1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 #include <linux/compat.h> 27 #include <linux/export.h> 28 #include <linux/utsname.h> 29 #include <linux/sched.h> 30 #include <linux/unaligned.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/hci_mon.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "mgmt_util.h" 38 39 static LIST_HEAD(mgmt_chan_list); 40 static DEFINE_MUTEX(mgmt_chan_list_lock); 41 42 static DEFINE_IDA(sock_cookie_ida); 43 44 static atomic_t monitor_promisc = ATOMIC_INIT(0); 45 46 /* ----- HCI socket interface ----- */ 47 48 /* Socket info */ 49 #define hci_pi(sk) ((struct hci_pinfo *) sk) 50 51 struct hci_pinfo { 52 struct bt_sock bt; 53 struct hci_dev *hdev; 54 struct hci_filter filter; 55 __u8 cmsg_mask; 56 unsigned short channel; 57 unsigned long flags; 58 __u32 cookie; 59 char comm[TASK_COMM_LEN]; 60 __u16 mtu; 61 }; 62 63 static struct hci_dev *hci_hdev_from_sock(struct sock *sk) 64 { 65 struct hci_dev *hdev = hci_pi(sk)->hdev; 66 67 if (!hdev) 68 return ERR_PTR(-EBADFD); 69 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) 70 return ERR_PTR(-EPIPE); 71 return hdev; 72 } 73 74 void hci_sock_set_flag(struct sock *sk, int nr) 75 { 76 set_bit(nr, &hci_pi(sk)->flags); 77 } 78 79 void hci_sock_clear_flag(struct sock *sk, int nr) 80 { 81 clear_bit(nr, &hci_pi(sk)->flags); 82 } 83 84 int hci_sock_test_flag(struct sock *sk, int nr) 85 { 86 return test_bit(nr, &hci_pi(sk)->flags); 87 } 88 89 unsigned short hci_sock_get_channel(struct sock *sk) 90 { 91 return hci_pi(sk)->channel; 92 } 93 94 u32 hci_sock_get_cookie(struct sock *sk) 95 { 96 return hci_pi(sk)->cookie; 97 } 98 99 static bool hci_sock_gen_cookie(struct sock *sk) 100 { 101 int id = hci_pi(sk)->cookie; 102 103 if (!id) { 104 id = ida_alloc_min(&sock_cookie_ida, 1, GFP_KERNEL); 105 if (id < 0) 106 id = 0xffffffff; 107 108 hci_pi(sk)->cookie = id; 109 get_task_comm(hci_pi(sk)->comm, current); 110 return true; 111 } 112 113 return false; 114 } 115 116 static void hci_sock_free_cookie(struct sock *sk) 117 { 118 int id = hci_pi(sk)->cookie; 119 120 if (id) { 121 hci_pi(sk)->cookie = 0; 122 ida_free(&sock_cookie_ida, id); 123 } 124 } 125 126 static inline int hci_test_bit(int nr, const void *addr) 127 { 128 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 129 } 130 131 /* Security filter */ 132 #define HCI_SFLT_MAX_OGF 5 133 134 struct hci_sec_filter { 135 __u32 type_mask; 136 __u32 event_mask[2]; 137 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4]; 138 }; 139 140 static const struct hci_sec_filter hci_sec_filter = { 141 /* Packet types */ 142 0x10, 143 /* Events */ 144 { 0x1000d9fe, 0x0000b00c }, 145 /* Commands */ 146 { 147 { 0x0 }, 148 /* OGF_LINK_CTL */ 149 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 150 /* OGF_LINK_POLICY */ 151 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 152 /* OGF_HOST_CTL */ 153 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 154 /* OGF_INFO_PARAM */ 155 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 156 /* OGF_STATUS_PARAM */ 157 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 158 } 159 }; 160 161 static struct bt_sock_list hci_sk_list = { 162 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 163 }; 164 165 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) 166 { 167 struct hci_filter *flt; 168 int flt_type, flt_event; 169 170 /* Apply filter */ 171 flt = &hci_pi(sk)->filter; 172 173 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS; 174 175 if (!test_bit(flt_type, &flt->type_mask)) 176 return true; 177 178 /* Extra filter for event packets only */ 179 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT) 180 return false; 181 182 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 183 184 if (!hci_test_bit(flt_event, &flt->event_mask)) 185 return true; 186 187 /* Check filter only when opcode is set */ 188 if (!flt->opcode) 189 return false; 190 191 if (flt_event == HCI_EV_CMD_COMPLETE && 192 flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) 193 return true; 194 195 if (flt_event == HCI_EV_CMD_STATUS && 196 flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) 197 return true; 198 199 return false; 200 } 201 202 /* Send frame to RAW socket */ 203 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 204 { 205 struct sock *sk; 206 struct sk_buff *skb_copy = NULL; 207 208 BT_DBG("hdev %p len %d", hdev, skb->len); 209 210 read_lock(&hci_sk_list.lock); 211 212 sk_for_each(sk, &hci_sk_list.head) { 213 struct sk_buff *nskb; 214 215 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 216 continue; 217 218 /* Don't send frame to the socket it came from */ 219 if (skb->sk == sk) 220 continue; 221 222 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { 223 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && 224 hci_skb_pkt_type(skb) != HCI_EVENT_PKT && 225 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 226 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 227 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) 228 continue; 229 if (is_filtered_packet(sk, skb)) 230 continue; 231 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 232 if (!bt_cb(skb)->incoming) 233 continue; 234 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT && 235 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 236 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 237 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT && 238 hci_skb_pkt_type(skb) != HCI_DRV_PKT) 239 continue; 240 } else { 241 /* Don't send frame to other channel types */ 242 continue; 243 } 244 245 if (!skb_copy) { 246 /* Create a private copy with headroom */ 247 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true); 248 if (!skb_copy) 249 continue; 250 251 /* Put type byte before the data */ 252 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1); 253 } 254 255 nskb = skb_clone(skb_copy, GFP_ATOMIC); 256 if (!nskb) 257 continue; 258 259 if (sock_queue_rcv_skb(sk, nskb)) 260 kfree_skb(nskb); 261 } 262 263 read_unlock(&hci_sk_list.lock); 264 265 kfree_skb(skb_copy); 266 } 267 268 static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb) 269 { 270 struct scm_creds *creds; 271 272 if (!sk || WARN_ON(!skb)) 273 return; 274 275 creds = &bt_cb(skb)->creds; 276 277 /* Check if peer credentials is set */ 278 if (!sk->sk_peer_pid) { 279 /* Check if parent peer credentials is set */ 280 if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid) 281 sk = bt_sk(sk)->parent; 282 else 283 return; 284 } 285 286 /* Check if scm_creds already set */ 287 if (creds->pid == pid_vnr(sk->sk_peer_pid)) 288 return; 289 290 memset(creds, 0, sizeof(*creds)); 291 292 creds->pid = pid_vnr(sk->sk_peer_pid); 293 if (sk->sk_peer_cred) { 294 creds->uid = sk->sk_peer_cred->uid; 295 creds->gid = sk->sk_peer_cred->gid; 296 } 297 } 298 299 static struct sk_buff *hci_skb_clone(struct sk_buff *skb) 300 { 301 struct sk_buff *nskb; 302 303 if (!skb) 304 return NULL; 305 306 nskb = skb_clone(skb, GFP_ATOMIC); 307 if (!nskb) 308 return NULL; 309 310 hci_sock_copy_creds(skb->sk, nskb); 311 312 return nskb; 313 } 314 315 /* Send frame to sockets with specific channel */ 316 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb, 317 int flag, struct sock *skip_sk) 318 { 319 struct sock *sk; 320 321 BT_DBG("channel %u len %d", channel, skb->len); 322 323 sk_for_each(sk, &hci_sk_list.head) { 324 struct sk_buff *nskb; 325 326 /* Ignore socket without the flag set */ 327 if (!hci_sock_test_flag(sk, flag)) 328 continue; 329 330 /* Skip the original socket */ 331 if (sk == skip_sk) 332 continue; 333 334 if (sk->sk_state != BT_BOUND) 335 continue; 336 337 if (hci_pi(sk)->channel != channel) 338 continue; 339 340 nskb = hci_skb_clone(skb); 341 if (!nskb) 342 continue; 343 344 if (sock_queue_rcv_skb(sk, nskb)) 345 kfree_skb(nskb); 346 } 347 348 } 349 350 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb, 351 int flag, struct sock *skip_sk) 352 { 353 read_lock(&hci_sk_list.lock); 354 __hci_send_to_channel(channel, skb, flag, skip_sk); 355 read_unlock(&hci_sk_list.lock); 356 } 357 358 /* Send frame to monitor socket */ 359 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 360 { 361 struct sk_buff *skb_copy = NULL; 362 struct hci_mon_hdr *hdr; 363 __le16 opcode; 364 365 if (!atomic_read(&monitor_promisc)) 366 return; 367 368 BT_DBG("hdev %p len %d", hdev, skb->len); 369 370 switch (hci_skb_pkt_type(skb)) { 371 case HCI_COMMAND_PKT: 372 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 373 break; 374 case HCI_EVENT_PKT: 375 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 376 break; 377 case HCI_ACLDATA_PKT: 378 if (bt_cb(skb)->incoming) 379 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 380 else 381 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 382 break; 383 case HCI_SCODATA_PKT: 384 if (bt_cb(skb)->incoming) 385 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 386 else 387 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 388 break; 389 case HCI_ISODATA_PKT: 390 if (bt_cb(skb)->incoming) 391 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT); 392 else 393 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT); 394 break; 395 case HCI_DRV_PKT: 396 if (bt_cb(skb)->incoming) 397 opcode = cpu_to_le16(HCI_MON_DRV_RX_PKT); 398 else 399 opcode = cpu_to_le16(HCI_MON_DRV_TX_PKT); 400 break; 401 case HCI_DIAG_PKT: 402 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG); 403 break; 404 default: 405 return; 406 } 407 408 /* Create a private copy with headroom */ 409 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true); 410 if (!skb_copy) 411 return; 412 413 hci_sock_copy_creds(skb->sk, skb_copy); 414 415 /* Put header before the data */ 416 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE); 417 hdr->opcode = opcode; 418 hdr->index = cpu_to_le16(hdev->id); 419 hdr->len = cpu_to_le16(skb->len); 420 421 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy, 422 HCI_SOCK_TRUSTED, NULL); 423 kfree_skb(skb_copy); 424 } 425 426 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, 427 void *data, u16 data_len, ktime_t tstamp, 428 int flag, struct sock *skip_sk) 429 { 430 struct sock *sk; 431 __le16 index; 432 433 if (hdev) 434 index = cpu_to_le16(hdev->id); 435 else 436 index = cpu_to_le16(MGMT_INDEX_NONE); 437 438 read_lock(&hci_sk_list.lock); 439 440 sk_for_each(sk, &hci_sk_list.head) { 441 struct hci_mon_hdr *hdr; 442 struct sk_buff *skb; 443 444 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 445 continue; 446 447 /* Ignore socket without the flag set */ 448 if (!hci_sock_test_flag(sk, flag)) 449 continue; 450 451 /* Skip the original socket */ 452 if (sk == skip_sk) 453 continue; 454 455 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC); 456 if (!skb) 457 continue; 458 459 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 460 put_unaligned_le16(event, skb_put(skb, 2)); 461 462 if (data) 463 skb_put_data(skb, data, data_len); 464 465 skb->tstamp = tstamp; 466 467 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 468 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); 469 hdr->index = index; 470 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 471 472 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 473 HCI_SOCK_TRUSTED, NULL); 474 kfree_skb(skb); 475 } 476 477 read_unlock(&hci_sk_list.lock); 478 } 479 480 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 481 { 482 struct hci_mon_hdr *hdr; 483 struct hci_mon_new_index *ni; 484 struct hci_mon_index_info *ii; 485 struct sk_buff *skb; 486 __le16 opcode; 487 488 switch (event) { 489 case HCI_DEV_REG: 490 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 491 if (!skb) 492 return NULL; 493 494 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 495 ni->type = 0x00; /* Old hdev->dev_type */ 496 ni->bus = hdev->bus; 497 bacpy(&ni->bdaddr, &hdev->bdaddr); 498 memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name, 499 strnlen(hdev->name, sizeof(ni->name)), '\0'); 500 501 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 502 break; 503 504 case HCI_DEV_UNREG: 505 skb = bt_skb_alloc(0, GFP_ATOMIC); 506 if (!skb) 507 return NULL; 508 509 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 510 break; 511 512 case HCI_DEV_SETUP: 513 if (hdev->manufacturer == 0xffff) 514 return NULL; 515 fallthrough; 516 517 case HCI_DEV_UP: 518 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC); 519 if (!skb) 520 return NULL; 521 522 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE); 523 bacpy(&ii->bdaddr, &hdev->bdaddr); 524 ii->manufacturer = cpu_to_le16(hdev->manufacturer); 525 526 opcode = cpu_to_le16(HCI_MON_INDEX_INFO); 527 break; 528 529 case HCI_DEV_OPEN: 530 skb = bt_skb_alloc(0, GFP_ATOMIC); 531 if (!skb) 532 return NULL; 533 534 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX); 535 break; 536 537 case HCI_DEV_CLOSE: 538 skb = bt_skb_alloc(0, GFP_ATOMIC); 539 if (!skb) 540 return NULL; 541 542 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX); 543 break; 544 545 default: 546 return NULL; 547 } 548 549 __net_timestamp(skb); 550 551 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 552 hdr->opcode = opcode; 553 hdr->index = cpu_to_le16(hdev->id); 554 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 555 556 return skb; 557 } 558 559 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) 560 { 561 struct hci_mon_hdr *hdr; 562 struct sk_buff *skb; 563 u16 format; 564 u8 ver[3]; 565 u32 flags; 566 567 /* No message needed when cookie is not present */ 568 if (!hci_pi(sk)->cookie) 569 return NULL; 570 571 switch (hci_pi(sk)->channel) { 572 case HCI_CHANNEL_RAW: 573 format = 0x0000; 574 ver[0] = BT_SUBSYS_VERSION; 575 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 576 break; 577 case HCI_CHANNEL_USER: 578 format = 0x0001; 579 ver[0] = BT_SUBSYS_VERSION; 580 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); 581 break; 582 case HCI_CHANNEL_CONTROL: 583 format = 0x0002; 584 mgmt_fill_version_info(ver); 585 break; 586 default: 587 /* No message for unsupported format */ 588 return NULL; 589 } 590 591 skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC); 592 if (!skb) 593 return NULL; 594 595 hci_sock_copy_creds(sk, skb); 596 597 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0; 598 599 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 600 put_unaligned_le16(format, skb_put(skb, 2)); 601 skb_put_data(skb, ver, sizeof(ver)); 602 put_unaligned_le32(flags, skb_put(skb, 4)); 603 skb_put_u8(skb, TASK_COMM_LEN); 604 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN); 605 606 __net_timestamp(skb); 607 608 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 609 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); 610 if (hci_pi(sk)->hdev) 611 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 612 else 613 hdr->index = cpu_to_le16(HCI_DEV_NONE); 614 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 615 616 return skb; 617 } 618 619 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) 620 { 621 struct hci_mon_hdr *hdr; 622 struct sk_buff *skb; 623 624 /* No message needed when cookie is not present */ 625 if (!hci_pi(sk)->cookie) 626 return NULL; 627 628 switch (hci_pi(sk)->channel) { 629 case HCI_CHANNEL_RAW: 630 case HCI_CHANNEL_USER: 631 case HCI_CHANNEL_CONTROL: 632 break; 633 default: 634 /* No message for unsupported format */ 635 return NULL; 636 } 637 638 skb = bt_skb_alloc(4, GFP_ATOMIC); 639 if (!skb) 640 return NULL; 641 642 hci_sock_copy_creds(sk, skb); 643 644 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 645 646 __net_timestamp(skb); 647 648 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 649 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); 650 if (hci_pi(sk)->hdev) 651 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); 652 else 653 hdr->index = cpu_to_le16(HCI_DEV_NONE); 654 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 655 656 return skb; 657 } 658 659 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, 660 u16 opcode, u16 len, 661 const void *buf) 662 { 663 struct hci_mon_hdr *hdr; 664 struct sk_buff *skb; 665 666 skb = bt_skb_alloc(6 + len, GFP_ATOMIC); 667 if (!skb) 668 return NULL; 669 670 hci_sock_copy_creds(sk, skb); 671 672 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); 673 put_unaligned_le16(opcode, skb_put(skb, 2)); 674 675 if (buf) 676 skb_put_data(skb, buf, len); 677 678 __net_timestamp(skb); 679 680 hdr = skb_push(skb, HCI_MON_HDR_SIZE); 681 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); 682 hdr->index = cpu_to_le16(index); 683 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 684 685 return skb; 686 } 687 688 static void __printf(2, 3) 689 send_monitor_note(struct sock *sk, const char *fmt, ...) 690 { 691 size_t len; 692 struct hci_mon_hdr *hdr; 693 struct sk_buff *skb; 694 va_list args; 695 696 va_start(args, fmt); 697 len = vsnprintf(NULL, 0, fmt, args); 698 va_end(args); 699 700 skb = bt_skb_alloc(len + 1, GFP_ATOMIC); 701 if (!skb) 702 return; 703 704 hci_sock_copy_creds(sk, skb); 705 706 va_start(args, fmt); 707 vsprintf(skb_put(skb, len), fmt, args); 708 *(u8 *)skb_put(skb, 1) = 0; 709 va_end(args); 710 711 __net_timestamp(skb); 712 713 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); 714 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE); 715 hdr->index = cpu_to_le16(HCI_DEV_NONE); 716 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 717 718 if (sock_queue_rcv_skb(sk, skb)) 719 kfree_skb(skb); 720 } 721 722 static void send_monitor_replay(struct sock *sk) 723 { 724 struct hci_dev *hdev; 725 726 read_lock(&hci_dev_list_lock); 727 728 list_for_each_entry(hdev, &hci_dev_list, list) { 729 struct sk_buff *skb; 730 731 skb = create_monitor_event(hdev, HCI_DEV_REG); 732 if (!skb) 733 continue; 734 735 if (sock_queue_rcv_skb(sk, skb)) 736 kfree_skb(skb); 737 738 if (!test_bit(HCI_RUNNING, &hdev->flags)) 739 continue; 740 741 skb = create_monitor_event(hdev, HCI_DEV_OPEN); 742 if (!skb) 743 continue; 744 745 if (sock_queue_rcv_skb(sk, skb)) 746 kfree_skb(skb); 747 748 if (test_bit(HCI_UP, &hdev->flags)) 749 skb = create_monitor_event(hdev, HCI_DEV_UP); 750 else if (hci_dev_test_flag(hdev, HCI_SETUP)) 751 skb = create_monitor_event(hdev, HCI_DEV_SETUP); 752 else 753 skb = NULL; 754 755 if (skb) { 756 if (sock_queue_rcv_skb(sk, skb)) 757 kfree_skb(skb); 758 } 759 } 760 761 read_unlock(&hci_dev_list_lock); 762 } 763 764 static void send_monitor_control_replay(struct sock *mon_sk) 765 { 766 struct sock *sk; 767 768 read_lock(&hci_sk_list.lock); 769 770 sk_for_each(sk, &hci_sk_list.head) { 771 struct sk_buff *skb; 772 773 skb = create_monitor_ctrl_open(sk); 774 if (!skb) 775 continue; 776 777 if (sock_queue_rcv_skb(mon_sk, skb)) 778 kfree_skb(skb); 779 } 780 781 read_unlock(&hci_sk_list.lock); 782 } 783 784 /* Generate internal stack event */ 785 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 786 { 787 struct hci_event_hdr *hdr; 788 struct hci_ev_stack_internal *ev; 789 struct sk_buff *skb; 790 791 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 792 if (!skb) 793 return; 794 795 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE); 796 hdr->evt = HCI_EV_STACK_INTERNAL; 797 hdr->plen = sizeof(*ev) + dlen; 798 799 ev = skb_put(skb, sizeof(*ev) + dlen); 800 ev->type = type; 801 memcpy(ev->data, data, dlen); 802 803 bt_cb(skb)->incoming = 1; 804 __net_timestamp(skb); 805 806 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 807 hci_send_to_sock(hdev, skb); 808 kfree_skb(skb); 809 } 810 811 void hci_sock_dev_event(struct hci_dev *hdev, int event) 812 { 813 BT_DBG("hdev %s event %d", hdev->name, event); 814 815 if (atomic_read(&monitor_promisc)) { 816 struct sk_buff *skb; 817 818 /* Send event to monitor */ 819 skb = create_monitor_event(hdev, event); 820 if (skb) { 821 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 822 HCI_SOCK_TRUSTED, NULL); 823 kfree_skb(skb); 824 } 825 } 826 827 if (event <= HCI_DEV_DOWN) { 828 struct hci_ev_si_device ev; 829 830 /* Send event to sockets */ 831 ev.event = event; 832 ev.dev_id = hdev->id; 833 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 834 } 835 836 if (event == HCI_DEV_UNREG) { 837 struct sock *sk; 838 839 /* Wake up sockets using this dead device */ 840 read_lock(&hci_sk_list.lock); 841 sk_for_each(sk, &hci_sk_list.head) { 842 if (hci_pi(sk)->hdev == hdev) { 843 sk->sk_err = EPIPE; 844 sk->sk_state_change(sk); 845 } 846 } 847 read_unlock(&hci_sk_list.lock); 848 } 849 } 850 851 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel) 852 { 853 struct hci_mgmt_chan *c; 854 855 list_for_each_entry(c, &mgmt_chan_list, list) { 856 if (c->channel == channel) 857 return c; 858 } 859 860 return NULL; 861 } 862 863 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel) 864 { 865 struct hci_mgmt_chan *c; 866 867 mutex_lock(&mgmt_chan_list_lock); 868 c = __hci_mgmt_chan_find(channel); 869 mutex_unlock(&mgmt_chan_list_lock); 870 871 return c; 872 } 873 874 int hci_mgmt_chan_register(struct hci_mgmt_chan *c) 875 { 876 if (c->channel < HCI_CHANNEL_CONTROL) 877 return -EINVAL; 878 879 mutex_lock(&mgmt_chan_list_lock); 880 if (__hci_mgmt_chan_find(c->channel)) { 881 mutex_unlock(&mgmt_chan_list_lock); 882 return -EALREADY; 883 } 884 885 list_add_tail(&c->list, &mgmt_chan_list); 886 887 mutex_unlock(&mgmt_chan_list_lock); 888 889 return 0; 890 } 891 EXPORT_SYMBOL(hci_mgmt_chan_register); 892 893 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c) 894 { 895 mutex_lock(&mgmt_chan_list_lock); 896 list_del(&c->list); 897 mutex_unlock(&mgmt_chan_list_lock); 898 } 899 EXPORT_SYMBOL(hci_mgmt_chan_unregister); 900 901 static int hci_sock_release(struct socket *sock) 902 { 903 struct sock *sk = sock->sk; 904 struct hci_dev *hdev; 905 struct sk_buff *skb; 906 907 BT_DBG("sock %p sk %p", sock, sk); 908 909 if (!sk) 910 return 0; 911 912 lock_sock(sk); 913 914 switch (hci_pi(sk)->channel) { 915 case HCI_CHANNEL_MONITOR: 916 atomic_dec(&monitor_promisc); 917 break; 918 case HCI_CHANNEL_RAW: 919 case HCI_CHANNEL_USER: 920 case HCI_CHANNEL_CONTROL: 921 /* Send event to monitor */ 922 skb = create_monitor_ctrl_close(sk); 923 if (skb) { 924 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 925 HCI_SOCK_TRUSTED, NULL); 926 kfree_skb(skb); 927 } 928 929 hci_sock_free_cookie(sk); 930 break; 931 } 932 933 bt_sock_unlink(&hci_sk_list, sk); 934 935 hdev = hci_pi(sk)->hdev; 936 if (hdev) { 937 if (hci_pi(sk)->channel == HCI_CHANNEL_USER && 938 !hci_dev_test_flag(hdev, HCI_UNREGISTER)) { 939 /* When releasing a user channel exclusive access, 940 * call hci_dev_do_close directly instead of calling 941 * hci_dev_close to ensure the exclusive access will 942 * be released and the controller brought back down. 943 * 944 * The checking of HCI_AUTO_OFF is not needed in this 945 * case since it will have been cleared already when 946 * opening the user channel. 947 * 948 * Make sure to also check that we haven't already 949 * unregistered since all the cleanup will have already 950 * been complete and hdev will get released when we put 951 * below. 952 */ 953 hci_dev_do_close(hdev); 954 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 955 mgmt_index_added(hdev); 956 } 957 958 atomic_dec(&hdev->promisc); 959 hci_dev_put(hdev); 960 } 961 962 sock_orphan(sk); 963 release_sock(sk); 964 sock_put(sk); 965 return 0; 966 } 967 968 static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg) 969 { 970 bdaddr_t bdaddr; 971 int err; 972 973 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 974 return -EFAULT; 975 976 hci_dev_lock(hdev); 977 978 err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR); 979 980 hci_dev_unlock(hdev); 981 982 return err; 983 } 984 985 static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg) 986 { 987 bdaddr_t bdaddr; 988 int err; 989 990 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 991 return -EFAULT; 992 993 hci_dev_lock(hdev); 994 995 err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR); 996 997 hci_dev_unlock(hdev); 998 999 return err; 1000 } 1001 1002 /* Ioctls that require bound socket */ 1003 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 1004 unsigned long arg) 1005 { 1006 struct hci_dev *hdev = hci_hdev_from_sock(sk); 1007 1008 if (IS_ERR(hdev)) 1009 return PTR_ERR(hdev); 1010 1011 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 1012 return -EBUSY; 1013 1014 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 1015 return -EOPNOTSUPP; 1016 1017 switch (cmd) { 1018 case HCISETRAW: 1019 if (!capable(CAP_NET_ADMIN)) 1020 return -EPERM; 1021 return -EOPNOTSUPP; 1022 1023 case HCIGETCONNINFO: 1024 return hci_get_conn_info(hdev, (void __user *)arg); 1025 1026 case HCIGETAUTHINFO: 1027 return hci_get_auth_info(hdev, (void __user *)arg); 1028 1029 case HCIBLOCKADDR: 1030 if (!capable(CAP_NET_ADMIN)) 1031 return -EPERM; 1032 return hci_sock_reject_list_add(hdev, (void __user *)arg); 1033 1034 case HCIUNBLOCKADDR: 1035 if (!capable(CAP_NET_ADMIN)) 1036 return -EPERM; 1037 return hci_sock_reject_list_del(hdev, (void __user *)arg); 1038 } 1039 1040 return -ENOIOCTLCMD; 1041 } 1042 1043 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 1044 unsigned long arg) 1045 { 1046 void __user *argp = (void __user *)arg; 1047 struct sock *sk = sock->sk; 1048 int err; 1049 1050 BT_DBG("cmd %x arg %lx", cmd, arg); 1051 1052 /* Make sure the cmd is valid before doing anything */ 1053 switch (cmd) { 1054 case HCIGETDEVLIST: 1055 case HCIGETDEVINFO: 1056 case HCIGETCONNLIST: 1057 case HCIDEVUP: 1058 case HCIDEVDOWN: 1059 case HCIDEVRESET: 1060 case HCIDEVRESTAT: 1061 case HCISETSCAN: 1062 case HCISETAUTH: 1063 case HCISETENCRYPT: 1064 case HCISETPTYPE: 1065 case HCISETLINKPOL: 1066 case HCISETLINKMODE: 1067 case HCISETACLMTU: 1068 case HCISETSCOMTU: 1069 case HCIINQUIRY: 1070 case HCISETRAW: 1071 case HCIGETCONNINFO: 1072 case HCIGETAUTHINFO: 1073 case HCIBLOCKADDR: 1074 case HCIUNBLOCKADDR: 1075 break; 1076 default: 1077 return -ENOIOCTLCMD; 1078 } 1079 1080 lock_sock(sk); 1081 1082 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1083 err = -EBADFD; 1084 goto done; 1085 } 1086 1087 /* When calling an ioctl on an unbound raw socket, then ensure 1088 * that the monitor gets informed. Ensure that the resulting event 1089 * is only send once by checking if the cookie exists or not. The 1090 * socket cookie will be only ever generated once for the lifetime 1091 * of a given socket. 1092 */ 1093 if (hci_sock_gen_cookie(sk)) { 1094 struct sk_buff *skb; 1095 1096 /* Perform careful checks before setting the HCI_SOCK_TRUSTED 1097 * flag. Make sure that not only the current task but also 1098 * the socket opener has the required capability, since 1099 * privileged programs can be tricked into making ioctl calls 1100 * on HCI sockets, and the socket should not be marked as 1101 * trusted simply because the ioctl caller is privileged. 1102 */ 1103 if (sk_capable(sk, CAP_NET_ADMIN)) 1104 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1105 1106 /* Send event to monitor */ 1107 skb = create_monitor_ctrl_open(sk); 1108 if (skb) { 1109 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1110 HCI_SOCK_TRUSTED, NULL); 1111 kfree_skb(skb); 1112 } 1113 } 1114 1115 release_sock(sk); 1116 1117 switch (cmd) { 1118 case HCIGETDEVLIST: 1119 return hci_get_dev_list(argp); 1120 1121 case HCIGETDEVINFO: 1122 return hci_get_dev_info(argp); 1123 1124 case HCIGETCONNLIST: 1125 return hci_get_conn_list(argp); 1126 1127 case HCIDEVUP: 1128 if (!capable(CAP_NET_ADMIN)) 1129 return -EPERM; 1130 return hci_dev_open(arg); 1131 1132 case HCIDEVDOWN: 1133 if (!capable(CAP_NET_ADMIN)) 1134 return -EPERM; 1135 return hci_dev_close(arg); 1136 1137 case HCIDEVRESET: 1138 if (!capable(CAP_NET_ADMIN)) 1139 return -EPERM; 1140 return hci_dev_reset(arg); 1141 1142 case HCIDEVRESTAT: 1143 if (!capable(CAP_NET_ADMIN)) 1144 return -EPERM; 1145 return hci_dev_reset_stat(arg); 1146 1147 case HCISETSCAN: 1148 case HCISETAUTH: 1149 case HCISETENCRYPT: 1150 case HCISETPTYPE: 1151 case HCISETLINKPOL: 1152 case HCISETLINKMODE: 1153 case HCISETACLMTU: 1154 case HCISETSCOMTU: 1155 if (!capable(CAP_NET_ADMIN)) 1156 return -EPERM; 1157 return hci_dev_cmd(cmd, argp); 1158 1159 case HCIINQUIRY: 1160 return hci_inquiry(argp); 1161 } 1162 1163 lock_sock(sk); 1164 1165 err = hci_sock_bound_ioctl(sk, cmd, arg); 1166 1167 done: 1168 release_sock(sk); 1169 return err; 1170 } 1171 1172 #ifdef CONFIG_COMPAT 1173 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd, 1174 unsigned long arg) 1175 { 1176 switch (cmd) { 1177 case HCIDEVUP: 1178 case HCIDEVDOWN: 1179 case HCIDEVRESET: 1180 case HCIDEVRESTAT: 1181 return hci_sock_ioctl(sock, cmd, arg); 1182 } 1183 1184 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); 1185 } 1186 #endif 1187 1188 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, 1189 int addr_len) 1190 { 1191 struct sockaddr_hci haddr; 1192 struct sock *sk = sock->sk; 1193 struct hci_dev *hdev = NULL; 1194 struct sk_buff *skb; 1195 int len, err = 0; 1196 1197 BT_DBG("sock %p sk %p", sock, sk); 1198 1199 if (!addr) 1200 return -EINVAL; 1201 1202 memset(&haddr, 0, sizeof(haddr)); 1203 len = min_t(unsigned int, sizeof(haddr), addr_len); 1204 memcpy(&haddr, addr, len); 1205 1206 if (haddr.hci_family != AF_BLUETOOTH) 1207 return -EINVAL; 1208 1209 lock_sock(sk); 1210 1211 /* Allow detaching from dead device and attaching to alive device, if 1212 * the caller wants to re-bind (instead of close) this socket in 1213 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification. 1214 */ 1215 hdev = hci_pi(sk)->hdev; 1216 if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) { 1217 hci_pi(sk)->hdev = NULL; 1218 sk->sk_state = BT_OPEN; 1219 hci_dev_put(hdev); 1220 } 1221 hdev = NULL; 1222 1223 if (sk->sk_state == BT_BOUND) { 1224 err = -EALREADY; 1225 goto done; 1226 } 1227 1228 switch (haddr.hci_channel) { 1229 case HCI_CHANNEL_RAW: 1230 if (hci_pi(sk)->hdev) { 1231 err = -EALREADY; 1232 goto done; 1233 } 1234 1235 if (haddr.hci_dev != HCI_DEV_NONE) { 1236 hdev = hci_dev_get(haddr.hci_dev); 1237 if (!hdev) { 1238 err = -ENODEV; 1239 goto done; 1240 } 1241 1242 atomic_inc(&hdev->promisc); 1243 } 1244 1245 hci_pi(sk)->channel = haddr.hci_channel; 1246 1247 if (!hci_sock_gen_cookie(sk)) { 1248 /* In the case when a cookie has already been assigned, 1249 * then there has been already an ioctl issued against 1250 * an unbound socket and with that triggered an open 1251 * notification. Send a close notification first to 1252 * allow the state transition to bounded. 1253 */ 1254 skb = create_monitor_ctrl_close(sk); 1255 if (skb) { 1256 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1257 HCI_SOCK_TRUSTED, NULL); 1258 kfree_skb(skb); 1259 } 1260 } 1261 1262 if (capable(CAP_NET_ADMIN)) 1263 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1264 1265 hci_pi(sk)->hdev = hdev; 1266 1267 /* Send event to monitor */ 1268 skb = create_monitor_ctrl_open(sk); 1269 if (skb) { 1270 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1271 HCI_SOCK_TRUSTED, NULL); 1272 kfree_skb(skb); 1273 } 1274 break; 1275 1276 case HCI_CHANNEL_USER: 1277 if (hci_pi(sk)->hdev) { 1278 err = -EALREADY; 1279 goto done; 1280 } 1281 1282 if (haddr.hci_dev == HCI_DEV_NONE) { 1283 err = -EINVAL; 1284 goto done; 1285 } 1286 1287 if (!capable(CAP_NET_ADMIN)) { 1288 err = -EPERM; 1289 goto done; 1290 } 1291 1292 hdev = hci_dev_get(haddr.hci_dev); 1293 if (!hdev) { 1294 err = -ENODEV; 1295 goto done; 1296 } 1297 1298 if (test_bit(HCI_INIT, &hdev->flags) || 1299 hci_dev_test_flag(hdev, HCI_SETUP) || 1300 hci_dev_test_flag(hdev, HCI_CONFIG) || 1301 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) && 1302 test_bit(HCI_UP, &hdev->flags))) { 1303 err = -EBUSY; 1304 hci_dev_put(hdev); 1305 goto done; 1306 } 1307 1308 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) { 1309 err = -EUSERS; 1310 hci_dev_put(hdev); 1311 goto done; 1312 } 1313 1314 hci_dev_lock(hdev); 1315 mgmt_index_removed(hdev); 1316 hci_dev_unlock(hdev); 1317 1318 err = hci_dev_open(hdev->id); 1319 if (err) { 1320 if (err == -EALREADY) { 1321 /* In case the transport is already up and 1322 * running, clear the error here. 1323 * 1324 * This can happen when opening a user 1325 * channel and HCI_AUTO_OFF grace period 1326 * is still active. 1327 */ 1328 err = 0; 1329 } else { 1330 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); 1331 mgmt_index_added(hdev); 1332 hci_dev_put(hdev); 1333 goto done; 1334 } 1335 } 1336 1337 hci_pi(sk)->channel = haddr.hci_channel; 1338 1339 if (!hci_sock_gen_cookie(sk)) { 1340 /* In the case when a cookie has already been assigned, 1341 * this socket will transition from a raw socket into 1342 * a user channel socket. For a clean transition, send 1343 * the close notification first. 1344 */ 1345 skb = create_monitor_ctrl_close(sk); 1346 if (skb) { 1347 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1348 HCI_SOCK_TRUSTED, NULL); 1349 kfree_skb(skb); 1350 } 1351 } 1352 1353 /* The user channel is restricted to CAP_NET_ADMIN 1354 * capabilities and with that implicitly trusted. 1355 */ 1356 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1357 1358 hci_pi(sk)->hdev = hdev; 1359 1360 /* Send event to monitor */ 1361 skb = create_monitor_ctrl_open(sk); 1362 if (skb) { 1363 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1364 HCI_SOCK_TRUSTED, NULL); 1365 kfree_skb(skb); 1366 } 1367 1368 atomic_inc(&hdev->promisc); 1369 break; 1370 1371 case HCI_CHANNEL_MONITOR: 1372 if (haddr.hci_dev != HCI_DEV_NONE) { 1373 err = -EINVAL; 1374 goto done; 1375 } 1376 1377 if (!capable(CAP_NET_RAW)) { 1378 err = -EPERM; 1379 goto done; 1380 } 1381 1382 hci_pi(sk)->channel = haddr.hci_channel; 1383 1384 /* The monitor interface is restricted to CAP_NET_RAW 1385 * capabilities and with that implicitly trusted. 1386 */ 1387 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1388 1389 send_monitor_note(sk, "Linux version %s (%s)", 1390 init_utsname()->release, 1391 init_utsname()->machine); 1392 send_monitor_note(sk, "Bluetooth subsystem version %u.%u", 1393 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION); 1394 send_monitor_replay(sk); 1395 send_monitor_control_replay(sk); 1396 1397 atomic_inc(&monitor_promisc); 1398 break; 1399 1400 case HCI_CHANNEL_LOGGING: 1401 if (haddr.hci_dev != HCI_DEV_NONE) { 1402 err = -EINVAL; 1403 goto done; 1404 } 1405 1406 if (!capable(CAP_NET_ADMIN)) { 1407 err = -EPERM; 1408 goto done; 1409 } 1410 1411 hci_pi(sk)->channel = haddr.hci_channel; 1412 break; 1413 1414 default: 1415 if (!hci_mgmt_chan_find(haddr.hci_channel)) { 1416 err = -EINVAL; 1417 goto done; 1418 } 1419 1420 if (haddr.hci_dev != HCI_DEV_NONE) { 1421 err = -EINVAL; 1422 goto done; 1423 } 1424 1425 /* Users with CAP_NET_ADMIN capabilities are allowed 1426 * access to all management commands and events. For 1427 * untrusted users the interface is restricted and 1428 * also only untrusted events are sent. 1429 */ 1430 if (capable(CAP_NET_ADMIN)) 1431 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); 1432 1433 hci_pi(sk)->channel = haddr.hci_channel; 1434 1435 /* At the moment the index and unconfigured index events 1436 * are enabled unconditionally. Setting them on each 1437 * socket when binding keeps this functionality. They 1438 * however might be cleared later and then sending of these 1439 * events will be disabled, but that is then intentional. 1440 * 1441 * This also enables generic events that are safe to be 1442 * received by untrusted users. Example for such events 1443 * are changes to settings, class of device, name etc. 1444 */ 1445 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { 1446 if (!hci_sock_gen_cookie(sk)) { 1447 /* In the case when a cookie has already been 1448 * assigned, this socket will transition from 1449 * a raw socket into a control socket. To 1450 * allow for a clean transition, send the 1451 * close notification first. 1452 */ 1453 skb = create_monitor_ctrl_close(sk); 1454 if (skb) { 1455 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1456 HCI_SOCK_TRUSTED, NULL); 1457 kfree_skb(skb); 1458 } 1459 } 1460 1461 /* Send event to monitor */ 1462 skb = create_monitor_ctrl_open(sk); 1463 if (skb) { 1464 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, 1465 HCI_SOCK_TRUSTED, NULL); 1466 kfree_skb(skb); 1467 } 1468 1469 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS); 1470 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS); 1471 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS); 1472 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS); 1473 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS); 1474 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS); 1475 } 1476 break; 1477 } 1478 1479 /* Default MTU to HCI_MAX_FRAME_SIZE if not set */ 1480 if (!hci_pi(sk)->mtu) 1481 hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE; 1482 1483 sk->sk_state = BT_BOUND; 1484 1485 done: 1486 release_sock(sk); 1487 return err; 1488 } 1489 1490 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, 1491 int peer) 1492 { 1493 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr; 1494 struct sock *sk = sock->sk; 1495 struct hci_dev *hdev; 1496 int err = 0; 1497 1498 BT_DBG("sock %p sk %p", sock, sk); 1499 1500 if (peer) 1501 return -EOPNOTSUPP; 1502 1503 lock_sock(sk); 1504 1505 hdev = hci_hdev_from_sock(sk); 1506 if (IS_ERR(hdev)) { 1507 err = PTR_ERR(hdev); 1508 goto done; 1509 } 1510 1511 haddr->hci_family = AF_BLUETOOTH; 1512 haddr->hci_dev = hdev->id; 1513 haddr->hci_channel= hci_pi(sk)->channel; 1514 err = sizeof(*haddr); 1515 1516 done: 1517 release_sock(sk); 1518 return err; 1519 } 1520 1521 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, 1522 struct sk_buff *skb) 1523 { 1524 __u8 mask = hci_pi(sk)->cmsg_mask; 1525 1526 if (mask & HCI_CMSG_DIR) { 1527 int incoming = bt_cb(skb)->incoming; 1528 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), 1529 &incoming); 1530 } 1531 1532 if (mask & HCI_CMSG_TSTAMP) { 1533 #ifdef CONFIG_COMPAT 1534 struct old_timeval32 ctv; 1535 #endif 1536 struct __kernel_old_timeval tv; 1537 void *data; 1538 int len; 1539 1540 skb_get_timestamp(skb, &tv); 1541 1542 data = &tv; 1543 len = sizeof(tv); 1544 #ifdef CONFIG_COMPAT 1545 if (!COMPAT_USE_64BIT_TIME && 1546 (msg->msg_flags & MSG_CMSG_COMPAT)) { 1547 ctv.tv_sec = tv.tv_sec; 1548 ctv.tv_usec = tv.tv_usec; 1549 data = &ctv; 1550 len = sizeof(ctv); 1551 } 1552 #endif 1553 1554 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 1555 } 1556 } 1557 1558 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1559 size_t len, int flags) 1560 { 1561 struct scm_cookie scm; 1562 struct sock *sk = sock->sk; 1563 struct sk_buff *skb; 1564 int copied, err; 1565 unsigned int skblen; 1566 1567 BT_DBG("sock %p, sk %p", sock, sk); 1568 1569 if (flags & MSG_OOB) 1570 return -EOPNOTSUPP; 1571 1572 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING) 1573 return -EOPNOTSUPP; 1574 1575 if (sk->sk_state == BT_CLOSED) 1576 return 0; 1577 1578 skb = skb_recv_datagram(sk, flags, &err); 1579 if (!skb) 1580 return err; 1581 1582 skblen = skb->len; 1583 copied = skb->len; 1584 if (len < copied) { 1585 msg->msg_flags |= MSG_TRUNC; 1586 copied = len; 1587 } 1588 1589 skb_reset_transport_header(skb); 1590 err = skb_copy_datagram_msg(skb, 0, msg, copied); 1591 1592 switch (hci_pi(sk)->channel) { 1593 case HCI_CHANNEL_RAW: 1594 hci_sock_cmsg(sk, msg, skb); 1595 break; 1596 case HCI_CHANNEL_USER: 1597 case HCI_CHANNEL_MONITOR: 1598 sock_recv_timestamp(msg, sk, skb); 1599 break; 1600 default: 1601 if (hci_mgmt_chan_find(hci_pi(sk)->channel)) 1602 sock_recv_timestamp(msg, sk, skb); 1603 break; 1604 } 1605 1606 memset(&scm, 0, sizeof(scm)); 1607 scm.creds = bt_cb(skb)->creds; 1608 1609 skb_free_datagram(sk, skb); 1610 1611 if (flags & MSG_TRUNC) 1612 copied = skblen; 1613 1614 scm_recv(sock, msg, &scm, flags); 1615 1616 return err ? : copied; 1617 } 1618 1619 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk, 1620 struct sk_buff *skb) 1621 { 1622 u8 *cp; 1623 struct mgmt_hdr *hdr; 1624 u16 opcode, index, len; 1625 struct hci_dev *hdev = NULL; 1626 const struct hci_mgmt_handler *handler; 1627 bool var_len, no_hdev; 1628 int err; 1629 1630 BT_DBG("got %d bytes", skb->len); 1631 1632 if (skb->len < sizeof(*hdr)) 1633 return -EINVAL; 1634 1635 hdr = (void *)skb->data; 1636 opcode = __le16_to_cpu(hdr->opcode); 1637 index = __le16_to_cpu(hdr->index); 1638 len = __le16_to_cpu(hdr->len); 1639 1640 if (len != skb->len - sizeof(*hdr)) { 1641 err = -EINVAL; 1642 goto done; 1643 } 1644 1645 if (chan->channel == HCI_CHANNEL_CONTROL) { 1646 struct sk_buff *cmd; 1647 1648 /* Send event to monitor */ 1649 cmd = create_monitor_ctrl_command(sk, index, opcode, len, 1650 skb->data + sizeof(*hdr)); 1651 if (cmd) { 1652 hci_send_to_channel(HCI_CHANNEL_MONITOR, cmd, 1653 HCI_SOCK_TRUSTED, NULL); 1654 kfree_skb(cmd); 1655 } 1656 } 1657 1658 if (opcode >= chan->handler_count || 1659 chan->handlers[opcode].func == NULL) { 1660 BT_DBG("Unknown op %u", opcode); 1661 err = mgmt_cmd_status(sk, index, opcode, 1662 MGMT_STATUS_UNKNOWN_COMMAND); 1663 goto done; 1664 } 1665 1666 handler = &chan->handlers[opcode]; 1667 1668 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) && 1669 !(handler->flags & HCI_MGMT_UNTRUSTED)) { 1670 err = mgmt_cmd_status(sk, index, opcode, 1671 MGMT_STATUS_PERMISSION_DENIED); 1672 goto done; 1673 } 1674 1675 if (index != MGMT_INDEX_NONE) { 1676 hdev = hci_dev_get(index); 1677 if (!hdev) { 1678 err = mgmt_cmd_status(sk, index, opcode, 1679 MGMT_STATUS_INVALID_INDEX); 1680 goto done; 1681 } 1682 1683 if (hci_dev_test_flag(hdev, HCI_SETUP) || 1684 hci_dev_test_flag(hdev, HCI_CONFIG) || 1685 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 1686 err = mgmt_cmd_status(sk, index, opcode, 1687 MGMT_STATUS_INVALID_INDEX); 1688 goto done; 1689 } 1690 1691 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && 1692 !(handler->flags & HCI_MGMT_UNCONFIGURED)) { 1693 err = mgmt_cmd_status(sk, index, opcode, 1694 MGMT_STATUS_INVALID_INDEX); 1695 goto done; 1696 } 1697 } 1698 1699 if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) { 1700 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV); 1701 if (no_hdev != !hdev) { 1702 err = mgmt_cmd_status(sk, index, opcode, 1703 MGMT_STATUS_INVALID_INDEX); 1704 goto done; 1705 } 1706 } 1707 1708 var_len = (handler->flags & HCI_MGMT_VAR_LEN); 1709 if ((var_len && len < handler->data_len) || 1710 (!var_len && len != handler->data_len)) { 1711 err = mgmt_cmd_status(sk, index, opcode, 1712 MGMT_STATUS_INVALID_PARAMS); 1713 goto done; 1714 } 1715 1716 if (hdev && chan->hdev_init) 1717 chan->hdev_init(sk, hdev); 1718 1719 cp = skb->data + sizeof(*hdr); 1720 1721 err = handler->func(sk, hdev, cp, len); 1722 if (err < 0) 1723 goto done; 1724 1725 err = skb->len; 1726 1727 done: 1728 if (hdev) 1729 hci_dev_put(hdev); 1730 1731 return err; 1732 } 1733 1734 static int hci_logging_frame(struct sock *sk, struct sk_buff *skb, 1735 unsigned int flags) 1736 { 1737 struct hci_mon_hdr *hdr; 1738 struct hci_dev *hdev; 1739 u16 index; 1740 int err; 1741 1742 /* The logging frame consists at minimum of the standard header, 1743 * the priority byte, the ident length byte and at least one string 1744 * terminator NUL byte. Anything shorter are invalid packets. 1745 */ 1746 if (skb->len < sizeof(*hdr) + 3) 1747 return -EINVAL; 1748 1749 hdr = (void *)skb->data; 1750 1751 if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr)) 1752 return -EINVAL; 1753 1754 if (__le16_to_cpu(hdr->opcode) == 0x0000) { 1755 __u8 priority = skb->data[sizeof(*hdr)]; 1756 __u8 ident_len = skb->data[sizeof(*hdr) + 1]; 1757 1758 /* Only the priorities 0-7 are valid and with that any other 1759 * value results in an invalid packet. 1760 * 1761 * The priority byte is followed by an ident length byte and 1762 * the NUL terminated ident string. Check that the ident 1763 * length is not overflowing the packet and also that the 1764 * ident string itself is NUL terminated. In case the ident 1765 * length is zero, the length value actually doubles as NUL 1766 * terminator identifier. 1767 * 1768 * The message follows the ident string (if present) and 1769 * must be NUL terminated. Otherwise it is not a valid packet. 1770 */ 1771 if (priority > 7 || skb->data[skb->len - 1] != 0x00 || 1772 ident_len > skb->len - sizeof(*hdr) - 3 || 1773 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) 1774 return -EINVAL; 1775 } else { 1776 return -EINVAL; 1777 } 1778 1779 index = __le16_to_cpu(hdr->index); 1780 1781 if (index != MGMT_INDEX_NONE) { 1782 hdev = hci_dev_get(index); 1783 if (!hdev) 1784 return -ENODEV; 1785 } else { 1786 hdev = NULL; 1787 } 1788 1789 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING); 1790 1791 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL); 1792 err = skb->len; 1793 1794 if (hdev) 1795 hci_dev_put(hdev); 1796 1797 return err; 1798 } 1799 1800 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1801 size_t len) 1802 { 1803 struct sock *sk = sock->sk; 1804 struct hci_mgmt_chan *chan; 1805 struct hci_dev *hdev; 1806 struct sk_buff *skb; 1807 int err; 1808 const unsigned int flags = msg->msg_flags; 1809 1810 BT_DBG("sock %p sk %p", sock, sk); 1811 1812 if (flags & MSG_OOB) 1813 return -EOPNOTSUPP; 1814 1815 if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT)) 1816 return -EINVAL; 1817 1818 if (len < 4 || len > hci_pi(sk)->mtu) 1819 return -EINVAL; 1820 1821 skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0); 1822 if (IS_ERR(skb)) 1823 return PTR_ERR(skb); 1824 1825 lock_sock(sk); 1826 1827 switch (hci_pi(sk)->channel) { 1828 case HCI_CHANNEL_RAW: 1829 case HCI_CHANNEL_USER: 1830 break; 1831 case HCI_CHANNEL_MONITOR: 1832 err = -EOPNOTSUPP; 1833 goto drop; 1834 case HCI_CHANNEL_LOGGING: 1835 err = hci_logging_frame(sk, skb, flags); 1836 goto drop; 1837 default: 1838 mutex_lock(&mgmt_chan_list_lock); 1839 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel); 1840 if (chan) 1841 err = hci_mgmt_cmd(chan, sk, skb); 1842 else 1843 err = -EINVAL; 1844 1845 mutex_unlock(&mgmt_chan_list_lock); 1846 goto drop; 1847 } 1848 1849 hdev = hci_hdev_from_sock(sk); 1850 if (IS_ERR(hdev)) { 1851 err = PTR_ERR(hdev); 1852 goto drop; 1853 } 1854 1855 if (!test_bit(HCI_UP, &hdev->flags)) { 1856 err = -ENETDOWN; 1857 goto drop; 1858 } 1859 1860 hci_skb_pkt_type(skb) = skb->data[0]; 1861 skb_pull(skb, 1); 1862 1863 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 1864 /* No permission check is needed for user channel 1865 * since that gets enforced when binding the socket. 1866 * 1867 * However check that the packet type is valid. 1868 */ 1869 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && 1870 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 1871 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 1872 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT && 1873 hci_skb_pkt_type(skb) != HCI_DRV_PKT) { 1874 err = -EINVAL; 1875 goto drop; 1876 } 1877 1878 skb_queue_tail(&hdev->raw_q, skb); 1879 queue_work(hdev->workqueue, &hdev->tx_work); 1880 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) { 1881 u16 opcode = get_unaligned_le16(skb->data); 1882 u16 ogf = hci_opcode_ogf(opcode); 1883 u16 ocf = hci_opcode_ocf(opcode); 1884 1885 if (((ogf > HCI_SFLT_MAX_OGF) || 1886 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, 1887 &hci_sec_filter.ocf_mask[ogf])) && 1888 !capable(CAP_NET_RAW)) { 1889 err = -EPERM; 1890 goto drop; 1891 } 1892 1893 /* Since the opcode has already been extracted here, store 1894 * a copy of the value for later use by the drivers. 1895 */ 1896 hci_skb_opcode(skb) = opcode; 1897 1898 if (ogf == 0x3f) { 1899 skb_queue_tail(&hdev->raw_q, skb); 1900 queue_work(hdev->workqueue, &hdev->tx_work); 1901 } else { 1902 /* Stand-alone HCI commands must be flagged as 1903 * single-command requests. 1904 */ 1905 bt_cb(skb)->hci.req_flags |= HCI_REQ_START; 1906 1907 skb_queue_tail(&hdev->cmd_q, skb); 1908 queue_work(hdev->workqueue, &hdev->cmd_work); 1909 } 1910 } else { 1911 if (!capable(CAP_NET_RAW)) { 1912 err = -EPERM; 1913 goto drop; 1914 } 1915 1916 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && 1917 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && 1918 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) { 1919 err = -EINVAL; 1920 goto drop; 1921 } 1922 1923 skb_queue_tail(&hdev->raw_q, skb); 1924 queue_work(hdev->workqueue, &hdev->tx_work); 1925 } 1926 1927 err = len; 1928 1929 done: 1930 release_sock(sk); 1931 return err; 1932 1933 drop: 1934 kfree_skb(skb); 1935 goto done; 1936 } 1937 1938 static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, 1939 sockptr_t optval, unsigned int optlen) 1940 { 1941 struct hci_ufilter uf = { .opcode = 0 }; 1942 struct sock *sk = sock->sk; 1943 int err = 0, opt = 0; 1944 1945 BT_DBG("sk %p, opt %d", sk, optname); 1946 1947 lock_sock(sk); 1948 1949 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1950 err = -EBADFD; 1951 goto done; 1952 } 1953 1954 switch (optname) { 1955 case HCI_DATA_DIR: 1956 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1957 if (err) 1958 break; 1959 1960 if (opt) 1961 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 1962 else 1963 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 1964 break; 1965 1966 case HCI_TIME_STAMP: 1967 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1968 if (err) 1969 break; 1970 1971 if (opt) 1972 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 1973 else 1974 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 1975 break; 1976 1977 case HCI_FILTER: 1978 { 1979 struct hci_filter *f = &hci_pi(sk)->filter; 1980 1981 uf.type_mask = f->type_mask; 1982 uf.opcode = f->opcode; 1983 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1984 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1985 } 1986 1987 err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen); 1988 if (err) 1989 break; 1990 1991 if (!capable(CAP_NET_RAW)) { 1992 uf.type_mask &= hci_sec_filter.type_mask; 1993 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 1994 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 1995 } 1996 1997 { 1998 struct hci_filter *f = &hci_pi(sk)->filter; 1999 2000 f->type_mask = uf.type_mask; 2001 f->opcode = uf.opcode; 2002 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 2003 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 2004 } 2005 break; 2006 2007 default: 2008 err = -ENOPROTOOPT; 2009 break; 2010 } 2011 2012 done: 2013 release_sock(sk); 2014 return err; 2015 } 2016 2017 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 2018 sockptr_t optval, unsigned int optlen) 2019 { 2020 struct sock *sk = sock->sk; 2021 int err = 0; 2022 u16 opt; 2023 2024 BT_DBG("sk %p, opt %d", sk, optname); 2025 2026 if (level == SOL_HCI) 2027 return hci_sock_setsockopt_old(sock, level, optname, optval, 2028 optlen); 2029 2030 if (level != SOL_BLUETOOTH) 2031 return -ENOPROTOOPT; 2032 2033 lock_sock(sk); 2034 2035 switch (optname) { 2036 case BT_SNDMTU: 2037 case BT_RCVMTU: 2038 switch (hci_pi(sk)->channel) { 2039 /* Don't allow changing MTU for channels that are meant for HCI 2040 * traffic only. 2041 */ 2042 case HCI_CHANNEL_RAW: 2043 case HCI_CHANNEL_USER: 2044 err = -ENOPROTOOPT; 2045 goto done; 2046 } 2047 2048 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 2049 if (err) 2050 break; 2051 2052 hci_pi(sk)->mtu = opt; 2053 break; 2054 2055 default: 2056 err = -ENOPROTOOPT; 2057 break; 2058 } 2059 2060 done: 2061 release_sock(sk); 2062 return err; 2063 } 2064 2065 static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname, 2066 char __user *optval, int __user *optlen) 2067 { 2068 struct hci_ufilter uf; 2069 struct sock *sk = sock->sk; 2070 int len, opt, err = 0; 2071 2072 BT_DBG("sk %p, opt %d", sk, optname); 2073 2074 if (get_user(len, optlen)) 2075 return -EFAULT; 2076 2077 lock_sock(sk); 2078 2079 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 2080 err = -EBADFD; 2081 goto done; 2082 } 2083 2084 switch (optname) { 2085 case HCI_DATA_DIR: 2086 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 2087 opt = 1; 2088 else 2089 opt = 0; 2090 2091 if (put_user(opt, optval)) 2092 err = -EFAULT; 2093 break; 2094 2095 case HCI_TIME_STAMP: 2096 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 2097 opt = 1; 2098 else 2099 opt = 0; 2100 2101 if (put_user(opt, optval)) 2102 err = -EFAULT; 2103 break; 2104 2105 case HCI_FILTER: 2106 { 2107 struct hci_filter *f = &hci_pi(sk)->filter; 2108 2109 memset(&uf, 0, sizeof(uf)); 2110 uf.type_mask = f->type_mask; 2111 uf.opcode = f->opcode; 2112 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 2113 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 2114 } 2115 2116 len = min_t(unsigned int, len, sizeof(uf)); 2117 if (copy_to_user(optval, &uf, len)) 2118 err = -EFAULT; 2119 break; 2120 2121 default: 2122 err = -ENOPROTOOPT; 2123 break; 2124 } 2125 2126 done: 2127 release_sock(sk); 2128 return err; 2129 } 2130 2131 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, 2132 char __user *optval, int __user *optlen) 2133 { 2134 struct sock *sk = sock->sk; 2135 int err = 0; 2136 2137 BT_DBG("sk %p, opt %d", sk, optname); 2138 2139 if (level == SOL_HCI) 2140 return hci_sock_getsockopt_old(sock, level, optname, optval, 2141 optlen); 2142 2143 if (level != SOL_BLUETOOTH) 2144 return -ENOPROTOOPT; 2145 2146 lock_sock(sk); 2147 2148 switch (optname) { 2149 case BT_SNDMTU: 2150 case BT_RCVMTU: 2151 if (put_user(hci_pi(sk)->mtu, (u16 __user *)optval)) 2152 err = -EFAULT; 2153 break; 2154 2155 default: 2156 err = -ENOPROTOOPT; 2157 break; 2158 } 2159 2160 release_sock(sk); 2161 return err; 2162 } 2163 2164 static void hci_sock_destruct(struct sock *sk) 2165 { 2166 mgmt_cleanup(sk); 2167 skb_queue_purge(&sk->sk_receive_queue); 2168 skb_queue_purge(&sk->sk_write_queue); 2169 } 2170 2171 static const struct proto_ops hci_sock_ops = { 2172 .family = PF_BLUETOOTH, 2173 .owner = THIS_MODULE, 2174 .release = hci_sock_release, 2175 .bind = hci_sock_bind, 2176 .getname = hci_sock_getname, 2177 .sendmsg = hci_sock_sendmsg, 2178 .recvmsg = hci_sock_recvmsg, 2179 .ioctl = hci_sock_ioctl, 2180 #ifdef CONFIG_COMPAT 2181 .compat_ioctl = hci_sock_compat_ioctl, 2182 #endif 2183 .poll = datagram_poll, 2184 .listen = sock_no_listen, 2185 .shutdown = sock_no_shutdown, 2186 .setsockopt = hci_sock_setsockopt, 2187 .getsockopt = hci_sock_getsockopt, 2188 .connect = sock_no_connect, 2189 .socketpair = sock_no_socketpair, 2190 .accept = sock_no_accept, 2191 .mmap = sock_no_mmap 2192 }; 2193 2194 static struct proto hci_sk_proto = { 2195 .name = "HCI", 2196 .owner = THIS_MODULE, 2197 .obj_size = sizeof(struct hci_pinfo) 2198 }; 2199 2200 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 2201 int kern) 2202 { 2203 struct sock *sk; 2204 2205 BT_DBG("sock %p", sock); 2206 2207 if (sock->type != SOCK_RAW) 2208 return -ESOCKTNOSUPPORT; 2209 2210 sock->ops = &hci_sock_ops; 2211 2212 sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC, 2213 kern); 2214 if (!sk) 2215 return -ENOMEM; 2216 2217 sock->state = SS_UNCONNECTED; 2218 sk->sk_destruct = hci_sock_destruct; 2219 2220 bt_sock_link(&hci_sk_list, sk); 2221 return 0; 2222 } 2223 2224 static const struct net_proto_family hci_sock_family_ops = { 2225 .family = PF_BLUETOOTH, 2226 .owner = THIS_MODULE, 2227 .create = hci_sock_create, 2228 }; 2229 2230 int __init hci_sock_init(void) 2231 { 2232 int err; 2233 2234 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr)); 2235 2236 err = proto_register(&hci_sk_proto, 0); 2237 if (err < 0) 2238 return err; 2239 2240 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 2241 if (err < 0) { 2242 BT_ERR("HCI socket registration failed"); 2243 goto error; 2244 } 2245 2246 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); 2247 if (err < 0) { 2248 BT_ERR("Failed to create HCI proc file"); 2249 bt_sock_unregister(BTPROTO_HCI); 2250 goto error; 2251 } 2252 2253 BT_INFO("HCI socket layer initialized"); 2254 2255 return 0; 2256 2257 error: 2258 proto_unregister(&hci_sk_proto); 2259 return err; 2260 } 2261 2262 void hci_sock_cleanup(void) 2263 { 2264 bt_procfs_cleanup(&init_net, "hci"); 2265 bt_sock_unregister(BTPROTO_HCI); 2266 proto_unregister(&hci_sk_proto); 2267 } 2268