1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 27 #include <linux/module.h> 28 29 #include <linux/types.h> 30 #include <linux/capability.h> 31 #include <linux/errno.h> 32 #include <linux/kernel.h> 33 #include <linux/slab.h> 34 #include <linux/poll.h> 35 #include <linux/fcntl.h> 36 #include <linux/init.h> 37 #include <linux/skbuff.h> 38 #include <linux/workqueue.h> 39 #include <linux/interrupt.h> 40 #include <linux/compat.h> 41 #include <linux/socket.h> 42 #include <linux/ioctl.h> 43 #include <net/sock.h> 44 45 #include <asm/system.h> 46 #include <asm/uaccess.h> 47 #include <asm/unaligned.h> 48 49 #include <net/bluetooth/bluetooth.h> 50 #include <net/bluetooth/hci_core.h> 51 52 /* ----- HCI socket interface ----- */ 53 54 static inline int hci_test_bit(int nr, void *addr) 55 { 56 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 57 } 58 59 /* Security filter */ 60 static struct hci_sec_filter hci_sec_filter = { 61 /* Packet types */ 62 0x10, 63 /* Events */ 64 { 0x1000d9fe, 0x0000b00c }, 65 /* Commands */ 66 { 67 { 0x0 }, 68 /* OGF_LINK_CTL */ 69 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 70 /* OGF_LINK_POLICY */ 71 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 72 /* OGF_HOST_CTL */ 73 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 74 /* OGF_INFO_PARAM */ 75 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 76 /* OGF_STATUS_PARAM */ 77 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 78 } 79 }; 80 81 static struct bt_sock_list hci_sk_list = { 82 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 83 }; 84 85 /* Send frame to RAW socket */ 86 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 87 { 88 struct sock *sk; 89 struct hlist_node *node; 90 91 BT_DBG("hdev %p len %d", hdev, skb->len); 92 93 read_lock(&hci_sk_list.lock); 94 sk_for_each(sk, node, &hci_sk_list.head) { 95 struct hci_filter *flt; 96 struct sk_buff *nskb; 97 98 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 99 continue; 100 101 /* Don't send frame to the socket it came from */ 102 if (skb->sk == sk) 103 continue; 104 105 /* Apply filter */ 106 flt = &hci_pi(sk)->filter; 107 108 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ? 109 0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS), &flt->type_mask)) 110 continue; 111 112 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) { 113 register int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 114 115 if (!hci_test_bit(evt, &flt->event_mask)) 116 continue; 117 118 if (flt->opcode && 119 ((evt == HCI_EV_CMD_COMPLETE && 120 flt->opcode != 121 get_unaligned((__le16 *)(skb->data + 3))) || 122 (evt == HCI_EV_CMD_STATUS && 123 flt->opcode != 124 get_unaligned((__le16 *)(skb->data + 4))))) 125 continue; 126 } 127 128 if (!(nskb = skb_clone(skb, GFP_ATOMIC))) 129 continue; 130 131 /* Put type byte before the data */ 132 memcpy(skb_push(nskb, 1), &bt_cb(nskb)->pkt_type, 1); 133 134 if (sock_queue_rcv_skb(sk, nskb)) 135 kfree_skb(nskb); 136 } 137 read_unlock(&hci_sk_list.lock); 138 } 139 140 static int hci_sock_release(struct socket *sock) 141 { 142 struct sock *sk = sock->sk; 143 struct hci_dev *hdev; 144 145 BT_DBG("sock %p sk %p", sock, sk); 146 147 if (!sk) 148 return 0; 149 150 hdev = hci_pi(sk)->hdev; 151 152 bt_sock_unlink(&hci_sk_list, sk); 153 154 if (hdev) { 155 atomic_dec(&hdev->promisc); 156 hci_dev_put(hdev); 157 } 158 159 sock_orphan(sk); 160 161 skb_queue_purge(&sk->sk_receive_queue); 162 skb_queue_purge(&sk->sk_write_queue); 163 164 sock_put(sk); 165 return 0; 166 } 167 168 /* Ioctls that require bound socket */ 169 static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg) 170 { 171 struct hci_dev *hdev = hci_pi(sk)->hdev; 172 173 if (!hdev) 174 return -EBADFD; 175 176 switch (cmd) { 177 case HCISETRAW: 178 if (!capable(CAP_NET_ADMIN)) 179 return -EACCES; 180 181 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 182 return -EPERM; 183 184 if (arg) 185 set_bit(HCI_RAW, &hdev->flags); 186 else 187 clear_bit(HCI_RAW, &hdev->flags); 188 189 return 0; 190 191 case HCIGETCONNINFO: 192 return hci_get_conn_info(hdev, (void __user *) arg); 193 194 case HCIGETAUTHINFO: 195 return hci_get_auth_info(hdev, (void __user *) arg); 196 197 default: 198 if (hdev->ioctl) 199 return hdev->ioctl(hdev, cmd, arg); 200 return -EINVAL; 201 } 202 } 203 204 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 205 { 206 struct sock *sk = sock->sk; 207 void __user *argp = (void __user *) arg; 208 int err; 209 210 BT_DBG("cmd %x arg %lx", cmd, arg); 211 212 switch (cmd) { 213 case HCIGETDEVLIST: 214 return hci_get_dev_list(argp); 215 216 case HCIGETDEVINFO: 217 return hci_get_dev_info(argp); 218 219 case HCIGETCONNLIST: 220 return hci_get_conn_list(argp); 221 222 case HCIDEVUP: 223 if (!capable(CAP_NET_ADMIN)) 224 return -EACCES; 225 return hci_dev_open(arg); 226 227 case HCIDEVDOWN: 228 if (!capable(CAP_NET_ADMIN)) 229 return -EACCES; 230 return hci_dev_close(arg); 231 232 case HCIDEVRESET: 233 if (!capable(CAP_NET_ADMIN)) 234 return -EACCES; 235 return hci_dev_reset(arg); 236 237 case HCIDEVRESTAT: 238 if (!capable(CAP_NET_ADMIN)) 239 return -EACCES; 240 return hci_dev_reset_stat(arg); 241 242 case HCISETSCAN: 243 case HCISETAUTH: 244 case HCISETENCRYPT: 245 case HCISETPTYPE: 246 case HCISETLINKPOL: 247 case HCISETLINKMODE: 248 case HCISETACLMTU: 249 case HCISETSCOMTU: 250 if (!capable(CAP_NET_ADMIN)) 251 return -EACCES; 252 return hci_dev_cmd(cmd, argp); 253 254 case HCIINQUIRY: 255 return hci_inquiry(argp); 256 257 default: 258 lock_sock(sk); 259 err = hci_sock_bound_ioctl(sk, cmd, arg); 260 release_sock(sk); 261 return err; 262 } 263 } 264 265 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 266 { 267 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 268 struct sock *sk = sock->sk; 269 struct hci_dev *hdev = NULL; 270 int err = 0; 271 272 BT_DBG("sock %p sk %p", sock, sk); 273 274 if (!haddr || haddr->hci_family != AF_BLUETOOTH) 275 return -EINVAL; 276 277 lock_sock(sk); 278 279 if (hci_pi(sk)->hdev) { 280 err = -EALREADY; 281 goto done; 282 } 283 284 if (haddr->hci_dev != HCI_DEV_NONE) { 285 if (!(hdev = hci_dev_get(haddr->hci_dev))) { 286 err = -ENODEV; 287 goto done; 288 } 289 290 atomic_inc(&hdev->promisc); 291 } 292 293 hci_pi(sk)->hdev = hdev; 294 sk->sk_state = BT_BOUND; 295 296 done: 297 release_sock(sk); 298 return err; 299 } 300 301 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *addr_len, int peer) 302 { 303 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 304 struct sock *sk = sock->sk; 305 struct hci_dev *hdev = hci_pi(sk)->hdev; 306 307 BT_DBG("sock %p sk %p", sock, sk); 308 309 if (!hdev) 310 return -EBADFD; 311 312 lock_sock(sk); 313 314 *addr_len = sizeof(*haddr); 315 haddr->hci_family = AF_BLUETOOTH; 316 haddr->hci_dev = hdev->id; 317 318 release_sock(sk); 319 return 0; 320 } 321 322 static inline void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, struct sk_buff *skb) 323 { 324 __u32 mask = hci_pi(sk)->cmsg_mask; 325 326 if (mask & HCI_CMSG_DIR) { 327 int incoming = bt_cb(skb)->incoming; 328 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), &incoming); 329 } 330 331 if (mask & HCI_CMSG_TSTAMP) { 332 struct timeval tv; 333 void *data; 334 int len; 335 336 skb_get_timestamp(skb, &tv); 337 338 data = &tv; 339 len = sizeof(tv); 340 #ifdef CONFIG_COMPAT 341 if (msg->msg_flags & MSG_CMSG_COMPAT) { 342 struct compat_timeval ctv; 343 ctv.tv_sec = tv.tv_sec; 344 ctv.tv_usec = tv.tv_usec; 345 data = &ctv; 346 len = sizeof(ctv); 347 } 348 #endif 349 350 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 351 } 352 } 353 354 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 355 struct msghdr *msg, size_t len, int flags) 356 { 357 int noblock = flags & MSG_DONTWAIT; 358 struct sock *sk = sock->sk; 359 struct sk_buff *skb; 360 int copied, err; 361 362 BT_DBG("sock %p, sk %p", sock, sk); 363 364 if (flags & (MSG_OOB)) 365 return -EOPNOTSUPP; 366 367 if (sk->sk_state == BT_CLOSED) 368 return 0; 369 370 if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) 371 return err; 372 373 msg->msg_namelen = 0; 374 375 copied = skb->len; 376 if (len < copied) { 377 msg->msg_flags |= MSG_TRUNC; 378 copied = len; 379 } 380 381 skb_reset_transport_header(skb); 382 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 383 384 hci_sock_cmsg(sk, msg, skb); 385 386 skb_free_datagram(sk, skb); 387 388 return err ? : copied; 389 } 390 391 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 392 struct msghdr *msg, size_t len) 393 { 394 struct sock *sk = sock->sk; 395 struct hci_dev *hdev; 396 struct sk_buff *skb; 397 int err; 398 399 BT_DBG("sock %p sk %p", sock, sk); 400 401 if (msg->msg_flags & MSG_OOB) 402 return -EOPNOTSUPP; 403 404 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 405 return -EINVAL; 406 407 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 408 return -EINVAL; 409 410 lock_sock(sk); 411 412 if (!(hdev = hci_pi(sk)->hdev)) { 413 err = -EBADFD; 414 goto done; 415 } 416 417 if (!(skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err))) 418 goto done; 419 420 if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) { 421 err = -EFAULT; 422 goto drop; 423 } 424 425 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); 426 skb_pull(skb, 1); 427 skb->dev = (void *) hdev; 428 429 if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { 430 u16 opcode = get_unaligned_le16(skb->data); 431 u16 ogf = hci_opcode_ogf(opcode); 432 u16 ocf = hci_opcode_ocf(opcode); 433 434 if (((ogf > HCI_SFLT_MAX_OGF) || 435 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, &hci_sec_filter.ocf_mask[ogf])) && 436 !capable(CAP_NET_RAW)) { 437 err = -EPERM; 438 goto drop; 439 } 440 441 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) { 442 skb_queue_tail(&hdev->raw_q, skb); 443 hci_sched_tx(hdev); 444 } else { 445 skb_queue_tail(&hdev->cmd_q, skb); 446 hci_sched_cmd(hdev); 447 } 448 } else { 449 if (!capable(CAP_NET_RAW)) { 450 err = -EPERM; 451 goto drop; 452 } 453 454 skb_queue_tail(&hdev->raw_q, skb); 455 hci_sched_tx(hdev); 456 } 457 458 err = len; 459 460 done: 461 release_sock(sk); 462 return err; 463 464 drop: 465 kfree_skb(skb); 466 goto done; 467 } 468 469 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int len) 470 { 471 struct hci_ufilter uf = { .opcode = 0 }; 472 struct sock *sk = sock->sk; 473 int err = 0, opt = 0; 474 475 BT_DBG("sk %p, opt %d", sk, optname); 476 477 lock_sock(sk); 478 479 switch (optname) { 480 case HCI_DATA_DIR: 481 if (get_user(opt, (int __user *)optval)) { 482 err = -EFAULT; 483 break; 484 } 485 486 if (opt) 487 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 488 else 489 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 490 break; 491 492 case HCI_TIME_STAMP: 493 if (get_user(opt, (int __user *)optval)) { 494 err = -EFAULT; 495 break; 496 } 497 498 if (opt) 499 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 500 else 501 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 502 break; 503 504 case HCI_FILTER: 505 { 506 struct hci_filter *f = &hci_pi(sk)->filter; 507 508 uf.type_mask = f->type_mask; 509 uf.opcode = f->opcode; 510 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 511 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 512 } 513 514 len = min_t(unsigned int, len, sizeof(uf)); 515 if (copy_from_user(&uf, optval, len)) { 516 err = -EFAULT; 517 break; 518 } 519 520 if (!capable(CAP_NET_RAW)) { 521 uf.type_mask &= hci_sec_filter.type_mask; 522 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 523 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 524 } 525 526 { 527 struct hci_filter *f = &hci_pi(sk)->filter; 528 529 f->type_mask = uf.type_mask; 530 f->opcode = uf.opcode; 531 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 532 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 533 } 534 break; 535 536 default: 537 err = -ENOPROTOOPT; 538 break; 539 } 540 541 release_sock(sk); 542 return err; 543 } 544 545 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 546 { 547 struct hci_ufilter uf; 548 struct sock *sk = sock->sk; 549 int len, opt; 550 551 if (get_user(len, optlen)) 552 return -EFAULT; 553 554 switch (optname) { 555 case HCI_DATA_DIR: 556 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 557 opt = 1; 558 else 559 opt = 0; 560 561 if (put_user(opt, optval)) 562 return -EFAULT; 563 break; 564 565 case HCI_TIME_STAMP: 566 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 567 opt = 1; 568 else 569 opt = 0; 570 571 if (put_user(opt, optval)) 572 return -EFAULT; 573 break; 574 575 case HCI_FILTER: 576 { 577 struct hci_filter *f = &hci_pi(sk)->filter; 578 579 uf.type_mask = f->type_mask; 580 uf.opcode = f->opcode; 581 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 582 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 583 } 584 585 len = min_t(unsigned int, len, sizeof(uf)); 586 if (copy_to_user(optval, &uf, len)) 587 return -EFAULT; 588 break; 589 590 default: 591 return -ENOPROTOOPT; 592 break; 593 } 594 595 return 0; 596 } 597 598 static const struct proto_ops hci_sock_ops = { 599 .family = PF_BLUETOOTH, 600 .owner = THIS_MODULE, 601 .release = hci_sock_release, 602 .bind = hci_sock_bind, 603 .getname = hci_sock_getname, 604 .sendmsg = hci_sock_sendmsg, 605 .recvmsg = hci_sock_recvmsg, 606 .ioctl = hci_sock_ioctl, 607 .poll = datagram_poll, 608 .listen = sock_no_listen, 609 .shutdown = sock_no_shutdown, 610 .setsockopt = hci_sock_setsockopt, 611 .getsockopt = hci_sock_getsockopt, 612 .connect = sock_no_connect, 613 .socketpair = sock_no_socketpair, 614 .accept = sock_no_accept, 615 .mmap = sock_no_mmap 616 }; 617 618 static struct proto hci_sk_proto = { 619 .name = "HCI", 620 .owner = THIS_MODULE, 621 .obj_size = sizeof(struct hci_pinfo) 622 }; 623 624 static int hci_sock_create(struct net *net, struct socket *sock, int protocol) 625 { 626 struct sock *sk; 627 628 BT_DBG("sock %p", sock); 629 630 if (sock->type != SOCK_RAW) 631 return -ESOCKTNOSUPPORT; 632 633 sock->ops = &hci_sock_ops; 634 635 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto); 636 if (!sk) 637 return -ENOMEM; 638 639 sock_init_data(sock, sk); 640 641 sock_reset_flag(sk, SOCK_ZAPPED); 642 643 sk->sk_protocol = protocol; 644 645 sock->state = SS_UNCONNECTED; 646 sk->sk_state = BT_OPEN; 647 648 bt_sock_link(&hci_sk_list, sk); 649 return 0; 650 } 651 652 static int hci_sock_dev_event(struct notifier_block *this, unsigned long event, void *ptr) 653 { 654 struct hci_dev *hdev = (struct hci_dev *) ptr; 655 struct hci_ev_si_device ev; 656 657 BT_DBG("hdev %s event %ld", hdev->name, event); 658 659 /* Send event to sockets */ 660 ev.event = event; 661 ev.dev_id = hdev->id; 662 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 663 664 if (event == HCI_DEV_UNREG) { 665 struct sock *sk; 666 struct hlist_node *node; 667 668 /* Detach sockets from device */ 669 read_lock(&hci_sk_list.lock); 670 sk_for_each(sk, node, &hci_sk_list.head) { 671 local_bh_disable(); 672 bh_lock_sock_nested(sk); 673 if (hci_pi(sk)->hdev == hdev) { 674 hci_pi(sk)->hdev = NULL; 675 sk->sk_err = EPIPE; 676 sk->sk_state = BT_OPEN; 677 sk->sk_state_change(sk); 678 679 hci_dev_put(hdev); 680 } 681 bh_unlock_sock(sk); 682 local_bh_enable(); 683 } 684 read_unlock(&hci_sk_list.lock); 685 } 686 687 return NOTIFY_DONE; 688 } 689 690 static struct net_proto_family hci_sock_family_ops = { 691 .family = PF_BLUETOOTH, 692 .owner = THIS_MODULE, 693 .create = hci_sock_create, 694 }; 695 696 static struct notifier_block hci_sock_nblock = { 697 .notifier_call = hci_sock_dev_event 698 }; 699 700 int __init hci_sock_init(void) 701 { 702 int err; 703 704 err = proto_register(&hci_sk_proto, 0); 705 if (err < 0) 706 return err; 707 708 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 709 if (err < 0) 710 goto error; 711 712 hci_register_notifier(&hci_sock_nblock); 713 714 BT_INFO("HCI socket layer initialized"); 715 716 return 0; 717 718 error: 719 BT_ERR("HCI socket registration failed"); 720 proto_unregister(&hci_sk_proto); 721 return err; 722 } 723 724 void __exit hci_sock_cleanup(void) 725 { 726 if (bt_sock_unregister(BTPROTO_HCI) < 0) 727 BT_ERR("HCI socket unregistration failed"); 728 729 hci_unregister_notifier(&hci_sock_nblock); 730 731 proto_unregister(&hci_sk_proto); 732 } 733