net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 /* Socket info */
  39 #define hci_pi(sk) ((struct hci_pinfo *) sk)
  40
  41 struct hci_pinfo {
  42         struct bt_sock    bt;
  43         struct hci_dev    *hdev;
  44         struct hci_filter filter;
  45         __u32             cmsg_mask;
  46         unsigned short    channel;
  47 };
  48
  49 static inline int hci_test_bit(int nr, const void *addr)
  50 {
  51         return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  52 }
  53
  54 /* Security filter */
  55 #define HCI_SFLT_MAX_OGF  5
  56
  57 struct hci_sec_filter {
  58         __u32 type_mask;
  59         __u32 event_mask[2];
  60         __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
  61 };
  62
  63 static const struct hci_sec_filter hci_sec_filter = {
  64         /* Packet types */
  65         0x10,
  66         /* Events */
  67         { 0x1000d9fe, 0x0000b00c },
  68         /* Commands */
  69         {
  70                 { 0x0 },
  71                 /* OGF_LINK_CTL */
  72                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  73                 /* OGF_LINK_POLICY */
  74                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  75                 /* OGF_HOST_CTL */
  76                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  77                 /* OGF_INFO_PARAM */
  78                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  79                 /* OGF_STATUS_PARAM */
  80                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  81         }
  82 };
  83
  84 static struct bt_sock_list hci_sk_list = {
  85         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  86 };
  87
  88 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
  89 {
  90         struct hci_filter *flt;
  91         int flt_type, flt_event;
  92
  93         /* Apply filter */
  94         flt = &hci_pi(sk)->filter;
  95
  96         if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT)
  97                 flt_type = 0;
  98         else
  99                 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS;
 100
 101         if (!test_bit(flt_type, &flt->type_mask))
 102                 return true;
 103
 104         /* Extra filter for event packets only */
 105         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT)
 106                 return false;
 107
 108         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
 109
 110         if (!hci_test_bit(flt_event, &flt->event_mask))
 111                 return true;
 112
 113         /* Check filter only when opcode is set */
 114         if (!flt->opcode)
 115                 return false;
 116
 117         if (flt_event == HCI_EV_CMD_COMPLETE &&
 118             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
 119                 return true;
 120
 121         if (flt_event == HCI_EV_CMD_STATUS &&
 122             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
 123                 return true;
 124
 125         return false;
 126 }
 127
 128 /* Send frame to RAW socket */
 129 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 130 {
 131         struct sock *sk;
 132         struct sk_buff *skb_copy = NULL;
 133
 134         BT_DBG("hdev %p len %d", hdev, skb->len);
 135
 136         read_lock(&hci_sk_list.lock);
 137
 138         sk_for_each(sk, &hci_sk_list.head) {
 139                 struct sk_buff *nskb;
 140
 141                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
 142                         continue;
 143
 144                 /* Don't send frame to the socket it came from */
 145                 if (skb->sk == sk)
 146                         continue;
 147
 148                 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
 149                         if (is_filtered_packet(sk, skb))
 150                                 continue;
 151                 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 152                         if (!bt_cb(skb)->incoming)
 153                                 continue;
 154                         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT &&
 155                             bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 156                             bt_cb(skb)->pkt_type != HCI_SCODATA_PKT)
 157                                 continue;
 158                 } else {
 159                         /* Don't send frame to other channel types */
 160                         continue;
 161                 }
 162
 163                 if (!skb_copy) {
 164                         /* Create a private copy with headroom */
 165                         skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
 166                         if (!skb_copy)
 167                                 continue;
 168
 169                         /* Put type byte before the data */
 170                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 171                 }
 172
 173                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 174                 if (!nskb)
 175                         continue;
 176
 177                 if (sock_queue_rcv_skb(sk, nskb))
 178                         kfree_skb(nskb);
 179         }
 180
 181         read_unlock(&hci_sk_list.lock);
 182
 183         kfree_skb(skb_copy);
 184 }
 185
 186 /* Send frame to sockets with specific channel */
 187 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
 188                          struct sock *skip_sk)
 189 {
 190         struct sock *sk;
 191
 192         BT_DBG("channel %u len %d", channel, skb->len);
 193
 194         read_lock(&hci_sk_list.lock);
 195
 196         sk_for_each(sk, &hci_sk_list.head) {
 197                 struct sk_buff *nskb;
 198
 199                 /* Skip the original socket */
 200                 if (sk == skip_sk)
 201                         continue;
 202
 203                 if (sk->sk_state != BT_BOUND)
 204                         continue;
 205
 206                 if (hci_pi(sk)->channel != channel)
 207                         continue;
 208
 209                 nskb = skb_clone(skb, GFP_ATOMIC);
 210                 if (!nskb)
 211                         continue;
 212
 213                 if (sock_queue_rcv_skb(sk, nskb))
 214                         kfree_skb(nskb);
 215         }
 216
 217         read_unlock(&hci_sk_list.lock);
 218 }
 219
 220 /* Send frame to monitor socket */
 221 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 222 {
 223         struct sk_buff *skb_copy = NULL;
 224         struct hci_mon_hdr *hdr;
 225         __le16 opcode;
 226
 227         if (!atomic_read(&monitor_promisc))
 228                 return;
 229
 230         BT_DBG("hdev %p len %d", hdev, skb->len);
 231
 232         switch (bt_cb(skb)->pkt_type) {
 233         case HCI_COMMAND_PKT:
 234                 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
 235                 break;
 236         case HCI_EVENT_PKT:
 237                 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
 238                 break;
 239         case HCI_ACLDATA_PKT:
 240                 if (bt_cb(skb)->incoming)
 241                         opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
 242                 else
 243                         opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
 244                 break;
 245         case HCI_SCODATA_PKT:
 246                 if (bt_cb(skb)->incoming)
 247                         opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
 248                 else
 249                         opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
 250                 break;
 251         default:
 252                 return;
 253         }
 254
 255         /* Create a private copy with headroom */
 256         skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
 257         if (!skb_copy)
 258                 return;
 259
 260         /* Put header before the data */
 261         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 262         hdr->opcode = opcode;
 263         hdr->index = cpu_to_le16(hdev->id);
 264         hdr->len = cpu_to_le16(skb->len);
 265
 266         hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy, NULL);
 267         kfree_skb(skb_copy);
 268 }
 269
 270 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 271 {
 272         struct hci_mon_hdr *hdr;
 273         struct hci_mon_new_index *ni;
 274         struct sk_buff *skb;
 275         __le16 opcode;
 276
 277         switch (event) {
 278         case HCI_DEV_REG:
 279                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 280                 if (!skb)
 281                         return NULL;
 282
 283                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 284                 ni->type = hdev->dev_type;
 285                 ni->bus = hdev->bus;
 286                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 287                 memcpy(ni->name, hdev->name, 8);
 288
 289                 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
 290                 break;
 291
 292         case HCI_DEV_UNREG:
 293                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 294                 if (!skb)
 295                         return NULL;
 296
 297                 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
 298                 break;
 299
 300         default:
 301                 return NULL;
 302         }
 303
 304         __net_timestamp(skb);
 305
 306         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 307         hdr->opcode = opcode;
 308         hdr->index = cpu_to_le16(hdev->id);
 309         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 310
 311         return skb;
 312 }
 313
 314 static void send_monitor_replay(struct sock *sk)
 315 {
 316         struct hci_dev *hdev;
 317
 318         read_lock(&hci_dev_list_lock);
 319
 320         list_for_each_entry(hdev, &hci_dev_list, list) {
 321                 struct sk_buff *skb;
 322
 323                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 324                 if (!skb)
 325                         continue;
 326
 327                 if (sock_queue_rcv_skb(sk, skb))
 328                         kfree_skb(skb);
 329         }
 330
 331         read_unlock(&hci_dev_list_lock);
 332 }
 333
 334 /* Generate internal stack event */
 335 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 336 {
 337         struct hci_event_hdr *hdr;
 338         struct hci_ev_stack_internal *ev;
 339         struct sk_buff *skb;
 340
 341         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 342         if (!skb)
 343                 return;
 344
 345         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 346         hdr->evt  = HCI_EV_STACK_INTERNAL;
 347         hdr->plen = sizeof(*ev) + dlen;
 348
 349         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 350         ev->type = type;
 351         memcpy(ev->data, data, dlen);
 352
 353         bt_cb(skb)->incoming = 1;
 354         __net_timestamp(skb);
 355
 356         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 357         hci_send_to_sock(hdev, skb);
 358         kfree_skb(skb);
 359 }
 360
 361 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 362 {
 363         struct hci_ev_si_device ev;
 364
 365         BT_DBG("hdev %s event %d", hdev->name, event);
 366
 367         /* Send event to monitor */
 368         if (atomic_read(&monitor_promisc)) {
 369                 struct sk_buff *skb;
 370
 371                 skb = create_monitor_event(hdev, event);
 372                 if (skb) {
 373                         hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, NULL);
 374                         kfree_skb(skb);
 375                 }
 376         }
 377
 378         /* Send event to sockets */
 379         ev.event  = event;
 380         ev.dev_id = hdev->id;
 381         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 382
 383         if (event == HCI_DEV_UNREG) {
 384                 struct sock *sk;
 385
 386                 /* Detach sockets from device */
 387                 read_lock(&hci_sk_list.lock);
 388                 sk_for_each(sk, &hci_sk_list.head) {
 389                         bh_lock_sock_nested(sk);
 390                         if (hci_pi(sk)->hdev == hdev) {
 391                                 hci_pi(sk)->hdev = NULL;
 392                                 sk->sk_err = EPIPE;
 393                                 sk->sk_state = BT_OPEN;
 394                                 sk->sk_state_change(sk);
 395
 396                                 hci_dev_put(hdev);
 397                         }
 398                         bh_unlock_sock(sk);
 399                 }
 400                 read_unlock(&hci_sk_list.lock);
 401         }
 402 }
 403
 404 static int hci_sock_release(struct socket *sock)
 405 {
 406         struct sock *sk = sock->sk;
 407         struct hci_dev *hdev;
 408
 409         BT_DBG("sock %p sk %p", sock, sk);
 410
 411         if (!sk)
 412                 return 0;
 413
 414         hdev = hci_pi(sk)->hdev;
 415
 416         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 417                 atomic_dec(&monitor_promisc);
 418
 419         bt_sock_unlink(&hci_sk_list, sk);
 420
 421         if (hdev) {
 422                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 423                         mgmt_index_added(hdev);
 424                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 425                         hci_dev_close(hdev->id);
 426                 }
 427
 428                 atomic_dec(&hdev->promisc);
 429                 hci_dev_put(hdev);
 430         }
 431
 432         sock_orphan(sk);
 433
 434         skb_queue_purge(&sk->sk_receive_queue);
 435         skb_queue_purge(&sk->sk_write_queue);
 436
 437         sock_put(sk);
 438         return 0;
 439 }
 440
 441 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 442 {
 443         bdaddr_t bdaddr;
 444         int err;
 445
 446         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 447                 return -EFAULT;
 448
 449         hci_dev_lock(hdev);
 450
 451         err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
 452
 453         hci_dev_unlock(hdev);
 454
 455         return err;
 456 }
 457
 458 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 459 {
 460         bdaddr_t bdaddr;
 461         int err;
 462
 463         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 464                 return -EFAULT;
 465
 466         hci_dev_lock(hdev);
 467
 468         err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
 469
 470         hci_dev_unlock(hdev);
 471
 472         return err;
 473 }
 474
 475 /* Ioctls that require bound socket */
 476 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 477                                 unsigned long arg)
 478 {
 479         struct hci_dev *hdev = hci_pi(sk)->hdev;
 480
 481         if (!hdev)
 482                 return -EBADFD;
 483
 484         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
 485                 return -EBUSY;
 486
 487         if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
 488                 return -EOPNOTSUPP;
 489
 490         if (hdev->dev_type != HCI_BREDR)
 491                 return -EOPNOTSUPP;
 492
 493         switch (cmd) {
 494         case HCISETRAW:
 495                 if (!capable(CAP_NET_ADMIN))
 496                         return -EPERM;
 497                 return -EOPNOTSUPP;
 498
 499         case HCIGETCONNINFO:
 500                 return hci_get_conn_info(hdev, (void __user *) arg);
 501
 502         case HCIGETAUTHINFO:
 503                 return hci_get_auth_info(hdev, (void __user *) arg);
 504
 505         case HCIBLOCKADDR:
 506                 if (!capable(CAP_NET_ADMIN))
 507                         return -EPERM;
 508                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 509
 510         case HCIUNBLOCKADDR:
 511                 if (!capable(CAP_NET_ADMIN))
 512                         return -EPERM;
 513                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 514         }
 515
 516         return -ENOIOCTLCMD;
 517 }
 518
 519 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 520                           unsigned long arg)
 521 {
 522         void __user *argp = (void __user *) arg;
 523         struct sock *sk = sock->sk;
 524         int err;
 525
 526         BT_DBG("cmd %x arg %lx", cmd, arg);
 527
 528         lock_sock(sk);
 529
 530         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 531                 err = -EBADFD;
 532                 goto done;
 533         }
 534
 535         release_sock(sk);
 536
 537         switch (cmd) {
 538         case HCIGETDEVLIST:
 539                 return hci_get_dev_list(argp);
 540
 541         case HCIGETDEVINFO:
 542                 return hci_get_dev_info(argp);
 543
 544         case HCIGETCONNLIST:
 545                 return hci_get_conn_list(argp);
 546
 547         case HCIDEVUP:
 548                 if (!capable(CAP_NET_ADMIN))
 549                         return -EPERM;
 550                 return hci_dev_open(arg);
 551
 552         case HCIDEVDOWN:
 553                 if (!capable(CAP_NET_ADMIN))
 554                         return -EPERM;
 555                 return hci_dev_close(arg);
 556
 557         case HCIDEVRESET:
 558                 if (!capable(CAP_NET_ADMIN))
 559                         return -EPERM;
 560                 return hci_dev_reset(arg);
 561
 562         case HCIDEVRESTAT:
 563                 if (!capable(CAP_NET_ADMIN))
 564                         return -EPERM;
 565                 return hci_dev_reset_stat(arg);
 566
 567         case HCISETSCAN:
 568         case HCISETAUTH:
 569         case HCISETENCRYPT:
 570         case HCISETPTYPE:
 571         case HCISETLINKPOL:
 572         case HCISETLINKMODE:
 573         case HCISETACLMTU:
 574         case HCISETSCOMTU:
 575                 if (!capable(CAP_NET_ADMIN))
 576                         return -EPERM;
 577                 return hci_dev_cmd(cmd, argp);
 578
 579         case HCIINQUIRY:
 580                 return hci_inquiry(argp);
 581         }
 582
 583         lock_sock(sk);
 584
 585         err = hci_sock_bound_ioctl(sk, cmd, arg);
 586
 587 done:
 588         release_sock(sk);
 589         return err;
 590 }
 591
 592 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 593                          int addr_len)
 594 {
 595         struct sockaddr_hci haddr;
 596         struct sock *sk = sock->sk;
 597         struct hci_dev *hdev = NULL;
 598         int len, err = 0;
 599
 600         BT_DBG("sock %p sk %p", sock, sk);
 601
 602         if (!addr)
 603                 return -EINVAL;
 604
 605         memset(&haddr, 0, sizeof(haddr));
 606         len = min_t(unsigned int, sizeof(haddr), addr_len);
 607         memcpy(&haddr, addr, len);
 608
 609         if (haddr.hci_family != AF_BLUETOOTH)
 610                 return -EINVAL;
 611
 612         lock_sock(sk);
 613
 614         if (sk->sk_state == BT_BOUND) {
 615                 err = -EALREADY;
 616                 goto done;
 617         }
 618
 619         switch (haddr.hci_channel) {
 620         case HCI_CHANNEL_RAW:
 621                 if (hci_pi(sk)->hdev) {
 622                         err = -EALREADY;
 623                         goto done;
 624                 }
 625
 626                 if (haddr.hci_dev != HCI_DEV_NONE) {
 627                         hdev = hci_dev_get(haddr.hci_dev);
 628                         if (!hdev) {
 629                                 err = -ENODEV;
 630                                 goto done;
 631                         }
 632
 633                         atomic_inc(&hdev->promisc);
 634                 }
 635
 636                 hci_pi(sk)->hdev = hdev;
 637                 break;
 638
 639         case HCI_CHANNEL_USER:
 640                 if (hci_pi(sk)->hdev) {
 641                         err = -EALREADY;
 642                         goto done;
 643                 }
 644
 645                 if (haddr.hci_dev == HCI_DEV_NONE) {
 646                         err = -EINVAL;
 647                         goto done;
 648                 }
 649
 650                 if (!capable(CAP_NET_ADMIN)) {
 651                         err = -EPERM;
 652                         goto done;
 653                 }
 654
 655                 hdev = hci_dev_get(haddr.hci_dev);
 656                 if (!hdev) {
 657                         err = -ENODEV;
 658                         goto done;
 659                 }
 660
 661                 if (test_bit(HCI_UP, &hdev->flags) ||
 662                     test_bit(HCI_INIT, &hdev->flags) ||
 663                     test_bit(HCI_SETUP, &hdev->dev_flags) ||
 664                     test_bit(HCI_CONFIG, &hdev->dev_flags)) {
 665                         err = -EBUSY;
 666                         hci_dev_put(hdev);
 667                         goto done;
 668                 }
 669
 670                 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
 671                         err = -EUSERS;
 672                         hci_dev_put(hdev);
 673                         goto done;
 674                 }
 675
 676                 mgmt_index_removed(hdev);
 677
 678                 err = hci_dev_open(hdev->id);
 679                 if (err) {
 680                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 681                         mgmt_index_added(hdev);
 682                         hci_dev_put(hdev);
 683                         goto done;
 684                 }
 685
 686                 atomic_inc(&hdev->promisc);
 687
 688                 hci_pi(sk)->hdev = hdev;
 689                 break;
 690
 691         case HCI_CHANNEL_CONTROL:
 692                 if (haddr.hci_dev != HCI_DEV_NONE) {
 693                         err = -EINVAL;
 694                         goto done;
 695                 }
 696
 697                 if (!capable(CAP_NET_ADMIN)) {
 698                         err = -EPERM;
 699                         goto done;
 700                 }
 701
 702                 break;
 703
 704         case HCI_CHANNEL_MONITOR:
 705                 if (haddr.hci_dev != HCI_DEV_NONE) {
 706                         err = -EINVAL;
 707                         goto done;
 708                 }
 709
 710                 if (!capable(CAP_NET_RAW)) {
 711                         err = -EPERM;
 712                         goto done;
 713                 }
 714
 715                 send_monitor_replay(sk);
 716
 717                 atomic_inc(&monitor_promisc);
 718                 break;
 719
 720         default:
 721                 err = -EINVAL;
 722                 goto done;
 723         }
 724
 725
 726         hci_pi(sk)->channel = haddr.hci_channel;
 727         sk->sk_state = BT_BOUND;
 728
 729 done:
 730         release_sock(sk);
 731         return err;
 732 }
 733
 734 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 735                             int *addr_len, int peer)
 736 {
 737         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 738         struct sock *sk = sock->sk;
 739         struct hci_dev *hdev;
 740         int err = 0;
 741
 742         BT_DBG("sock %p sk %p", sock, sk);
 743
 744         if (peer)
 745                 return -EOPNOTSUPP;
 746
 747         lock_sock(sk);
 748
 749         hdev = hci_pi(sk)->hdev;
 750         if (!hdev) {
 751                 err = -EBADFD;
 752                 goto done;
 753         }
 754
 755         *addr_len = sizeof(*haddr);
 756         haddr->hci_family = AF_BLUETOOTH;
 757         haddr->hci_dev    = hdev->id;
 758         haddr->hci_channel= hci_pi(sk)->channel;
 759
 760 done:
 761         release_sock(sk);
 762         return err;
 763 }
 764
 765 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 766                           struct sk_buff *skb)
 767 {
 768         __u32 mask = hci_pi(sk)->cmsg_mask;
 769
 770         if (mask & HCI_CMSG_DIR) {
 771                 int incoming = bt_cb(skb)->incoming;
 772                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 773                          &incoming);
 774         }
 775
 776         if (mask & HCI_CMSG_TSTAMP) {
 777 #ifdef CONFIG_COMPAT
 778                 struct compat_timeval ctv;
 779 #endif
 780                 struct timeval tv;
 781                 void *data;
 782                 int len;
 783
 784                 skb_get_timestamp(skb, &tv);
 785
 786                 data = &tv;
 787                 len = sizeof(tv);
 788 #ifdef CONFIG_COMPAT
 789                 if (!COMPAT_USE_64BIT_TIME &&
 790                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 791                         ctv.tv_sec = tv.tv_sec;
 792                         ctv.tv_usec = tv.tv_usec;
 793                         data = &ctv;
 794                         len = sizeof(ctv);
 795                 }
 796 #endif
 797
 798                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 799         }
 800 }
 801
 802 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 803                             int flags)
 804 {
 805         int noblock = flags & MSG_DONTWAIT;
 806         struct sock *sk = sock->sk;
 807         struct sk_buff *skb;
 808         int copied, err;
 809
 810         BT_DBG("sock %p, sk %p", sock, sk);
 811
 812         if (flags & (MSG_OOB))
 813                 return -EOPNOTSUPP;
 814
 815         if (sk->sk_state == BT_CLOSED)
 816                 return 0;
 817
 818         skb = skb_recv_datagram(sk, flags, noblock, &err);
 819         if (!skb)
 820                 return err;
 821
 822         copied = skb->len;
 823         if (len < copied) {
 824                 msg->msg_flags |= MSG_TRUNC;
 825                 copied = len;
 826         }
 827
 828         skb_reset_transport_header(skb);
 829         err = skb_copy_datagram_msg(skb, 0, msg, copied);
 830
 831         switch (hci_pi(sk)->channel) {
 832         case HCI_CHANNEL_RAW:
 833                 hci_sock_cmsg(sk, msg, skb);
 834                 break;
 835         case HCI_CHANNEL_USER:
 836         case HCI_CHANNEL_CONTROL:
 837         case HCI_CHANNEL_MONITOR:
 838                 sock_recv_timestamp(msg, sk, skb);
 839                 break;
 840         }
 841
 842         skb_free_datagram(sk, skb);
 843
 844         return err ? : copied;
 845 }
 846
 847 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
 848                             size_t len)
 849 {
 850         struct sock *sk = sock->sk;
 851         struct hci_dev *hdev;
 852         struct sk_buff *skb;
 853         int err;
 854
 855         BT_DBG("sock %p sk %p", sock, sk);
 856
 857         if (msg->msg_flags & MSG_OOB)
 858                 return -EOPNOTSUPP;
 859
 860         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 861                 return -EINVAL;
 862
 863         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 864                 return -EINVAL;
 865
 866         lock_sock(sk);
 867
 868         switch (hci_pi(sk)->channel) {
 869         case HCI_CHANNEL_RAW:
 870         case HCI_CHANNEL_USER:
 871                 break;
 872         case HCI_CHANNEL_CONTROL:
 873                 err = mgmt_control(sk, msg, len);
 874                 goto done;
 875         case HCI_CHANNEL_MONITOR:
 876                 err = -EOPNOTSUPP;
 877                 goto done;
 878         default:
 879                 err = -EINVAL;
 880                 goto done;
 881         }
 882
 883         hdev = hci_pi(sk)->hdev;
 884         if (!hdev) {
 885                 err = -EBADFD;
 886                 goto done;
 887         }
 888
 889         if (!test_bit(HCI_UP, &hdev->flags)) {
 890                 err = -ENETDOWN;
 891                 goto done;
 892         }
 893
 894         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 895         if (!skb)
 896                 goto done;
 897
 898         if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
 899                 err = -EFAULT;
 900                 goto drop;
 901         }
 902
 903         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 904         skb_pull(skb, 1);
 905
 906         if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 907                 /* No permission check is needed for user channel
 908                  * since that gets enforced when binding the socket.
 909                  *
 910                  * However check that the packet type is valid.
 911                  */
 912                 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
 913                     bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 914                     bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
 915                         err = -EINVAL;
 916                         goto drop;
 917                 }
 918
 919                 skb_queue_tail(&hdev->raw_q, skb);
 920                 queue_work(hdev->workqueue, &hdev->tx_work);
 921         } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 922                 u16 opcode = get_unaligned_le16(skb->data);
 923                 u16 ogf = hci_opcode_ogf(opcode);
 924                 u16 ocf = hci_opcode_ocf(opcode);
 925
 926                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 927                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 928                                    &hci_sec_filter.ocf_mask[ogf])) &&
 929                     !capable(CAP_NET_RAW)) {
 930                         err = -EPERM;
 931                         goto drop;
 932                 }
 933
 934                 if (ogf == 0x3f) {
 935                         skb_queue_tail(&hdev->raw_q, skb);
 936                         queue_work(hdev->workqueue, &hdev->tx_work);
 937                 } else {
 938                         /* Stand-alone HCI commands must be flagged as
 939                          * single-command requests.
 940                          */
 941                         bt_cb(skb)->req_start = 1;
 942
 943                         skb_queue_tail(&hdev->cmd_q, skb);
 944                         queue_work(hdev->workqueue, &hdev->cmd_work);
 945                 }
 946         } else {
 947                 if (!capable(CAP_NET_RAW)) {
 948                         err = -EPERM;
 949                         goto drop;
 950                 }
 951
 952                 skb_queue_tail(&hdev->raw_q, skb);
 953                 queue_work(hdev->workqueue, &hdev->tx_work);
 954         }
 955
 956         err = len;
 957
 958 done:
 959         release_sock(sk);
 960         return err;
 961
 962 drop:
 963         kfree_skb(skb);
 964         goto done;
 965 }
 966
 967 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
 968                                char __user *optval, unsigned int len)
 969 {
 970         struct hci_ufilter uf = { .opcode = 0 };
 971         struct sock *sk = sock->sk;
 972         int err = 0, opt = 0;
 973
 974         BT_DBG("sk %p, opt %d", sk, optname);
 975
 976         lock_sock(sk);
 977
 978         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 979                 err = -EBADFD;
 980                 goto done;
 981         }
 982
 983         switch (optname) {
 984         case HCI_DATA_DIR:
 985                 if (get_user(opt, (int __user *)optval)) {
 986                         err = -EFAULT;
 987                         break;
 988                 }
 989
 990                 if (opt)
 991                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
 992                 else
 993                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
 994                 break;
 995
 996         case HCI_TIME_STAMP:
 997                 if (get_user(opt, (int __user *)optval)) {
 998                         err = -EFAULT;
 999                         break;
1000                 }
1001
1002                 if (opt)
1003                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1004                 else
1005                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1006                 break;
1007
1008         case HCI_FILTER:
1009                 {
1010                         struct hci_filter *f = &hci_pi(sk)->filter;
1011
1012                         uf.type_mask = f->type_mask;
1013                         uf.opcode    = f->opcode;
1014                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1015                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1016                 }
1017
1018                 len = min_t(unsigned int, len, sizeof(uf));
1019                 if (copy_from_user(&uf, optval, len)) {
1020                         err = -EFAULT;
1021                         break;
1022                 }
1023
1024                 if (!capable(CAP_NET_RAW)) {
1025                         uf.type_mask &= hci_sec_filter.type_mask;
1026                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1027                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1028                 }
1029
1030                 {
1031                         struct hci_filter *f = &hci_pi(sk)->filter;
1032
1033                         f->type_mask = uf.type_mask;
1034                         f->opcode    = uf.opcode;
1035                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1036                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1037                 }
1038                 break;
1039
1040         default:
1041                 err = -ENOPROTOOPT;
1042                 break;
1043         }
1044
1045 done:
1046         release_sock(sk);
1047         return err;
1048 }
1049
1050 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1051                                char __user *optval, int __user *optlen)
1052 {
1053         struct hci_ufilter uf;
1054         struct sock *sk = sock->sk;
1055         int len, opt, err = 0;
1056
1057         BT_DBG("sk %p, opt %d", sk, optname);
1058
1059         if (get_user(len, optlen))
1060                 return -EFAULT;
1061
1062         lock_sock(sk);
1063
1064         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1065                 err = -EBADFD;
1066                 goto done;
1067         }
1068
1069         switch (optname) {
1070         case HCI_DATA_DIR:
1071                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1072                         opt = 1;
1073                 else
1074                         opt = 0;
1075
1076                 if (put_user(opt, optval))
1077                         err = -EFAULT;
1078                 break;
1079
1080         case HCI_TIME_STAMP:
1081                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1082                         opt = 1;
1083                 else
1084                         opt = 0;
1085
1086                 if (put_user(opt, optval))
1087                         err = -EFAULT;
1088                 break;
1089
1090         case HCI_FILTER:
1091                 {
1092                         struct hci_filter *f = &hci_pi(sk)->filter;
1093
1094                         memset(&uf, 0, sizeof(uf));
1095                         uf.type_mask = f->type_mask;
1096                         uf.opcode    = f->opcode;
1097                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1098                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1099                 }
1100
1101                 len = min_t(unsigned int, len, sizeof(uf));
1102                 if (copy_to_user(optval, &uf, len))
1103                         err = -EFAULT;
1104                 break;
1105
1106         default:
1107                 err = -ENOPROTOOPT;
1108                 break;
1109         }
1110
1111 done:
1112         release_sock(sk);
1113         return err;
1114 }
1115
1116 static const struct proto_ops hci_sock_ops = {
1117         .family         = PF_BLUETOOTH,
1118         .owner          = THIS_MODULE,
1119         .release        = hci_sock_release,
1120         .bind           = hci_sock_bind,
1121         .getname        = hci_sock_getname,
1122         .sendmsg        = hci_sock_sendmsg,
1123         .recvmsg        = hci_sock_recvmsg,
1124         .ioctl          = hci_sock_ioctl,
1125         .poll           = datagram_poll,
1126         .listen         = sock_no_listen,
1127         .shutdown       = sock_no_shutdown,
1128         .setsockopt     = hci_sock_setsockopt,
1129         .getsockopt     = hci_sock_getsockopt,
1130         .connect        = sock_no_connect,
1131         .socketpair     = sock_no_socketpair,
1132         .accept         = sock_no_accept,
1133         .mmap           = sock_no_mmap
1134 };
1135
1136 static struct proto hci_sk_proto = {
1137         .name           = "HCI",
1138         .owner          = THIS_MODULE,
1139         .obj_size       = sizeof(struct hci_pinfo)
1140 };
1141
1142 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1143                            int kern)
1144 {
1145         struct sock *sk;
1146
1147         BT_DBG("sock %p", sock);
1148
1149         if (sock->type != SOCK_RAW)
1150                 return -ESOCKTNOSUPPORT;
1151
1152         sock->ops = &hci_sock_ops;
1153
1154         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1155         if (!sk)
1156                 return -ENOMEM;
1157
1158         sock_init_data(sock, sk);
1159
1160         sock_reset_flag(sk, SOCK_ZAPPED);
1161
1162         sk->sk_protocol = protocol;
1163
1164         sock->state = SS_UNCONNECTED;
1165         sk->sk_state = BT_OPEN;
1166
1167         bt_sock_link(&hci_sk_list, sk);
1168         return 0;
1169 }
1170
1171 static const struct net_proto_family hci_sock_family_ops = {
1172         .family = PF_BLUETOOTH,
1173         .owner  = THIS_MODULE,
1174         .create = hci_sock_create,
1175 };
1176
1177 int __init hci_sock_init(void)
1178 {
1179         int err;
1180
1181         BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
1182
1183         err = proto_register(&hci_sk_proto, 0);
1184         if (err < 0)
1185                 return err;
1186
1187         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1188         if (err < 0) {
1189                 BT_ERR("HCI socket registration failed");
1190                 goto error;
1191         }
1192
1193         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1194         if (err < 0) {
1195                 BT_ERR("Failed to create HCI proc file");
1196                 bt_sock_unregister(BTPROTO_HCI);
1197                 goto error;
1198         }
1199
1200         BT_INFO("HCI socket layer initialized");
1201
1202         return 0;
1203
1204 error:
1205         proto_unregister(&hci_sk_proto);
1206         return err;
1207 }
1208
1209 void hci_sock_cleanup(void)
1210 {
1211         bt_procfs_cleanup(&init_net, "hci");
1212         bt_sock_unregister(BTPROTO_HCI);
1213         proto_unregister(&hci_sk_proto);
1214 }