1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI sockets. */ 26 27 #include <linux/export.h> 28 #include <asm/unaligned.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/hci_mon.h> 33 34 static atomic_t monitor_promisc = ATOMIC_INIT(0); 35 36 /* ----- HCI socket interface ----- */ 37 38 /* Socket info */ 39 #define hci_pi(sk) ((struct hci_pinfo *) sk) 40 41 struct hci_pinfo { 42 struct bt_sock bt; 43 struct hci_dev *hdev; 44 struct hci_filter filter; 45 __u32 cmsg_mask; 46 unsigned short channel; 47 }; 48 49 static inline int hci_test_bit(int nr, void *addr) 50 { 51 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 52 } 53 54 /* Security filter */ 55 #define HCI_SFLT_MAX_OGF 5 56 57 struct hci_sec_filter { 58 __u32 type_mask; 59 __u32 event_mask[2]; 60 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4]; 61 }; 62 63 static const struct hci_sec_filter hci_sec_filter = { 64 /* Packet types */ 65 0x10, 66 /* Events */ 67 { 0x1000d9fe, 0x0000b00c }, 68 /* Commands */ 69 { 70 { 0x0 }, 71 /* OGF_LINK_CTL */ 72 { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, 73 /* OGF_LINK_POLICY */ 74 { 0x00005200, 0x00000000, 0x00000000, 0x00 }, 75 /* OGF_HOST_CTL */ 76 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, 77 /* OGF_INFO_PARAM */ 78 { 0x000002be, 0x00000000, 0x00000000, 0x00 }, 79 /* OGF_STATUS_PARAM */ 80 { 0x000000ea, 0x00000000, 0x00000000, 0x00 } 81 } 82 }; 83 84 static struct bt_sock_list hci_sk_list = { 85 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) 86 }; 87 88 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) 89 { 90 struct hci_filter *flt; 91 int flt_type, flt_event; 92 93 /* Apply filter */ 94 flt = &hci_pi(sk)->filter; 95 96 if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) 97 flt_type = 0; 98 else 99 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS; 100 101 if (!test_bit(flt_type, &flt->type_mask)) 102 return true; 103 104 /* Extra filter for event packets only */ 105 if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT) 106 return false; 107 108 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 109 110 if (!hci_test_bit(flt_event, &flt->event_mask)) 111 return true; 112 113 /* Check filter only when opcode is set */ 114 if (!flt->opcode) 115 return false; 116 117 if (flt_event == HCI_EV_CMD_COMPLETE && 118 flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) 119 return true; 120 121 if (flt_event == HCI_EV_CMD_STATUS && 122 flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) 123 return true; 124 125 return false; 126 } 127 128 /* Send frame to RAW socket */ 129 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 130 { 131 struct sock *sk; 132 struct sk_buff *skb_copy = NULL; 133 134 BT_DBG("hdev %p len %d", hdev, skb->len); 135 136 read_lock(&hci_sk_list.lock); 137 138 sk_for_each(sk, &hci_sk_list.head) { 139 struct sk_buff *nskb; 140 141 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 142 continue; 143 144 /* Don't send frame to the socket it came from */ 145 if (skb->sk == sk) 146 continue; 147 148 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { 149 if (is_filtered_packet(sk, skb)) 150 continue; 151 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 152 if (!bt_cb(skb)->incoming) 153 continue; 154 if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT && 155 bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && 156 bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) 157 continue; 158 } else { 159 /* Don't send frame to other channel types */ 160 continue; 161 } 162 163 if (!skb_copy) { 164 /* Create a private copy with headroom */ 165 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true); 166 if (!skb_copy) 167 continue; 168 169 /* Put type byte before the data */ 170 memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1); 171 } 172 173 nskb = skb_clone(skb_copy, GFP_ATOMIC); 174 if (!nskb) 175 continue; 176 177 if (sock_queue_rcv_skb(sk, nskb)) 178 kfree_skb(nskb); 179 } 180 181 read_unlock(&hci_sk_list.lock); 182 183 kfree_skb(skb_copy); 184 } 185 186 /* Send frame to control socket */ 187 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk) 188 { 189 struct sock *sk; 190 191 BT_DBG("len %d", skb->len); 192 193 read_lock(&hci_sk_list.lock); 194 195 sk_for_each(sk, &hci_sk_list.head) { 196 struct sk_buff *nskb; 197 198 /* Skip the original socket */ 199 if (sk == skip_sk) 200 continue; 201 202 if (sk->sk_state != BT_BOUND) 203 continue; 204 205 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) 206 continue; 207 208 nskb = skb_clone(skb, GFP_ATOMIC); 209 if (!nskb) 210 continue; 211 212 if (sock_queue_rcv_skb(sk, nskb)) 213 kfree_skb(nskb); 214 } 215 216 read_unlock(&hci_sk_list.lock); 217 } 218 219 static void queue_monitor_skb(struct sk_buff *skb) 220 { 221 struct sock *sk; 222 223 BT_DBG("len %d", skb->len); 224 225 read_lock(&hci_sk_list.lock); 226 227 sk_for_each(sk, &hci_sk_list.head) { 228 struct sk_buff *nskb; 229 230 if (sk->sk_state != BT_BOUND) 231 continue; 232 233 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR) 234 continue; 235 236 nskb = skb_clone(skb, GFP_ATOMIC); 237 if (!nskb) 238 continue; 239 240 if (sock_queue_rcv_skb(sk, nskb)) 241 kfree_skb(nskb); 242 } 243 244 read_unlock(&hci_sk_list.lock); 245 } 246 247 /* Send frame to monitor socket */ 248 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) 249 { 250 struct sk_buff *skb_copy = NULL; 251 struct hci_mon_hdr *hdr; 252 __le16 opcode; 253 254 if (!atomic_read(&monitor_promisc)) 255 return; 256 257 BT_DBG("hdev %p len %d", hdev, skb->len); 258 259 switch (bt_cb(skb)->pkt_type) { 260 case HCI_COMMAND_PKT: 261 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); 262 break; 263 case HCI_EVENT_PKT: 264 opcode = cpu_to_le16(HCI_MON_EVENT_PKT); 265 break; 266 case HCI_ACLDATA_PKT: 267 if (bt_cb(skb)->incoming) 268 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); 269 else 270 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); 271 break; 272 case HCI_SCODATA_PKT: 273 if (bt_cb(skb)->incoming) 274 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); 275 else 276 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); 277 break; 278 default: 279 return; 280 } 281 282 /* Create a private copy with headroom */ 283 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true); 284 if (!skb_copy) 285 return; 286 287 /* Put header before the data */ 288 hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE); 289 hdr->opcode = opcode; 290 hdr->index = cpu_to_le16(hdev->id); 291 hdr->len = cpu_to_le16(skb->len); 292 293 queue_monitor_skb(skb_copy); 294 kfree_skb(skb_copy); 295 } 296 297 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) 298 { 299 struct hci_mon_hdr *hdr; 300 struct hci_mon_new_index *ni; 301 struct sk_buff *skb; 302 __le16 opcode; 303 304 switch (event) { 305 case HCI_DEV_REG: 306 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); 307 if (!skb) 308 return NULL; 309 310 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE); 311 ni->type = hdev->dev_type; 312 ni->bus = hdev->bus; 313 bacpy(&ni->bdaddr, &hdev->bdaddr); 314 memcpy(ni->name, hdev->name, 8); 315 316 opcode = cpu_to_le16(HCI_MON_NEW_INDEX); 317 break; 318 319 case HCI_DEV_UNREG: 320 skb = bt_skb_alloc(0, GFP_ATOMIC); 321 if (!skb) 322 return NULL; 323 324 opcode = cpu_to_le16(HCI_MON_DEL_INDEX); 325 break; 326 327 default: 328 return NULL; 329 } 330 331 __net_timestamp(skb); 332 333 hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE); 334 hdr->opcode = opcode; 335 hdr->index = cpu_to_le16(hdev->id); 336 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); 337 338 return skb; 339 } 340 341 static void send_monitor_replay(struct sock *sk) 342 { 343 struct hci_dev *hdev; 344 345 read_lock(&hci_dev_list_lock); 346 347 list_for_each_entry(hdev, &hci_dev_list, list) { 348 struct sk_buff *skb; 349 350 skb = create_monitor_event(hdev, HCI_DEV_REG); 351 if (!skb) 352 continue; 353 354 if (sock_queue_rcv_skb(sk, skb)) 355 kfree_skb(skb); 356 } 357 358 read_unlock(&hci_dev_list_lock); 359 } 360 361 /* Generate internal stack event */ 362 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) 363 { 364 struct hci_event_hdr *hdr; 365 struct hci_ev_stack_internal *ev; 366 struct sk_buff *skb; 367 368 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); 369 if (!skb) 370 return; 371 372 hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE); 373 hdr->evt = HCI_EV_STACK_INTERNAL; 374 hdr->plen = sizeof(*ev) + dlen; 375 376 ev = (void *) skb_put(skb, sizeof(*ev) + dlen); 377 ev->type = type; 378 memcpy(ev->data, data, dlen); 379 380 bt_cb(skb)->incoming = 1; 381 __net_timestamp(skb); 382 383 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 384 hci_send_to_sock(hdev, skb); 385 kfree_skb(skb); 386 } 387 388 void hci_sock_dev_event(struct hci_dev *hdev, int event) 389 { 390 struct hci_ev_si_device ev; 391 392 BT_DBG("hdev %s event %d", hdev->name, event); 393 394 /* Send event to monitor */ 395 if (atomic_read(&monitor_promisc)) { 396 struct sk_buff *skb; 397 398 skb = create_monitor_event(hdev, event); 399 if (skb) { 400 queue_monitor_skb(skb); 401 kfree_skb(skb); 402 } 403 } 404 405 /* Send event to sockets */ 406 ev.event = event; 407 ev.dev_id = hdev->id; 408 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 409 410 if (event == HCI_DEV_UNREG) { 411 struct sock *sk; 412 413 /* Detach sockets from device */ 414 read_lock(&hci_sk_list.lock); 415 sk_for_each(sk, &hci_sk_list.head) { 416 bh_lock_sock_nested(sk); 417 if (hci_pi(sk)->hdev == hdev) { 418 hci_pi(sk)->hdev = NULL; 419 sk->sk_err = EPIPE; 420 sk->sk_state = BT_OPEN; 421 sk->sk_state_change(sk); 422 423 hci_dev_put(hdev); 424 } 425 bh_unlock_sock(sk); 426 } 427 read_unlock(&hci_sk_list.lock); 428 } 429 } 430 431 static int hci_sock_release(struct socket *sock) 432 { 433 struct sock *sk = sock->sk; 434 struct hci_dev *hdev; 435 436 BT_DBG("sock %p sk %p", sock, sk); 437 438 if (!sk) 439 return 0; 440 441 hdev = hci_pi(sk)->hdev; 442 443 if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR) 444 atomic_dec(&monitor_promisc); 445 446 bt_sock_unlink(&hci_sk_list, sk); 447 448 if (hdev) { 449 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 450 mgmt_index_added(hdev); 451 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 452 hci_dev_close(hdev->id); 453 } 454 455 atomic_dec(&hdev->promisc); 456 hci_dev_put(hdev); 457 } 458 459 sock_orphan(sk); 460 461 skb_queue_purge(&sk->sk_receive_queue); 462 skb_queue_purge(&sk->sk_write_queue); 463 464 sock_put(sk); 465 return 0; 466 } 467 468 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) 469 { 470 bdaddr_t bdaddr; 471 int err; 472 473 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 474 return -EFAULT; 475 476 hci_dev_lock(hdev); 477 478 err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR); 479 480 hci_dev_unlock(hdev); 481 482 return err; 483 } 484 485 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) 486 { 487 bdaddr_t bdaddr; 488 int err; 489 490 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 491 return -EFAULT; 492 493 hci_dev_lock(hdev); 494 495 err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR); 496 497 hci_dev_unlock(hdev); 498 499 return err; 500 } 501 502 /* Ioctls that require bound socket */ 503 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, 504 unsigned long arg) 505 { 506 struct hci_dev *hdev = hci_pi(sk)->hdev; 507 508 if (!hdev) 509 return -EBADFD; 510 511 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) 512 return -EBUSY; 513 514 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) 515 return -EOPNOTSUPP; 516 517 if (hdev->dev_type != HCI_BREDR) 518 return -EOPNOTSUPP; 519 520 switch (cmd) { 521 case HCISETRAW: 522 if (!capable(CAP_NET_ADMIN)) 523 return -EPERM; 524 return -EOPNOTSUPP; 525 526 case HCIGETCONNINFO: 527 return hci_get_conn_info(hdev, (void __user *) arg); 528 529 case HCIGETAUTHINFO: 530 return hci_get_auth_info(hdev, (void __user *) arg); 531 532 case HCIBLOCKADDR: 533 if (!capable(CAP_NET_ADMIN)) 534 return -EPERM; 535 return hci_sock_blacklist_add(hdev, (void __user *) arg); 536 537 case HCIUNBLOCKADDR: 538 if (!capable(CAP_NET_ADMIN)) 539 return -EPERM; 540 return hci_sock_blacklist_del(hdev, (void __user *) arg); 541 } 542 543 return -ENOIOCTLCMD; 544 } 545 546 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, 547 unsigned long arg) 548 { 549 void __user *argp = (void __user *) arg; 550 struct sock *sk = sock->sk; 551 int err; 552 553 BT_DBG("cmd %x arg %lx", cmd, arg); 554 555 lock_sock(sk); 556 557 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 558 err = -EBADFD; 559 goto done; 560 } 561 562 release_sock(sk); 563 564 switch (cmd) { 565 case HCIGETDEVLIST: 566 return hci_get_dev_list(argp); 567 568 case HCIGETDEVINFO: 569 return hci_get_dev_info(argp); 570 571 case HCIGETCONNLIST: 572 return hci_get_conn_list(argp); 573 574 case HCIDEVUP: 575 if (!capable(CAP_NET_ADMIN)) 576 return -EPERM; 577 return hci_dev_open(arg); 578 579 case HCIDEVDOWN: 580 if (!capable(CAP_NET_ADMIN)) 581 return -EPERM; 582 return hci_dev_close(arg); 583 584 case HCIDEVRESET: 585 if (!capable(CAP_NET_ADMIN)) 586 return -EPERM; 587 return hci_dev_reset(arg); 588 589 case HCIDEVRESTAT: 590 if (!capable(CAP_NET_ADMIN)) 591 return -EPERM; 592 return hci_dev_reset_stat(arg); 593 594 case HCISETSCAN: 595 case HCISETAUTH: 596 case HCISETENCRYPT: 597 case HCISETPTYPE: 598 case HCISETLINKPOL: 599 case HCISETLINKMODE: 600 case HCISETACLMTU: 601 case HCISETSCOMTU: 602 if (!capable(CAP_NET_ADMIN)) 603 return -EPERM; 604 return hci_dev_cmd(cmd, argp); 605 606 case HCIINQUIRY: 607 return hci_inquiry(argp); 608 } 609 610 lock_sock(sk); 611 612 err = hci_sock_bound_ioctl(sk, cmd, arg); 613 614 done: 615 release_sock(sk); 616 return err; 617 } 618 619 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, 620 int addr_len) 621 { 622 struct sockaddr_hci haddr; 623 struct sock *sk = sock->sk; 624 struct hci_dev *hdev = NULL; 625 int len, err = 0; 626 627 BT_DBG("sock %p sk %p", sock, sk); 628 629 if (!addr) 630 return -EINVAL; 631 632 memset(&haddr, 0, sizeof(haddr)); 633 len = min_t(unsigned int, sizeof(haddr), addr_len); 634 memcpy(&haddr, addr, len); 635 636 if (haddr.hci_family != AF_BLUETOOTH) 637 return -EINVAL; 638 639 lock_sock(sk); 640 641 if (sk->sk_state == BT_BOUND) { 642 err = -EALREADY; 643 goto done; 644 } 645 646 switch (haddr.hci_channel) { 647 case HCI_CHANNEL_RAW: 648 if (hci_pi(sk)->hdev) { 649 err = -EALREADY; 650 goto done; 651 } 652 653 if (haddr.hci_dev != HCI_DEV_NONE) { 654 hdev = hci_dev_get(haddr.hci_dev); 655 if (!hdev) { 656 err = -ENODEV; 657 goto done; 658 } 659 660 atomic_inc(&hdev->promisc); 661 } 662 663 hci_pi(sk)->hdev = hdev; 664 break; 665 666 case HCI_CHANNEL_USER: 667 if (hci_pi(sk)->hdev) { 668 err = -EALREADY; 669 goto done; 670 } 671 672 if (haddr.hci_dev == HCI_DEV_NONE) { 673 err = -EINVAL; 674 goto done; 675 } 676 677 if (!capable(CAP_NET_ADMIN)) { 678 err = -EPERM; 679 goto done; 680 } 681 682 hdev = hci_dev_get(haddr.hci_dev); 683 if (!hdev) { 684 err = -ENODEV; 685 goto done; 686 } 687 688 if (test_bit(HCI_UP, &hdev->flags) || 689 test_bit(HCI_INIT, &hdev->flags) || 690 test_bit(HCI_SETUP, &hdev->dev_flags) || 691 test_bit(HCI_CONFIG, &hdev->dev_flags)) { 692 err = -EBUSY; 693 hci_dev_put(hdev); 694 goto done; 695 } 696 697 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) { 698 err = -EUSERS; 699 hci_dev_put(hdev); 700 goto done; 701 } 702 703 mgmt_index_removed(hdev); 704 705 err = hci_dev_open(hdev->id); 706 if (err) { 707 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 708 mgmt_index_added(hdev); 709 hci_dev_put(hdev); 710 goto done; 711 } 712 713 atomic_inc(&hdev->promisc); 714 715 hci_pi(sk)->hdev = hdev; 716 break; 717 718 case HCI_CHANNEL_CONTROL: 719 if (haddr.hci_dev != HCI_DEV_NONE) { 720 err = -EINVAL; 721 goto done; 722 } 723 724 if (!capable(CAP_NET_ADMIN)) { 725 err = -EPERM; 726 goto done; 727 } 728 729 break; 730 731 case HCI_CHANNEL_MONITOR: 732 if (haddr.hci_dev != HCI_DEV_NONE) { 733 err = -EINVAL; 734 goto done; 735 } 736 737 if (!capable(CAP_NET_RAW)) { 738 err = -EPERM; 739 goto done; 740 } 741 742 send_monitor_replay(sk); 743 744 atomic_inc(&monitor_promisc); 745 break; 746 747 default: 748 err = -EINVAL; 749 goto done; 750 } 751 752 753 hci_pi(sk)->channel = haddr.hci_channel; 754 sk->sk_state = BT_BOUND; 755 756 done: 757 release_sock(sk); 758 return err; 759 } 760 761 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, 762 int *addr_len, int peer) 763 { 764 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 765 struct sock *sk = sock->sk; 766 struct hci_dev *hdev; 767 int err = 0; 768 769 BT_DBG("sock %p sk %p", sock, sk); 770 771 if (peer) 772 return -EOPNOTSUPP; 773 774 lock_sock(sk); 775 776 hdev = hci_pi(sk)->hdev; 777 if (!hdev) { 778 err = -EBADFD; 779 goto done; 780 } 781 782 *addr_len = sizeof(*haddr); 783 haddr->hci_family = AF_BLUETOOTH; 784 haddr->hci_dev = hdev->id; 785 haddr->hci_channel= hci_pi(sk)->channel; 786 787 done: 788 release_sock(sk); 789 return err; 790 } 791 792 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, 793 struct sk_buff *skb) 794 { 795 __u32 mask = hci_pi(sk)->cmsg_mask; 796 797 if (mask & HCI_CMSG_DIR) { 798 int incoming = bt_cb(skb)->incoming; 799 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), 800 &incoming); 801 } 802 803 if (mask & HCI_CMSG_TSTAMP) { 804 #ifdef CONFIG_COMPAT 805 struct compat_timeval ctv; 806 #endif 807 struct timeval tv; 808 void *data; 809 int len; 810 811 skb_get_timestamp(skb, &tv); 812 813 data = &tv; 814 len = sizeof(tv); 815 #ifdef CONFIG_COMPAT 816 if (!COMPAT_USE_64BIT_TIME && 817 (msg->msg_flags & MSG_CMSG_COMPAT)) { 818 ctv.tv_sec = tv.tv_sec; 819 ctv.tv_usec = tv.tv_usec; 820 data = &ctv; 821 len = sizeof(ctv); 822 } 823 #endif 824 825 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); 826 } 827 } 828 829 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 830 struct msghdr *msg, size_t len, int flags) 831 { 832 int noblock = flags & MSG_DONTWAIT; 833 struct sock *sk = sock->sk; 834 struct sk_buff *skb; 835 int copied, err; 836 837 BT_DBG("sock %p, sk %p", sock, sk); 838 839 if (flags & (MSG_OOB)) 840 return -EOPNOTSUPP; 841 842 if (sk->sk_state == BT_CLOSED) 843 return 0; 844 845 skb = skb_recv_datagram(sk, flags, noblock, &err); 846 if (!skb) 847 return err; 848 849 copied = skb->len; 850 if (len < copied) { 851 msg->msg_flags |= MSG_TRUNC; 852 copied = len; 853 } 854 855 skb_reset_transport_header(skb); 856 err = skb_copy_datagram_msg(skb, 0, msg, copied); 857 858 switch (hci_pi(sk)->channel) { 859 case HCI_CHANNEL_RAW: 860 hci_sock_cmsg(sk, msg, skb); 861 break; 862 case HCI_CHANNEL_USER: 863 case HCI_CHANNEL_CONTROL: 864 case HCI_CHANNEL_MONITOR: 865 sock_recv_timestamp(msg, sk, skb); 866 break; 867 } 868 869 skb_free_datagram(sk, skb); 870 871 return err ? : copied; 872 } 873 874 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 875 struct msghdr *msg, size_t len) 876 { 877 struct sock *sk = sock->sk; 878 struct hci_dev *hdev; 879 struct sk_buff *skb; 880 int err; 881 882 BT_DBG("sock %p sk %p", sock, sk); 883 884 if (msg->msg_flags & MSG_OOB) 885 return -EOPNOTSUPP; 886 887 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 888 return -EINVAL; 889 890 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 891 return -EINVAL; 892 893 lock_sock(sk); 894 895 switch (hci_pi(sk)->channel) { 896 case HCI_CHANNEL_RAW: 897 case HCI_CHANNEL_USER: 898 break; 899 case HCI_CHANNEL_CONTROL: 900 err = mgmt_control(sk, msg, len); 901 goto done; 902 case HCI_CHANNEL_MONITOR: 903 err = -EOPNOTSUPP; 904 goto done; 905 default: 906 err = -EINVAL; 907 goto done; 908 } 909 910 hdev = hci_pi(sk)->hdev; 911 if (!hdev) { 912 err = -EBADFD; 913 goto done; 914 } 915 916 if (!test_bit(HCI_UP, &hdev->flags)) { 917 err = -ENETDOWN; 918 goto done; 919 } 920 921 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); 922 if (!skb) 923 goto done; 924 925 if (memcpy_from_msg(skb_put(skb, len), msg, len)) { 926 err = -EFAULT; 927 goto drop; 928 } 929 930 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); 931 skb_pull(skb, 1); 932 933 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { 934 /* No permission check is needed for user channel 935 * since that gets enforced when binding the socket. 936 * 937 * However check that the packet type is valid. 938 */ 939 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT && 940 bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && 941 bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) { 942 err = -EINVAL; 943 goto drop; 944 } 945 946 skb_queue_tail(&hdev->raw_q, skb); 947 queue_work(hdev->workqueue, &hdev->tx_work); 948 } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { 949 u16 opcode = get_unaligned_le16(skb->data); 950 u16 ogf = hci_opcode_ogf(opcode); 951 u16 ocf = hci_opcode_ocf(opcode); 952 953 if (((ogf > HCI_SFLT_MAX_OGF) || 954 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, 955 &hci_sec_filter.ocf_mask[ogf])) && 956 !capable(CAP_NET_RAW)) { 957 err = -EPERM; 958 goto drop; 959 } 960 961 if (ogf == 0x3f) { 962 skb_queue_tail(&hdev->raw_q, skb); 963 queue_work(hdev->workqueue, &hdev->tx_work); 964 } else { 965 /* Stand-alone HCI commands must be flagged as 966 * single-command requests. 967 */ 968 bt_cb(skb)->req.start = true; 969 970 skb_queue_tail(&hdev->cmd_q, skb); 971 queue_work(hdev->workqueue, &hdev->cmd_work); 972 } 973 } else { 974 if (!capable(CAP_NET_RAW)) { 975 err = -EPERM; 976 goto drop; 977 } 978 979 skb_queue_tail(&hdev->raw_q, skb); 980 queue_work(hdev->workqueue, &hdev->tx_work); 981 } 982 983 err = len; 984 985 done: 986 release_sock(sk); 987 return err; 988 989 drop: 990 kfree_skb(skb); 991 goto done; 992 } 993 994 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 995 char __user *optval, unsigned int len) 996 { 997 struct hci_ufilter uf = { .opcode = 0 }; 998 struct sock *sk = sock->sk; 999 int err = 0, opt = 0; 1000 1001 BT_DBG("sk %p, opt %d", sk, optname); 1002 1003 lock_sock(sk); 1004 1005 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1006 err = -EBADFD; 1007 goto done; 1008 } 1009 1010 switch (optname) { 1011 case HCI_DATA_DIR: 1012 if (get_user(opt, (int __user *)optval)) { 1013 err = -EFAULT; 1014 break; 1015 } 1016 1017 if (opt) 1018 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 1019 else 1020 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 1021 break; 1022 1023 case HCI_TIME_STAMP: 1024 if (get_user(opt, (int __user *)optval)) { 1025 err = -EFAULT; 1026 break; 1027 } 1028 1029 if (opt) 1030 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 1031 else 1032 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 1033 break; 1034 1035 case HCI_FILTER: 1036 { 1037 struct hci_filter *f = &hci_pi(sk)->filter; 1038 1039 uf.type_mask = f->type_mask; 1040 uf.opcode = f->opcode; 1041 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1042 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1043 } 1044 1045 len = min_t(unsigned int, len, sizeof(uf)); 1046 if (copy_from_user(&uf, optval, len)) { 1047 err = -EFAULT; 1048 break; 1049 } 1050 1051 if (!capable(CAP_NET_RAW)) { 1052 uf.type_mask &= hci_sec_filter.type_mask; 1053 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 1054 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 1055 } 1056 1057 { 1058 struct hci_filter *f = &hci_pi(sk)->filter; 1059 1060 f->type_mask = uf.type_mask; 1061 f->opcode = uf.opcode; 1062 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 1063 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 1064 } 1065 break; 1066 1067 default: 1068 err = -ENOPROTOOPT; 1069 break; 1070 } 1071 1072 done: 1073 release_sock(sk); 1074 return err; 1075 } 1076 1077 static int hci_sock_getsockopt(struct socket *sock, int level, int optname, 1078 char __user *optval, int __user *optlen) 1079 { 1080 struct hci_ufilter uf; 1081 struct sock *sk = sock->sk; 1082 int len, opt, err = 0; 1083 1084 BT_DBG("sk %p, opt %d", sk, optname); 1085 1086 if (get_user(len, optlen)) 1087 return -EFAULT; 1088 1089 lock_sock(sk); 1090 1091 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { 1092 err = -EBADFD; 1093 goto done; 1094 } 1095 1096 switch (optname) { 1097 case HCI_DATA_DIR: 1098 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 1099 opt = 1; 1100 else 1101 opt = 0; 1102 1103 if (put_user(opt, optval)) 1104 err = -EFAULT; 1105 break; 1106 1107 case HCI_TIME_STAMP: 1108 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 1109 opt = 1; 1110 else 1111 opt = 0; 1112 1113 if (put_user(opt, optval)) 1114 err = -EFAULT; 1115 break; 1116 1117 case HCI_FILTER: 1118 { 1119 struct hci_filter *f = &hci_pi(sk)->filter; 1120 1121 memset(&uf, 0, sizeof(uf)); 1122 uf.type_mask = f->type_mask; 1123 uf.opcode = f->opcode; 1124 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1125 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1126 } 1127 1128 len = min_t(unsigned int, len, sizeof(uf)); 1129 if (copy_to_user(optval, &uf, len)) 1130 err = -EFAULT; 1131 break; 1132 1133 default: 1134 err = -ENOPROTOOPT; 1135 break; 1136 } 1137 1138 done: 1139 release_sock(sk); 1140 return err; 1141 } 1142 1143 static const struct proto_ops hci_sock_ops = { 1144 .family = PF_BLUETOOTH, 1145 .owner = THIS_MODULE, 1146 .release = hci_sock_release, 1147 .bind = hci_sock_bind, 1148 .getname = hci_sock_getname, 1149 .sendmsg = hci_sock_sendmsg, 1150 .recvmsg = hci_sock_recvmsg, 1151 .ioctl = hci_sock_ioctl, 1152 .poll = datagram_poll, 1153 .listen = sock_no_listen, 1154 .shutdown = sock_no_shutdown, 1155 .setsockopt = hci_sock_setsockopt, 1156 .getsockopt = hci_sock_getsockopt, 1157 .connect = sock_no_connect, 1158 .socketpair = sock_no_socketpair, 1159 .accept = sock_no_accept, 1160 .mmap = sock_no_mmap 1161 }; 1162 1163 static struct proto hci_sk_proto = { 1164 .name = "HCI", 1165 .owner = THIS_MODULE, 1166 .obj_size = sizeof(struct hci_pinfo) 1167 }; 1168 1169 static int hci_sock_create(struct net *net, struct socket *sock, int protocol, 1170 int kern) 1171 { 1172 struct sock *sk; 1173 1174 BT_DBG("sock %p", sock); 1175 1176 if (sock->type != SOCK_RAW) 1177 return -ESOCKTNOSUPPORT; 1178 1179 sock->ops = &hci_sock_ops; 1180 1181 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto); 1182 if (!sk) 1183 return -ENOMEM; 1184 1185 sock_init_data(sock, sk); 1186 1187 sock_reset_flag(sk, SOCK_ZAPPED); 1188 1189 sk->sk_protocol = protocol; 1190 1191 sock->state = SS_UNCONNECTED; 1192 sk->sk_state = BT_OPEN; 1193 1194 bt_sock_link(&hci_sk_list, sk); 1195 return 0; 1196 } 1197 1198 static const struct net_proto_family hci_sock_family_ops = { 1199 .family = PF_BLUETOOTH, 1200 .owner = THIS_MODULE, 1201 .create = hci_sock_create, 1202 }; 1203 1204 int __init hci_sock_init(void) 1205 { 1206 int err; 1207 1208 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr)); 1209 1210 err = proto_register(&hci_sk_proto, 0); 1211 if (err < 0) 1212 return err; 1213 1214 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 1215 if (err < 0) { 1216 BT_ERR("HCI socket registration failed"); 1217 goto error; 1218 } 1219 1220 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); 1221 if (err < 0) { 1222 BT_ERR("Failed to create HCI proc file"); 1223 bt_sock_unregister(BTPROTO_HCI); 1224 goto error; 1225 } 1226 1227 BT_INFO("HCI socket layer initialized"); 1228 1229 return 0; 1230 1231 error: 1232 proto_unregister(&hci_sk_proto); 1233 return err; 1234 } 1235 1236 void hci_sock_cleanup(void) 1237 { 1238 bt_procfs_cleanup(&init_net, "hci"); 1239 bt_sock_unregister(BTPROTO_HCI); 1240 proto_unregister(&hci_sk_proto); 1241 } 1242