2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI sockets. */
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <asm/unaligned.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/hci_mon.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "mgmt_util.h"
38 static LIST_HEAD(mgmt_chan_list);
39 static DEFINE_MUTEX(mgmt_chan_list_lock);
41 static atomic_t monitor_promisc = ATOMIC_INIT(0);
43 /* ----- HCI socket interface ----- */
46 #define hci_pi(sk) ((struct hci_pinfo *) sk)
51 struct hci_filter filter;
53 unsigned short channel;
57 void hci_sock_set_flag(struct sock *sk, int nr)
59 set_bit(nr, &hci_pi(sk)->flags);
62 void hci_sock_clear_flag(struct sock *sk, int nr)
64 clear_bit(nr, &hci_pi(sk)->flags);
67 int hci_sock_test_flag(struct sock *sk, int nr)
69 return test_bit(nr, &hci_pi(sk)->flags);
72 unsigned short hci_sock_get_channel(struct sock *sk)
74 return hci_pi(sk)->channel;
77 static inline int hci_test_bit(int nr, const void *addr)
79 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
83 #define HCI_SFLT_MAX_OGF 5
85 struct hci_sec_filter {
88 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
91 static const struct hci_sec_filter hci_sec_filter = {
95 { 0x1000d9fe, 0x0000b00c },
100 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
101 /* OGF_LINK_POLICY */
102 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
104 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
106 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
107 /* OGF_STATUS_PARAM */
108 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
112 static struct bt_sock_list hci_sk_list = {
113 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
116 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
118 struct hci_filter *flt;
119 int flt_type, flt_event;
122 flt = &hci_pi(sk)->filter;
124 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
126 if (!test_bit(flt_type, &flt->type_mask))
129 /* Extra filter for event packets only */
130 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
133 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
135 if (!hci_test_bit(flt_event, &flt->event_mask))
138 /* Check filter only when opcode is set */
142 if (flt_event == HCI_EV_CMD_COMPLETE &&
143 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
146 if (flt_event == HCI_EV_CMD_STATUS &&
147 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
153 /* Send frame to RAW socket */
154 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
157 struct sk_buff *skb_copy = NULL;
159 BT_DBG("hdev %p len %d", hdev, skb->len);
161 read_lock(&hci_sk_list.lock);
163 sk_for_each(sk, &hci_sk_list.head) {
164 struct sk_buff *nskb;
166 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
169 /* Don't send frame to the socket it came from */
173 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
174 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
175 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
176 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
177 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
179 if (is_filtered_packet(sk, skb))
181 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
182 if (!bt_cb(skb)->incoming)
184 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
185 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
186 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
189 /* Don't send frame to other channel types */
194 /* Create a private copy with headroom */
195 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
199 /* Put type byte before the data */
200 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
203 nskb = skb_clone(skb_copy, GFP_ATOMIC);
207 if (sock_queue_rcv_skb(sk, nskb))
211 read_unlock(&hci_sk_list.lock);
216 /* Send frame to sockets with specific channel */
217 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
218 int flag, struct sock *skip_sk)
222 BT_DBG("channel %u len %d", channel, skb->len);
224 read_lock(&hci_sk_list.lock);
226 sk_for_each(sk, &hci_sk_list.head) {
227 struct sk_buff *nskb;
229 /* Ignore socket without the flag set */
230 if (!hci_sock_test_flag(sk, flag))
233 /* Skip the original socket */
237 if (sk->sk_state != BT_BOUND)
240 if (hci_pi(sk)->channel != channel)
243 nskb = skb_clone(skb, GFP_ATOMIC);
247 if (sock_queue_rcv_skb(sk, nskb))
251 read_unlock(&hci_sk_list.lock);
254 /* Send frame to monitor socket */
255 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
257 struct sk_buff *skb_copy = NULL;
258 struct hci_mon_hdr *hdr;
261 if (!atomic_read(&monitor_promisc))
264 BT_DBG("hdev %p len %d", hdev, skb->len);
266 switch (hci_skb_pkt_type(skb)) {
267 case HCI_COMMAND_PKT:
268 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
271 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
273 case HCI_ACLDATA_PKT:
274 if (bt_cb(skb)->incoming)
275 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
277 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
279 case HCI_SCODATA_PKT:
280 if (bt_cb(skb)->incoming)
281 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
283 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
286 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
292 /* Create a private copy with headroom */
293 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
297 /* Put header before the data */
298 hdr = (void *)skb_push(skb_copy, HCI_MON_HDR_SIZE);
299 hdr->opcode = opcode;
300 hdr->index = cpu_to_le16(hdev->id);
301 hdr->len = cpu_to_le16(skb->len);
303 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
304 HCI_SOCK_TRUSTED, NULL);
308 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
310 struct hci_mon_hdr *hdr;
311 struct hci_mon_new_index *ni;
312 struct hci_mon_index_info *ii;
318 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
322 ni = (void *)skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
323 ni->type = hdev->dev_type;
325 bacpy(&ni->bdaddr, &hdev->bdaddr);
326 memcpy(ni->name, hdev->name, 8);
328 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
332 skb = bt_skb_alloc(0, GFP_ATOMIC);
336 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
340 if (hdev->manufacturer == 0xffff)
346 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
350 ii = (void *)skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
351 bacpy(&ii->bdaddr, &hdev->bdaddr);
352 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
354 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
358 skb = bt_skb_alloc(0, GFP_ATOMIC);
362 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
366 skb = bt_skb_alloc(0, GFP_ATOMIC);
370 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
377 __net_timestamp(skb);
379 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
380 hdr->opcode = opcode;
381 hdr->index = cpu_to_le16(hdev->id);
382 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
387 static void __printf(2, 3)
388 send_monitor_note(struct sock *sk, const char *fmt, ...)
391 struct hci_mon_hdr *hdr;
396 len = vsnprintf(NULL, 0, fmt, args);
399 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
404 vsprintf(skb_put(skb, len), fmt, args);
405 *skb_put(skb, 1) = 0;
408 __net_timestamp(skb);
410 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
411 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
412 hdr->index = cpu_to_le16(HCI_DEV_NONE);
413 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
415 if (sock_queue_rcv_skb(sk, skb))
419 static void send_monitor_replay(struct sock *sk)
421 struct hci_dev *hdev;
423 read_lock(&hci_dev_list_lock);
425 list_for_each_entry(hdev, &hci_dev_list, list) {
428 skb = create_monitor_event(hdev, HCI_DEV_REG);
432 if (sock_queue_rcv_skb(sk, skb))
435 if (!test_bit(HCI_RUNNING, &hdev->flags))
438 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
442 if (sock_queue_rcv_skb(sk, skb))
445 if (test_bit(HCI_UP, &hdev->flags))
446 skb = create_monitor_event(hdev, HCI_DEV_UP);
447 else if (hci_dev_test_flag(hdev, HCI_SETUP))
448 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
453 if (sock_queue_rcv_skb(sk, skb))
458 read_unlock(&hci_dev_list_lock);
461 /* Generate internal stack event */
462 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
464 struct hci_event_hdr *hdr;
465 struct hci_ev_stack_internal *ev;
468 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
472 hdr = (void *)skb_put(skb, HCI_EVENT_HDR_SIZE);
473 hdr->evt = HCI_EV_STACK_INTERNAL;
474 hdr->plen = sizeof(*ev) + dlen;
476 ev = (void *)skb_put(skb, sizeof(*ev) + dlen);
478 memcpy(ev->data, data, dlen);
480 bt_cb(skb)->incoming = 1;
481 __net_timestamp(skb);
483 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
484 hci_send_to_sock(hdev, skb);
488 void hci_sock_dev_event(struct hci_dev *hdev, int event)
490 BT_DBG("hdev %s event %d", hdev->name, event);
492 if (atomic_read(&monitor_promisc)) {
495 /* Send event to monitor */
496 skb = create_monitor_event(hdev, event);
498 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
499 HCI_SOCK_TRUSTED, NULL);
504 if (event <= HCI_DEV_DOWN) {
505 struct hci_ev_si_device ev;
507 /* Send event to sockets */
509 ev.dev_id = hdev->id;
510 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
513 if (event == HCI_DEV_UNREG) {
516 /* Detach sockets from device */
517 read_lock(&hci_sk_list.lock);
518 sk_for_each(sk, &hci_sk_list.head) {
519 bh_lock_sock_nested(sk);
520 if (hci_pi(sk)->hdev == hdev) {
521 hci_pi(sk)->hdev = NULL;
523 sk->sk_state = BT_OPEN;
524 sk->sk_state_change(sk);
530 read_unlock(&hci_sk_list.lock);
534 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
536 struct hci_mgmt_chan *c;
538 list_for_each_entry(c, &mgmt_chan_list, list) {
539 if (c->channel == channel)
546 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
548 struct hci_mgmt_chan *c;
550 mutex_lock(&mgmt_chan_list_lock);
551 c = __hci_mgmt_chan_find(channel);
552 mutex_unlock(&mgmt_chan_list_lock);
557 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
559 if (c->channel < HCI_CHANNEL_CONTROL)
562 mutex_lock(&mgmt_chan_list_lock);
563 if (__hci_mgmt_chan_find(c->channel)) {
564 mutex_unlock(&mgmt_chan_list_lock);
568 list_add_tail(&c->list, &mgmt_chan_list);
570 mutex_unlock(&mgmt_chan_list_lock);
574 EXPORT_SYMBOL(hci_mgmt_chan_register);
576 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
578 mutex_lock(&mgmt_chan_list_lock);
580 mutex_unlock(&mgmt_chan_list_lock);
582 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
584 static int hci_sock_release(struct socket *sock)
586 struct sock *sk = sock->sk;
587 struct hci_dev *hdev;
589 BT_DBG("sock %p sk %p", sock, sk);
594 hdev = hci_pi(sk)->hdev;
596 if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
597 atomic_dec(&monitor_promisc);
599 bt_sock_unlink(&hci_sk_list, sk);
602 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
603 /* When releasing an user channel exclusive access,
604 * call hci_dev_do_close directly instead of calling
605 * hci_dev_close to ensure the exclusive access will
606 * be released and the controller brought back down.
608 * The checking of HCI_AUTO_OFF is not needed in this
609 * case since it will have been cleared already when
610 * opening the user channel.
612 hci_dev_do_close(hdev);
613 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
614 mgmt_index_added(hdev);
617 atomic_dec(&hdev->promisc);
623 skb_queue_purge(&sk->sk_receive_queue);
624 skb_queue_purge(&sk->sk_write_queue);
630 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
635 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
640 err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
642 hci_dev_unlock(hdev);
647 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
652 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
657 err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
659 hci_dev_unlock(hdev);
664 /* Ioctls that require bound socket */
665 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
668 struct hci_dev *hdev = hci_pi(sk)->hdev;
673 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
676 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
679 if (hdev->dev_type != HCI_BREDR)
684 if (!capable(CAP_NET_ADMIN))
689 return hci_get_conn_info(hdev, (void __user *)arg);
692 return hci_get_auth_info(hdev, (void __user *)arg);
695 if (!capable(CAP_NET_ADMIN))
697 return hci_sock_blacklist_add(hdev, (void __user *)arg);
700 if (!capable(CAP_NET_ADMIN))
702 return hci_sock_blacklist_del(hdev, (void __user *)arg);
708 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
711 void __user *argp = (void __user *)arg;
712 struct sock *sk = sock->sk;
715 BT_DBG("cmd %x arg %lx", cmd, arg);
719 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
728 return hci_get_dev_list(argp);
731 return hci_get_dev_info(argp);
734 return hci_get_conn_list(argp);
737 if (!capable(CAP_NET_ADMIN))
739 return hci_dev_open(arg);
742 if (!capable(CAP_NET_ADMIN))
744 return hci_dev_close(arg);
747 if (!capable(CAP_NET_ADMIN))
749 return hci_dev_reset(arg);
752 if (!capable(CAP_NET_ADMIN))
754 return hci_dev_reset_stat(arg);
764 if (!capable(CAP_NET_ADMIN))
766 return hci_dev_cmd(cmd, argp);
769 return hci_inquiry(argp);
774 err = hci_sock_bound_ioctl(sk, cmd, arg);
781 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
784 struct sockaddr_hci haddr;
785 struct sock *sk = sock->sk;
786 struct hci_dev *hdev = NULL;
789 BT_DBG("sock %p sk %p", sock, sk);
794 memset(&haddr, 0, sizeof(haddr));
795 len = min_t(unsigned int, sizeof(haddr), addr_len);
796 memcpy(&haddr, addr, len);
798 if (haddr.hci_family != AF_BLUETOOTH)
803 if (sk->sk_state == BT_BOUND) {
808 switch (haddr.hci_channel) {
809 case HCI_CHANNEL_RAW:
810 if (hci_pi(sk)->hdev) {
815 if (haddr.hci_dev != HCI_DEV_NONE) {
816 hdev = hci_dev_get(haddr.hci_dev);
822 atomic_inc(&hdev->promisc);
825 hci_pi(sk)->hdev = hdev;
828 case HCI_CHANNEL_USER:
829 if (hci_pi(sk)->hdev) {
834 if (haddr.hci_dev == HCI_DEV_NONE) {
839 if (!capable(CAP_NET_ADMIN)) {
844 hdev = hci_dev_get(haddr.hci_dev);
850 if (test_bit(HCI_INIT, &hdev->flags) ||
851 hci_dev_test_flag(hdev, HCI_SETUP) ||
852 hci_dev_test_flag(hdev, HCI_CONFIG) ||
853 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
854 test_bit(HCI_UP, &hdev->flags))) {
860 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
866 mgmt_index_removed(hdev);
868 err = hci_dev_open(hdev->id);
870 if (err == -EALREADY) {
871 /* In case the transport is already up and
872 * running, clear the error here.
874 * This can happen when opening an user
875 * channel and HCI_AUTO_OFF grace period
880 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
881 mgmt_index_added(hdev);
887 atomic_inc(&hdev->promisc);
889 hci_pi(sk)->hdev = hdev;
892 case HCI_CHANNEL_MONITOR:
893 if (haddr.hci_dev != HCI_DEV_NONE) {
898 if (!capable(CAP_NET_RAW)) {
903 /* The monitor interface is restricted to CAP_NET_RAW
904 * capabilities and with that implicitly trusted.
906 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
908 send_monitor_note(sk, "Linux version %s (%s)",
909 init_utsname()->release,
910 init_utsname()->machine);
911 send_monitor_note(sk, "Bluetooth subsystem version %s",
913 send_monitor_replay(sk);
915 atomic_inc(&monitor_promisc);
918 case HCI_CHANNEL_LOGGING:
919 if (haddr.hci_dev != HCI_DEV_NONE) {
924 if (!capable(CAP_NET_ADMIN)) {
931 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
936 if (haddr.hci_dev != HCI_DEV_NONE) {
941 /* Users with CAP_NET_ADMIN capabilities are allowed
942 * access to all management commands and events. For
943 * untrusted users the interface is restricted and
944 * also only untrusted events are sent.
946 if (capable(CAP_NET_ADMIN))
947 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
949 /* At the moment the index and unconfigured index events
950 * are enabled unconditionally. Setting them on each
951 * socket when binding keeps this functionality. They
952 * however might be cleared later and then sending of these
953 * events will be disabled, but that is then intentional.
955 * This also enables generic events that are safe to be
956 * received by untrusted users. Example for such events
957 * are changes to settings, class of device, name etc.
959 if (haddr.hci_channel == HCI_CHANNEL_CONTROL) {
960 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
961 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
962 hci_sock_set_flag(sk, HCI_MGMT_GENERIC_EVENTS);
968 hci_pi(sk)->channel = haddr.hci_channel;
969 sk->sk_state = BT_BOUND;
976 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
977 int *addr_len, int peer)
979 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
980 struct sock *sk = sock->sk;
981 struct hci_dev *hdev;
984 BT_DBG("sock %p sk %p", sock, sk);
991 hdev = hci_pi(sk)->hdev;
997 *addr_len = sizeof(*haddr);
998 haddr->hci_family = AF_BLUETOOTH;
999 haddr->hci_dev = hdev->id;
1000 haddr->hci_channel= hci_pi(sk)->channel;
1007 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1008 struct sk_buff *skb)
1010 __u32 mask = hci_pi(sk)->cmsg_mask;
1012 if (mask & HCI_CMSG_DIR) {
1013 int incoming = bt_cb(skb)->incoming;
1014 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1018 if (mask & HCI_CMSG_TSTAMP) {
1019 #ifdef CONFIG_COMPAT
1020 struct compat_timeval ctv;
1026 skb_get_timestamp(skb, &tv);
1030 #ifdef CONFIG_COMPAT
1031 if (!COMPAT_USE_64BIT_TIME &&
1032 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1033 ctv.tv_sec = tv.tv_sec;
1034 ctv.tv_usec = tv.tv_usec;
1040 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1044 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1045 size_t len, int flags)
1047 int noblock = flags & MSG_DONTWAIT;
1048 struct sock *sk = sock->sk;
1049 struct sk_buff *skb;
1052 BT_DBG("sock %p, sk %p", sock, sk);
1054 if (flags & MSG_OOB)
1057 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1060 if (sk->sk_state == BT_CLOSED)
1063 skb = skb_recv_datagram(sk, flags, noblock, &err);
1069 msg->msg_flags |= MSG_TRUNC;
1073 skb_reset_transport_header(skb);
1074 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1076 switch (hci_pi(sk)->channel) {
1077 case HCI_CHANNEL_RAW:
1078 hci_sock_cmsg(sk, msg, skb);
1080 case HCI_CHANNEL_USER:
1081 case HCI_CHANNEL_MONITOR:
1082 sock_recv_timestamp(msg, sk, skb);
1085 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1086 sock_recv_timestamp(msg, sk, skb);
1090 skb_free_datagram(sk, skb);
1092 return err ? : copied;
1095 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1096 struct msghdr *msg, size_t msglen)
1100 struct mgmt_hdr *hdr;
1101 u16 opcode, index, len;
1102 struct hci_dev *hdev = NULL;
1103 const struct hci_mgmt_handler *handler;
1104 bool var_len, no_hdev;
1107 BT_DBG("got %zu bytes", msglen);
1109 if (msglen < sizeof(*hdr))
1112 buf = kmalloc(msglen, GFP_KERNEL);
1116 if (memcpy_from_msg(buf, msg, msglen)) {
1122 opcode = __le16_to_cpu(hdr->opcode);
1123 index = __le16_to_cpu(hdr->index);
1124 len = __le16_to_cpu(hdr->len);
1126 if (len != msglen - sizeof(*hdr)) {
1131 if (opcode >= chan->handler_count ||
1132 chan->handlers[opcode].func == NULL) {
1133 BT_DBG("Unknown op %u", opcode);
1134 err = mgmt_cmd_status(sk, index, opcode,
1135 MGMT_STATUS_UNKNOWN_COMMAND);
1139 handler = &chan->handlers[opcode];
1141 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1142 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1143 err = mgmt_cmd_status(sk, index, opcode,
1144 MGMT_STATUS_PERMISSION_DENIED);
1148 if (index != MGMT_INDEX_NONE) {
1149 hdev = hci_dev_get(index);
1151 err = mgmt_cmd_status(sk, index, opcode,
1152 MGMT_STATUS_INVALID_INDEX);
1156 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1157 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1158 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1159 err = mgmt_cmd_status(sk, index, opcode,
1160 MGMT_STATUS_INVALID_INDEX);
1164 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1165 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1166 err = mgmt_cmd_status(sk, index, opcode,
1167 MGMT_STATUS_INVALID_INDEX);
1172 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1173 if (no_hdev != !hdev) {
1174 err = mgmt_cmd_status(sk, index, opcode,
1175 MGMT_STATUS_INVALID_INDEX);
1179 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1180 if ((var_len && len < handler->data_len) ||
1181 (!var_len && len != handler->data_len)) {
1182 err = mgmt_cmd_status(sk, index, opcode,
1183 MGMT_STATUS_INVALID_PARAMS);
1187 if (hdev && chan->hdev_init)
1188 chan->hdev_init(sk, hdev);
1190 cp = buf + sizeof(*hdr);
1192 err = handler->func(sk, hdev, cp, len);
1206 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
1208 struct hci_mon_hdr *hdr;
1209 struct sk_buff *skb;
1210 struct hci_dev *hdev;
1214 /* The logging frame consists at minimum of the standard header,
1215 * the priority byte, the ident length byte and at least one string
1216 * terminator NUL byte. Anything shorter are invalid packets.
1218 if (len < sizeof(*hdr) + 3)
1221 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1225 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1230 hdr = (void *)skb->data;
1232 if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) {
1237 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1238 __u8 priority = skb->data[sizeof(*hdr)];
1239 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1241 /* Only the priorities 0-7 are valid and with that any other
1242 * value results in an invalid packet.
1244 * The priority byte is followed by an ident length byte and
1245 * the NUL terminated ident string. Check that the ident
1246 * length is not overflowing the packet and also that the
1247 * ident string itself is NUL terminated. In case the ident
1248 * length is zero, the length value actually doubles as NUL
1249 * terminator identifier.
1251 * The message follows the ident string (if present) and
1252 * must be NUL terminated. Otherwise it is not a valid packet.
1254 if (priority > 7 || skb->data[len - 1] != 0x00 ||
1255 ident_len > len - sizeof(*hdr) - 3 ||
1256 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) {
1265 index = __le16_to_cpu(hdr->index);
1267 if (index != MGMT_INDEX_NONE) {
1268 hdev = hci_dev_get(index);
1277 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1279 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1290 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1293 struct sock *sk = sock->sk;
1294 struct hci_mgmt_chan *chan;
1295 struct hci_dev *hdev;
1296 struct sk_buff *skb;
1299 BT_DBG("sock %p sk %p", sock, sk);
1301 if (msg->msg_flags & MSG_OOB)
1304 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
1307 if (len < 4 || len > HCI_MAX_FRAME_SIZE)
1312 switch (hci_pi(sk)->channel) {
1313 case HCI_CHANNEL_RAW:
1314 case HCI_CHANNEL_USER:
1316 case HCI_CHANNEL_MONITOR:
1319 case HCI_CHANNEL_LOGGING:
1320 err = hci_logging_frame(sk, msg, len);
1323 mutex_lock(&mgmt_chan_list_lock);
1324 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1326 err = hci_mgmt_cmd(chan, sk, msg, len);
1330 mutex_unlock(&mgmt_chan_list_lock);
1334 hdev = hci_pi(sk)->hdev;
1340 if (!test_bit(HCI_UP, &hdev->flags)) {
1345 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1349 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1354 hci_skb_pkt_type(skb) = skb->data[0];
1357 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1358 /* No permission check is needed for user channel
1359 * since that gets enforced when binding the socket.
1361 * However check that the packet type is valid.
1363 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1364 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1365 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1370 skb_queue_tail(&hdev->raw_q, skb);
1371 queue_work(hdev->workqueue, &hdev->tx_work);
1372 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1373 u16 opcode = get_unaligned_le16(skb->data);
1374 u16 ogf = hci_opcode_ogf(opcode);
1375 u16 ocf = hci_opcode_ocf(opcode);
1377 if (((ogf > HCI_SFLT_MAX_OGF) ||
1378 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1379 &hci_sec_filter.ocf_mask[ogf])) &&
1380 !capable(CAP_NET_RAW)) {
1385 /* Since the opcode has already been extracted here, store
1386 * a copy of the value for later use by the drivers.
1388 hci_skb_opcode(skb) = opcode;
1391 skb_queue_tail(&hdev->raw_q, skb);
1392 queue_work(hdev->workqueue, &hdev->tx_work);
1394 /* Stand-alone HCI commands must be flagged as
1395 * single-command requests.
1397 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1399 skb_queue_tail(&hdev->cmd_q, skb);
1400 queue_work(hdev->workqueue, &hdev->cmd_work);
1403 if (!capable(CAP_NET_RAW)) {
1408 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1409 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1414 skb_queue_tail(&hdev->raw_q, skb);
1415 queue_work(hdev->workqueue, &hdev->tx_work);
1429 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1430 char __user *optval, unsigned int len)
1432 struct hci_ufilter uf = { .opcode = 0 };
1433 struct sock *sk = sock->sk;
1434 int err = 0, opt = 0;
1436 BT_DBG("sk %p, opt %d", sk, optname);
1440 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1447 if (get_user(opt, (int __user *)optval)) {
1453 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1455 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1458 case HCI_TIME_STAMP:
1459 if (get_user(opt, (int __user *)optval)) {
1465 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1467 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1472 struct hci_filter *f = &hci_pi(sk)->filter;
1474 uf.type_mask = f->type_mask;
1475 uf.opcode = f->opcode;
1476 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1477 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1480 len = min_t(unsigned int, len, sizeof(uf));
1481 if (copy_from_user(&uf, optval, len)) {
1486 if (!capable(CAP_NET_RAW)) {
1487 uf.type_mask &= hci_sec_filter.type_mask;
1488 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1489 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1493 struct hci_filter *f = &hci_pi(sk)->filter;
1495 f->type_mask = uf.type_mask;
1496 f->opcode = uf.opcode;
1497 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1498 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1512 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1513 char __user *optval, int __user *optlen)
1515 struct hci_ufilter uf;
1516 struct sock *sk = sock->sk;
1517 int len, opt, err = 0;
1519 BT_DBG("sk %p, opt %d", sk, optname);
1521 if (get_user(len, optlen))
1526 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1533 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1538 if (put_user(opt, optval))
1542 case HCI_TIME_STAMP:
1543 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1548 if (put_user(opt, optval))
1554 struct hci_filter *f = &hci_pi(sk)->filter;
1556 memset(&uf, 0, sizeof(uf));
1557 uf.type_mask = f->type_mask;
1558 uf.opcode = f->opcode;
1559 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1560 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1563 len = min_t(unsigned int, len, sizeof(uf));
1564 if (copy_to_user(optval, &uf, len))
1578 static const struct proto_ops hci_sock_ops = {
1579 .family = PF_BLUETOOTH,
1580 .owner = THIS_MODULE,
1581 .release = hci_sock_release,
1582 .bind = hci_sock_bind,
1583 .getname = hci_sock_getname,
1584 .sendmsg = hci_sock_sendmsg,
1585 .recvmsg = hci_sock_recvmsg,
1586 .ioctl = hci_sock_ioctl,
1587 .poll = datagram_poll,
1588 .listen = sock_no_listen,
1589 .shutdown = sock_no_shutdown,
1590 .setsockopt = hci_sock_setsockopt,
1591 .getsockopt = hci_sock_getsockopt,
1592 .connect = sock_no_connect,
1593 .socketpair = sock_no_socketpair,
1594 .accept = sock_no_accept,
1595 .mmap = sock_no_mmap
1598 static struct proto hci_sk_proto = {
1600 .owner = THIS_MODULE,
1601 .obj_size = sizeof(struct hci_pinfo)
1604 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1609 BT_DBG("sock %p", sock);
1611 if (sock->type != SOCK_RAW)
1612 return -ESOCKTNOSUPPORT;
1614 sock->ops = &hci_sock_ops;
1616 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
1620 sock_init_data(sock, sk);
1622 sock_reset_flag(sk, SOCK_ZAPPED);
1624 sk->sk_protocol = protocol;
1626 sock->state = SS_UNCONNECTED;
1627 sk->sk_state = BT_OPEN;
1629 bt_sock_link(&hci_sk_list, sk);
1633 static const struct net_proto_family hci_sock_family_ops = {
1634 .family = PF_BLUETOOTH,
1635 .owner = THIS_MODULE,
1636 .create = hci_sock_create,
1639 int __init hci_sock_init(void)
1643 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
1645 err = proto_register(&hci_sk_proto, 0);
1649 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1651 BT_ERR("HCI socket registration failed");
1655 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1657 BT_ERR("Failed to create HCI proc file");
1658 bt_sock_unregister(BTPROTO_HCI);
1662 BT_INFO("HCI socket layer initialized");
1667 proto_unregister(&hci_sk_proto);
1671 void hci_sock_cleanup(void)
1673 bt_procfs_cleanup(&init_net, "hci");
1674 bt_sock_unregister(BTPROTO_HCI);
1675 proto_unregister(&hci_sk_proto);
projects / cascardo / linux.git / blob