU:
763 	case HCISETSCOMTU:
764 		if (!capable(CAP_NET_ADMIN))
765 			return -EPERM;
766 		return hci_dev_cmd(cmd, argp);
767 
768 	case HCIINQUIRY:
769 		return hci_inquiry(argp);
770 	}
771 
772 	lock_sock(sk);
773 
774 	err = hci_sock_bound_ioctl(sk, cmd, arg);
775 
776 done:
777 	release_sock(sk);
778 	return err;
779 }
780 
781 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
782 			 int addr_len)
783 {
784 	struct sockaddr_hci haddr;
785 	struct sock *sk = sock->sk;
786 	struct hci_dev *hdev = NULL;
787 	int len, err = 0;
788 
789 	BT_DBG("sock %p sk %p", sock, sk);
790 
791 	if (!addr)
792 		return -EINVAL;
793 
794 	memset(&haddr, 0, sizeof(haddr));
795 	len = min_t(unsigned int, sizeof(haddr), addr_len);
796 	memcpy(&haddr, addr, len);
797 
798 	if (haddr.hci_family != AF_BLUETOOTH)
799 		return -EINVAL;
800 
801 	lock_sock(sk);
802 
803 	if (sk->sk_state == BT_BOUND) {
804 		err = -EALREADY;
805 		goto done;
806 	}
807 
808 	switch (haddr.hci_channel) {
809 	case HCI_CHANNEL_RAW:
810 		if (hci_pi(sk)->hdev) {
811 			err = -EALREADY;
812 			goto done;
813 		}
814 
815 		if (haddr.hci_dev != HCI_DEV_NONE) {
816 			hdev = hci_dev_get(haddr.hci_dev);
817 			if (!hdev) {
818 				err = -ENODEV;
819 				goto done;
820 			}
821 
822 			atomic_inc(&hdev->promisc);
823 		}
824 
825 		hci_pi(sk)->hdev = hdev;
826 		break;
827 
828 	case HCI_CHANNEL_USER:
829 		if (hci_pi(sk)->hdev) {
830 			err = -EALREADY;
831 			goto done;
832 		}
833 
834 		if (haddr.hci_dev == HCI_DEV_NONE) {
835 			err = -EINVAL;
836 			goto done;
837 		}
838 
839 		if (!capable(CAP_NET_ADMIN)) {
840 			err = -EPERM;
841 			goto done;
842 		}
843 
844 		hdev = hci_dev_get(haddr.hci_dev);
845 		if (!hdev) {
846 			err = -ENODEV;
847 			goto done;
848 		}
849 
850 		if (test_bit(HCI_INIT, &hdev->flags) ||
851 		    hci_dev_test_flag(hdev, HCI_SETUP) ||
852 		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
853 		    (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
854 		     test_bit(HCI_UP, &hdev->flags))) {
855 			err = -EBUSY;
856 			hci_dev_put(hdev);
857 			goto done;
858 		}
859 
860 		if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
861 			err = -EUSERS;
862 			hci_dev_put(hdev);
863 			goto done;
864 		}
865 
866 		mgmt_index_removed(hdev);
867 
868 		err = hci_dev_open(hdev->id);
869 		if (err) {
870 			if (err == -EALREADY) {
871 				/* In case the transport is already up and
872 				 * running, clear the error here.
873 				 *
874 				 * This can happen when opening an user
875 				 * channel and HCI_AUTO_OFF grace period
876 				 * is still active.
877 				 */
878 				err = 0;
879 			} else {
880 				hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
881 				mgmt_index_added(hdev);
882 				hci_dev_put(hdev);
883 				goto done;
884 			}
885 		}
886 
887 		atomic_inc(&hdev->promisc);
888 
889 		hci_pi(sk)->hdev = hdev;
890 		break;
891 
892 	case HCI_CHANNEL_MONITOR:
893 		if (haddr.hci_dev != HCI_DEV_NONE) {
894 			err = -EINVAL;
895 			goto done;
896 		}
897 
898 		if (!capable(CAP_NET_RAW)) {
899 			err = -EPERM;
900 			goto done;
901 		}
902 
903 		/* The monitor interface is restricted to CAP_NET_RAW
904 		 * capabilities and with that implicitly trusted.
905 		 */
906 		hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
907 
908 		send_monitor_note(sk, "Linux version %s (%s)",
909 				  init_utsname()->release,
910 				  init_utsname()->machine);
911 		send_monitor_note(sk, "Bluetooth subsystem version %s",
912 				  BT_SUBSYS_VERSION);
913 		send_monitor_replay(sk);
914 
915 		atomic_inc(&monitor_promisc);
916 		break;
917 
918 	case HCI_CHANNEL_LOGGING:
919 		if (haddr.hci_dev != HCI_DEV_NONE) {
920 			err = -EINVAL;
921 			goto done;
922 		}
923 
924 		if (!capable(CAP_NET_ADMIN)) {
925 			err = -EPERM;
926 			goto done;
927 		}
928 		break;
929 
930 	default:
931 		if (!hci_mgmt_chan_find(haddr.hci_channel)) {
932 			err = -EINVAL;
933 			goto done;
934 		}
935 
936 		if (haddr.hci_dev != HCI_DEV_NONE) {
937 			err = -EINVAL;
938 			goto done;
939 		}
940 
941 		/* Users with CAP_NET_ADMIN capabilities are allowed
942 		 * access to all management commands and events. For
943 		 * untrusted users the interface is restricted and
944 		 * also only untrusted events are sent.
945 		 */
946 		if (capable(CAP_NET_ADMIN))
947 			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
948 
949 		/* At the moment the index and unconfigured index events
950 		 * are enabled unconditionally. Setting them on each
951 		 * socket when binding keeps this functionality. They
952 		 * however might be cleared later and then sending of these
953 		 * events will be disabled, but that is then intentional.
954 		 *
955 		 * This also enables generic events that are safe to be
956 		 * received by untrusted users. Example for such events
957 		 * are changes to settings, class of device, name etc.
958 		 */
959 		if (haddr.hci_channel == HCI_CHANNEL_CONTROL) {
960 			hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
961 			hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
962 			hci_sock_set_flag(sk, HCI_MGMT_GENERIC_EVENTS);
963 		}
964 		break;
965 	}
966 
967 
968 	hci_pi(sk)->channel = haddr.hci_channel;
969 	sk->sk_state = BT_BOUND;
970 
971 done:
972 	release_sock(sk);
973 	return err;
974 }
975 
976 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
977 			    int *addr_len, int peer)
978 {
979 	struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
980 	struct sock *sk = sock->sk;
981 	struct hci_dev *hdev;
982 	int err = 0;
983 
984 	BT_DBG("sock %p sk %p", sock, sk);
985 
986 	if (peer)
987 		return -EOPNOTSUPP;
988 
989 	lock_sock(sk);
990 
991 	hdev = hci_pi(sk)->hdev;
992 	if (!hdev) {
993 		err = -EBADFD;
994 		goto done;
995 	}
996 
997 	*addr_len = sizeof(*haddr);
998 	haddr->hci_family = AF_BLUETOOTH;
999 	haddr->hci_dev    = hdev->id;
1000 	haddr->hci_channel= hci_pi(sk)->channel;
1001 
1002 done:
1003 	release_sock(sk);
1004 	return err;
1005 }
1006 
1007 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1008 			  struct sk_buff *skb)
1009 {
1010 	__u32 mask = hci_pi(sk)->cmsg_mask;
1011 
1012 	if (mask & HCI_CMSG_DIR) {
1013 		int incoming = bt_cb(skb)->incoming;
1014 		put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1015 			 &incoming);
1016 	}
1017 
1018 	if (mask & HCI_CMSG_TSTAMP) {
1019 #ifdef CONFIG_COMPAT
1020 		struct compat_timeval ctv;
1021 #endif
1022 		struct timeval tv;
1023 		void *data;
1024 		int len;
1025 
1026 		skb_get_timestamp(skb, &tv);
1027 
1028 		data = &tv;
1029 		len = sizeof(tv);
1030 #ifdef CONFIG_COMPAT
1031 		if (!COMPAT_USE_64BIT_TIME &&
1032 		    (msg->msg_flags & MSG_CMSG_COMPAT)) {
1033 			ctv.tv_sec = tv.tv_sec;
1034 			ctv.tv_usec = tv.tv_usec;
1035 			data = &ctv;
1036 			len = sizeof(ctv);
1037 		}
1038 #endif
1039 
1040 		put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1041 	}
1042 }
1043 
1044 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1045 			    size_t len, int flags)
1046 {
1047 	int noblock = flags & MSG_DONTWAIT;
1048 	struct sock *sk = sock->sk;
1049 	struct sk_buff *skb;
1050 	int copied, err;
1051 
1052 	BT_DBG("sock %p, sk %p", sock, sk);
1053 
1054 	if (flags & MSG_OOB)
1055 		return -EOPNOTSUPP;
1056 
1057 	if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1058 		return -EOPNOTSUPP;
1059 
1060 	if (sk->sk_state == BT_CLOSED)
1061 		return 0;
1062 
1063 	skb = skb_recv_datagram(sk, flags, noblock, &err);
1064 	if (!skb)
1065 		return err;
1066 
1067 	copied = skb->len;
1068 	if (len < copied) {
1069 		msg->msg_flags |= MSG_TRUNC;
1070 		copied = len;
1071 	}
1072 
1073 	skb_reset_transport_header(skb);
1074 	err = skb_copy_datagram_msg(skb, 0, msg, copied);
1075 
1076 	switch (hci_pi(sk)->channel) {
1077 	case HCI_CHANNEL_RAW:
1078 		hci_sock_cmsg(sk, msg, skb);
1079 		break;
1080 	case HCI_CHANNEL_USER:
1081 	case HCI_CHANNEL_MONITOR:
1082 		sock_recv_timestamp(msg, sk, skb);
1083 		break;
1084 	default:
1085 		if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1086 			sock_recv_timestamp(msg, sk, skb);
1087 		break;
1088 	}
1089 
1090 	skb_free_datagram(sk, skb);
1091 
1092 	return err ? : copied;
1093 }
1094 
1095 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1096 			struct msghdr *msg, size_t msglen)
1097 {
1098 	void *buf;
1099 	u8 *cp;
1100 	struct mgmt_hdr *hdr;
1101 	u16 opcode, index, len;
1102 	struct hci_dev *hdev = NULL;
1103 	const struct hci_mgmt_handler *handler;
1104 	bool var_len, no_hdev;
1105 	int err;
1106 
1107 	BT_DBG("got %zu bytes", msglen);
1108 
1109 	if (msglen < sizeof(*hdr))
1110 		return -EINVAL;
1111 
1112 	buf = kmalloc(msglen, GFP_KERNEL);
1113 	if (!buf)
1114 		return -ENOMEM;
1115 
1116 	if (memcpy_from_msg(buf, msg, msglen)) {
1117 		err = -EFAULT;
1118 		goto done;
1119 	}
1120 
1121 	hdr = buf;
1122 	opcode = __le16_to_cpu(hdr->opcode);
1123 	index = __le16_to_cpu(hdr->index);
1124 	len = __le16_to_cpu(hdr->len);
1125 
1126 	if (len != msglen - sizeof(*hdr)) {
1127 		err = -EINVAL;
1128 		goto done;
1129 	}
1130 
1131 	if (opcode >= chan->handler_count ||
1132 	    chan->handlers[opcode].func == NULL) {
1133 		BT_DBG("Unknown op %u", opcode);
1134 		err = mgmt_cmd_status(sk, index, opcode,
1135 				      MGMT_STATUS_UNKNOWN_COMMAND);
1136 		goto done;
1137 	}
1138 
1139 	handler = &chan->handlers[opcode];
1140 
1141 	if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1142 	    !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1143 		err = mgmt_cmd_status(sk, index, opcode,
1144 				      MGMT_STATUS_PERMISSION_DENIED);
1145 		goto done;
1146 	}
1147 
1148 	if (index != MGMT_INDEX_NONE) {
1149 		hdev = hci_dev_get(index);
1150 		if (!hdev) {
1151 			err = mgmt_cmd_status(sk, index, opcode,
1152 					      MGMT_STATUS_INVALID_INDEX);
1153 			goto done;
1154 		}
1155 
1156 		if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1157 		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
1158 		    hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1159 			err = mgmt_cmd_status(sk, index, opcode,
1160 					      MGMT_STATUS_INVALID_INDEX);
1161 			goto done;
1162 		}
1163 
1164 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1165 		    !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1166 			err = mgmt_cmd_status(sk, index, opcode,
1167 					      MGMT_STATUS_INVALID_INDEX);
1168 			goto done;
1169 		}
1170 	}
1171 
1172 	no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1173 	if (no_hdev != !hdev) {
1174 		err = mgmt_cmd_status(sk, index, opcode,
1175 				      MGMT_STATUS_INVALID_INDEX);
1176 		goto done;
1177 	}
1178 
1179 	var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1180 	if ((var_len && len < handler->data_len) ||
1181 	    (!var_len && len != handler->data_len)) {
1182 		err = mgmt_cmd_status(sk, index, opcode,
1183 				      MGMT_STATUS_INVALID_PARAMS);
1184 		goto done;
1185 	}
1186 
1187 	if (hdev && chan->hdev_init)
1188 		chan->hdev_init(sk, hdev);
1189 
1190 	cp = buf + sizeof(*hdr);
1191 
1192 	err = handler->func(sk, hdev, cp, len);
1193 	if (err < 0)
1194 		goto done;
1195 
1196 	err = msglen;
1197 
1198 done:
1199 	if (hdev)
1200 		hci_dev_put(hdev);
1201 
1202 	kfree(buf);
1203 	return err;
1204 }
1205 
1206 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
1207 {
1208 	struct hci_mon_hdr *hdr;
1209 	struct sk_buff *skb;
1210 	struct hci_dev *hdev;
1211 	u16 index;
1212 	int err;
1213 
1214 	/* The logging frame consists at minimum of the standard header,
1215 	 * the priority byte, the ident length byte and at least one string
1216 	 * terminator NUL byte. Anything shorter are invalid packets.
1217 	 */
1218 	if (len < sizeof(*hdr) + 3)
1219 		return -EINVAL;
1220 
1221 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1222 	if (!skb)
1223 		return err;
1224 
1225 	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1226 		err = -EFAULT;
1227 		goto drop;
1228 	}
1229 
1230 	hdr = (void *)skb->data;
1231 
1232 	if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) {
1233 		err = -EINVAL;
1234 		goto drop;
1235 	}
1236 
1237 	if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1238 		__u8 priority = skb->data[sizeof(*hdr)];
1239 		__u8 ident_len = skb->data[sizeof(*hdr) + 1];
1240 
1241 		/* Only the priorities 0-7 are valid and with that any other
1242 		 * value results in an invalid packet.
1243 		 *
1244 		 * The priority byte is followed by an ident length byte and
1245 		 * the NUL terminated ident string. Check that the ident
1246 		 * length is not overflowing the packet and also that the
1247 		 * ident string itself is NUL terminated. In case the ident
1248 		 * length is zero, the length value actually doubles as NUL
1249 		 * terminator identifier.
1250 		 *
1251 		 * The message follows the ident string (if present) and
1252 		 * must be NUL terminated. Otherwise it is not a valid packet.
1253 		 */
1254 		if (priority > 7 || skb->data[len - 1] != 0x00 ||
1255 		    ident_len > len - sizeof(*hdr) - 3 ||
1256 		    skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) {
1257 			err = -EINVAL;
1258 			goto drop;
1259 		}
1260 	} else {
1261 		err = -EINVAL;
1262 		goto drop;
1263 	}
1264 
1265 	index = __le16_to_cpu(hdr->index);
1266 
1267 	if (index != MGMT_INDEX_NONE) {
1268 		hdev = hci_dev_get(index);
1269 		if (!hdev) {
1270 			err = -ENODEV;
1271 			goto drop;
1272 		}
1273 	} else {
1274 		hdev = NULL;
1275 	}
1276 
1277 	hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1278 
1279 	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1280 	err = len;
1281 
1282 	if (hdev)
1283 		hci_dev_put(hdev);
1284 
1285 drop:
1286 	kfree_skb(skb);
1287 	return err;
1288 }
1289 
1290 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1291 			    size_t len)
1292 {
1293 	struct sock *sk = sock->sk;
1294 	struct hci_mgmt_chan *chan;
1295 	struct hci_dev *hdev;
1296 	struct sk_buff *skb;
1297 	int err;
1298 
1299 	BT_DBG("sock %p sk %p", sock, sk);
1300 
1301 	if (msg->msg_flags & MSG_OOB)
1302 		return -EOPNOTSUPP;
1303 
1304 	if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
1305 		return -EINVAL;
1306 
1307 	if (len < 4 || len > HCI_MAX_FRAME_SIZE)
1308 		return -EINVAL;
1309 
1310 	lock_sock(sk);
1311 
1312 	switch (hci_pi(sk)->channel) {
1313 	case HCI_CHANNEL_RAW:
1314 	case HCI_CHANNEL_USER:
1315 		break;
1316 	case HCI_CHANNEL_MONITOR:
1317 		err = -EOPNOTSUPP;
1318 		goto done;
1319 	case HCI_CHANNEL_LOGGING:
1320 		err = hci_logging_frame(sk, msg, len);
1321 		goto done;
1322 	default:
1323 		mutex_lock(&mgmt_chan_list_lock);
1324 		chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1325 		if (chan)
1326 			err = hci_mgmt_cmd(chan, sk, msg, len);
1327 		else
1328 			err = -EINVAL;
1329 
1330 		mutex_unlock(&mgmt_chan_list_lock);
1331 		goto done;
1332 	}
1333 
1334 	hdev = hci_pi(sk)->hdev;
1335 	if (!hdev) {
1336 		err = -EBADFD;
1337 		goto done;
1338 	}
1339 
1340 	if (!test_bit(HCI_UP, &hdev->flags)) {
1341 		err = -ENETDOWN;
1342 		goto done;
1343 	}
1344 
1345 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1346 	if (!skb)
1347 		goto done;
1348 
1349 	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1350 		err = -EFAULT;
1351 		goto drop;
1352 	}
1353 
1354 	hci_skb_pkt_type(skb) = skb->data[0];
1355 	skb_pull(skb, 1);
1356 
1357 	if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1358 		/* No permission check is needed for user channel
1359 		 * since that gets enforced when binding the socket.
1360 		 *
1361 		 * However check that the packet type is valid.
1362 		 */
1363 		if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1364 		    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1365 		    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1366 			err = -EINVAL;
1367 			goto drop;
1368 		}
1369 
1370 		skb_queue_tail(&hdev->raw_q, skb);
1371 		queue_work(hdev->workqueue, &hdev->tx_work);
1372 	} else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1373 		u16 opcode = get_unaligned_le16(skb->data);
1374 		u16 ogf = hci_opcode_ogf(opcode);
1375 		u16 ocf = hci_opcode_ocf(opcode);
1376 
1377 		if (((ogf > HCI_SFLT_MAX_OGF) ||
1378 		     !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1379 				   &hci_sec_filter.ocf_mask[ogf])) &&
1380 		    !capable(CAP_NET_RAW)) {
1381 			err = -EPERM;
1382 			goto drop;
1383 		}
1384 
1385 		/* Since the opcode has already been extracted here, store
1386 		 * a copy of the value for later use by the drivers.
1387 		 */
1388 		hci_skb_opcode(skb) = opcode;
1389 
1390 		if (ogf == 0x3f) {
1391 			skb_queue_tail(&hdev->raw_q, skb);
1392 			queue_work(hdev->workqueue, &hdev->tx_work);
1393 		} else {
1394 			/* Stand-alone HCI commands must be flagged as
1395 			 * single-command requests.
1396 			 */
1397 			bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1398 
1399 			skb_queue_tail(&hdev->cmd_q, skb);
1400 			queue_work(hdev->workqueue, &hdev->cmd_work);
1401 		}
1402 	} else {
1403 		if (!capable(CAP_NET_RAW)) {
1404 			err = -EPERM;
1405 			goto drop;
1406 		}
1407 
1408 		if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1409 		    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1410 			err = -EINVAL;
1411 			goto drop;
1412 		}
1413 
1414 		skb_queue_tail(&hdev->raw_q, skb);
1415 		queue_work(hdev->workqueue, &hdev->tx_work);
1416 	}
1417 
1418 	err = len;
1419 
1420 done:
1421 	release_sock(sk);
1422 	return err;
1423 
1424 drop:
1425 	kfree_skb(skb);
1426 	goto done;
1427 }
1428 
1429 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1430 			       char __user *optval, unsigned int len)
1431 {
1432 	struct hci_ufilter uf = { .opcode = 0 };
1433 	struct sock *sk = sock->sk;
1434 	int err = 0, opt = 0;
1435 
1436 	BT_DBG("sk %p, opt %d", sk, optname);
1437 
1438 	lock_sock(sk);
1439 
1440 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1441 		err = -EBADFD;
1442 		goto done;
1443 	}
1444 
1445 	switch (optname) {
1446 	case HCI_DATA_DIR:
1447 		if (get_user(opt, (int __user *)optval)) {
1448 			err = -EFAULT;
1449 			break;
1450 		}
1451 
1452 		if (opt)
1453 			hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1454 		else
1455 			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1456 		break;
1457 
1458 	case HCI_TIME_STAMP:
1459 		if (get_user(opt, (int __user *)optval)) {
1460 			err = -EFAULT;
1461 			break;
1462 		}
1463 
1464 		if (opt)
1465 			hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1466 		else
1467 			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1468 		break;
1469 
1470 	case HCI_FILTER:
1471 		{
1472 			struct hci_filter *f = &hci_pi(sk)->filter;
1473 
1474 			uf.type_mask = f->type_mask;
1475 			uf.opcode    = f->opcode;
1476 			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1477 			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1478 		}
1479 
1480 		len = min_t(unsigned int, len, sizeof(uf));
1481 		if (copy_from_user(&uf, optval, len)) {
1482 			err = -EFAULT;
1483 			break;
1484 		}
1485 
1486 		if (!capable(CAP_NET_RAW)) {
1487 			uf.type_mask &= hci_sec_filter.type_mask;
1488 			uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1489 			uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1490 		}
1491 
1492 		{
1493 			struct hci_filter *f = &hci_pi(sk)->filter;
1494 
1495 			f->type_mask = uf.type_mask;
1496 			f->opcode    = uf.opcode;
1497 			*((u32 *) f->event_mask + 0) = uf.event_mask[0];
1498 			*((u32 *) f->event_mask + 1) = uf.event_mask[1];
1499 		}
1500 		break;
1501 
1502 	default:
1503 		err = -ENOPROTOOPT;
1504 		break;
1505 	}
1506 
1507 done:
1508 	release_sock(sk);
1509 	return err;
1510 }
1511 
1512 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1513 			       char __user *optval, int __user *optlen)
1514 {
1515 	struct hci_ufilter uf;
1516 	struct sock *sk = sock->sk;
1517 	int len, opt, err = 0;
1518 
1519 	BT_DBG("sk %p, opt %d", sk, optname);
1520 
1521 	if (get_user(len, optlen))
1522 		return -EFAULT;
1523 
1524 	lock_sock(sk);
1525 
1526 	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1527 		err = -EBADFD;
1528 		goto done;
1529 	}
1530 
1531 	switch (optname) {
1532 	case HCI_DATA_DIR:
1533 		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1534 			opt = 1;
1535 		else
1536 			opt = 0;
1537 
1538 		if (put_user(opt, optval))
1539 			err = -EFAULT;
1540 		break;
1541 
1542 	case HCI_TIME_STAMP:
1543 		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1544 			opt = 1;
1545 		else
1546 			opt = 0;
1547 
1548 		if (put_user(opt, optval))
1549 			err = -EFAULT;
1550 		break;
1551 
1552 	case HCI_FILTER:
1553 		{
1554 			struct hci_filter *f = &hci_pi(sk)->filter;
1555 
1556 			memset(&uf, 0, sizeof(uf));
1557 			uf.type_mask = f->type_mask;
1558 			uf.opcode    = f->opcode;
1559 			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1560 			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1561 		}
1562 
1563 		len = min_t(unsigned int, len, sizeof(uf));
1564 		if (copy_to_user(optval, &uf, len))
1565 			err = -EFAULT;
1566 		break;
1567 
1568 	default:
1569 		err = -ENOPROTOOPT;
1570 		break;
1571 	}
1572 
1573 done:
1574 	release_sock(sk);
1575 	return err;
1576 }
1577 
1578 static const struct proto_ops hci_sock_ops = {
1579 	.family		= PF_BLUETOOTH,
1580 	.owner		= THIS_MODULE,
1581 	.release	= hci_sock_release,
1582 	.bind		= hci_sock_bind,
1583 	.getname	= hci_sock_getname,
1584 	.sendmsg	= hci_sock_sendmsg,
1585 	.recvmsg	= hci_sock_recvmsg,
1586 	.ioctl		= hci_sock_ioctl,
1587 	.poll		= datagram_poll,
1588 	.listen		= sock_no_listen,
1589 	.shutdown	= sock_no_shutdown,
1590 	.setsockopt	= hci_sock_setsockopt,
1591 	.getsockopt	= hci_sock_getsockopt,
1592 	.connect	= sock_no_connect,
1593 	.socketpair	= sock_no_socketpair,
1594 	.accept		= sock_no_accept,
1595 	.mmap		= sock_no_mmap
1596 };
1597 
1598 static struct proto hci_sk_proto = {
1599 	.name		= "HCI",
1600 	.owner		= THIS_MODULE,
1601 	.obj_size	= sizeof(struct hci_pinfo)
1602 };
1603 
1604 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1605 			   int kern)
1606 {
1607 	struct sock *sk;
1608 
1609 	BT_DBG("sock %p", sock);
1610 
1611 	if (sock->type != SOCK_RAW)
1612 		return -ESOCKTNOSUPPORT;
1613 
1614 	sock->ops = &hci_sock_ops;
1615 
1616 	sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
1617 	if (!sk)
1618 		return -ENOMEM;
1619 
1620 	sock_init_data(sock, sk);
1621 
1622 	sock_reset_flag(sk, SOCK_ZAPPED);
1623 
1624 	sk->sk_protocol = protocol;
1625 
1626 	sock->state = SS_UNCONNECTED;
1627 	sk->sk_state = BT_OPEN;
1628 
1629 	bt_sock_link(&hci_sk_list, sk);
1630 	return 0;
1631 }
1632 
1633 static const struct net_proto_family hci_sock_family_ops = {
1634 	.family	= PF_BLUETOOTH,
1635 	.owner	= THIS_MODULE,
1636 	.create	= hci_sock_create,
1637 };
1638 
1639 int __init hci_sock_init(void)
1640 {
1641 	int err;
1642 
1643 	BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
1644 
1645 	err = proto_register(&hci_sk_proto, 0);
1646 	if (err < 0)
1647 		return err;
1648 
1649 	err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1650 	if (err < 0) {
1651 		BT_ERR("HCI socket registration failed");
1652 		goto error;
1653 	}
1654 
1655 	err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1656 	if (err < 0) {
1657 		BT_ERR("Failed to create HCI proc file");
1658 		bt_sock_unregister(BTPROTO_HCI);
1659 		goto error;
1660 	}
1661 
1662 	BT_INFO("HCI socket layer initialized");
1663 
1664 	return 0;
1665 
1666 error:
1667 	proto_unregister(&hci_sk_proto);
1668 	return err;
1669 }
1670 
1671 void hci_sock_cleanup(void)
1672 {
1673 	bt_procfs_cleanup(&init_net, "hci");
1674 	bt_sock_unregister(BTPROTO_HCI);
1675 	proto_unregister(&hci_sk_proto);
1676 }
1677