net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 /* Socket info */
  39 #define hci_pi(sk) ((struct hci_pinfo *) sk)
  40
  41 struct hci_pinfo {
  42         struct bt_sock    bt;
  43         struct hci_dev    *hdev;
  44         struct hci_filter filter;
  45         __u32             cmsg_mask;
  46         unsigned short    channel;
  47 };
  48
  49 static inline int hci_test_bit(int nr, void *addr)
  50 {
  51         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  52 }
  53
  54 /* Security filter */
  55 #define HCI_SFLT_MAX_OGF  5
  56
  57 struct hci_sec_filter {
  58         __u32 type_mask;
  59         __u32 event_mask[2];
  60         __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
  61 };
  62
  63 static const struct hci_sec_filter hci_sec_filter = {
  64         /* Packet types */
  65         0x10,
  66         /* Events */
  67         { 0x1000d9fe, 0x0000b00c },
  68         /* Commands */
  69         {
  70                 { 0x0 },
  71                 /* OGF_LINK_CTL */
  72                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  73                 /* OGF_LINK_POLICY */
  74                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  75                 /* OGF_HOST_CTL */
  76                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  77                 /* OGF_INFO_PARAM */
  78                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  79                 /* OGF_STATUS_PARAM */
  80                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  81         }
  82 };
  83
  84 static struct bt_sock_list hci_sk_list = {
  85         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  86 };
  87
  88 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
  89 {
  90         struct hci_filter *flt;
  91         int flt_type, flt_event;
  92
  93         /* Apply filter */
  94         flt = &hci_pi(sk)->filter;
  95
  96         if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT)
  97                 flt_type = 0;
  98         else
  99                 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS;
 100
 101         if (!test_bit(flt_type, &flt->type_mask))
 102                 return true;
 103
 104         /* Extra filter for event packets only */
 105         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT)
 106                 return false;
 107
 108         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
 109
 110         if (!hci_test_bit(flt_event, &flt->event_mask))
 111                 return true;
 112
 113         /* Check filter only when opcode is set */
 114         if (!flt->opcode)
 115                 return false;
 116
 117         if (flt_event == HCI_EV_CMD_COMPLETE &&
 118             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
 119                 return true;
 120
 121         if (flt_event == HCI_EV_CMD_STATUS &&
 122             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
 123                 return true;
 124
 125         return false;
 126 }
 127
 128 /* Send frame to RAW socket */
 129 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 130 {
 131         struct sock *sk;
 132         struct sk_buff *skb_copy = NULL;
 133
 134         BT_DBG("hdev %p len %d", hdev, skb->len);
 135
 136         read_lock(&hci_sk_list.lock);
 137
 138         sk_for_each(sk, &hci_sk_list.head) {
 139                 struct sk_buff *nskb;
 140
 141                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
 142                         continue;
 143
 144                 /* Don't send frame to the socket it came from */
 145                 if (skb->sk == sk)
 146                         continue;
 147
 148                 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
 149                         if (is_filtered_packet(sk, skb))
 150                                 continue;
 151                 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 152                         if (!bt_cb(skb)->incoming)
 153                                 continue;
 154                         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT &&
 155                             bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 156                             bt_cb(skb)->pkt_type != HCI_SCODATA_PKT)
 157                                 continue;
 158                 } else {
 159                         /* Don't send frame to other channel types */
 160                         continue;
 161                 }
 162
 163                 if (!skb_copy) {
 164                         /* Create a private copy with headroom */
 165                         skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
 166                         if (!skb_copy)
 167                                 continue;
 168
 169                         /* Put type byte before the data */
 170                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 171                 }
 172
 173                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 174                 if (!nskb)
 175                         continue;
 176
 177                 if (sock_queue_rcv_skb(sk, nskb))
 178                         kfree_skb(nskb);
 179         }
 180
 181         read_unlock(&hci_sk_list.lock);
 182
 183         kfree_skb(skb_copy);
 184 }
 185
 186 /* Send frame to control socket */
 187 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 188 {
 189         struct sock *sk;
 190
 191         BT_DBG("len %d", skb->len);
 192
 193         read_lock(&hci_sk_list.lock);
 194
 195         sk_for_each(sk, &hci_sk_list.head) {
 196                 struct sk_buff *nskb;
 197
 198                 /* Skip the original socket */
 199                 if (sk == skip_sk)
 200                         continue;
 201
 202                 if (sk->sk_state != BT_BOUND)
 203                         continue;
 204
 205                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 206                         continue;
 207
 208                 nskb = skb_clone(skb, GFP_ATOMIC);
 209                 if (!nskb)
 210                         continue;
 211
 212                 if (sock_queue_rcv_skb(sk, nskb))
 213                         kfree_skb(nskb);
 214         }
 215
 216         read_unlock(&hci_sk_list.lock);
 217 }
 218
 219 /* Send frame to monitor socket */
 220 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 221 {
 222         struct sock *sk;
 223         struct sk_buff *skb_copy = NULL;
 224         __le16 opcode;
 225
 226         if (!atomic_read(&monitor_promisc))
 227                 return;
 228
 229         BT_DBG("hdev %p len %d", hdev, skb->len);
 230
 231         switch (bt_cb(skb)->pkt_type) {
 232         case HCI_COMMAND_PKT:
 233                 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
 234                 break;
 235         case HCI_EVENT_PKT:
 236                 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
 237                 break;
 238         case HCI_ACLDATA_PKT:
 239                 if (bt_cb(skb)->incoming)
 240                         opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
 241                 else
 242                         opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
 243                 break;
 244         case HCI_SCODATA_PKT:
 245                 if (bt_cb(skb)->incoming)
 246                         opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
 247                 else
 248                         opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
 249                 break;
 250         default:
 251                 return;
 252         }
 253
 254         read_lock(&hci_sk_list.lock);
 255
 256         sk_for_each(sk, &hci_sk_list.head) {
 257                 struct sk_buff *nskb;
 258
 259                 if (sk->sk_state != BT_BOUND)
 260                         continue;
 261
 262                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 263                         continue;
 264
 265                 if (!skb_copy) {
 266                         struct hci_mon_hdr *hdr;
 267
 268                         /* Create a private copy with headroom */
 269                         skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE,
 270                                                       GFP_ATOMIC, true);
 271                         if (!skb_copy)
 272                                 continue;
 273
 274                         /* Put header before the data */
 275                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 276                         hdr->opcode = opcode;
 277                         hdr->index = cpu_to_le16(hdev->id);
 278                         hdr->len = cpu_to_le16(skb->len);
 279                 }
 280
 281                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 282                 if (!nskb)
 283                         continue;
 284
 285                 if (sock_queue_rcv_skb(sk, nskb))
 286                         kfree_skb(nskb);
 287         }
 288
 289         read_unlock(&hci_sk_list.lock);
 290
 291         kfree_skb(skb_copy);
 292 }
 293
 294 static void send_monitor_event(struct sk_buff *skb)
 295 {
 296         struct sock *sk;
 297
 298         BT_DBG("len %d", skb->len);
 299
 300         read_lock(&hci_sk_list.lock);
 301
 302         sk_for_each(sk, &hci_sk_list.head) {
 303                 struct sk_buff *nskb;
 304
 305                 if (sk->sk_state != BT_BOUND)
 306                         continue;
 307
 308                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 309                         continue;
 310
 311                 nskb = skb_clone(skb, GFP_ATOMIC);
 312                 if (!nskb)
 313                         continue;
 314
 315                 if (sock_queue_rcv_skb(sk, nskb))
 316                         kfree_skb(nskb);
 317         }
 318
 319         read_unlock(&hci_sk_list.lock);
 320 }
 321
 322 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 323 {
 324         struct hci_mon_hdr *hdr;
 325         struct hci_mon_new_index *ni;
 326         struct sk_buff *skb;
 327         __le16 opcode;
 328
 329         switch (event) {
 330         case HCI_DEV_REG:
 331                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 332                 if (!skb)
 333                         return NULL;
 334
 335                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 336                 ni->type = hdev->dev_type;
 337                 ni->bus = hdev->bus;
 338                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 339                 memcpy(ni->name, hdev->name, 8);
 340
 341                 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
 342                 break;
 343
 344         case HCI_DEV_UNREG:
 345                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 346                 if (!skb)
 347                         return NULL;
 348
 349                 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
 350                 break;
 351
 352         default:
 353                 return NULL;
 354         }
 355
 356         __net_timestamp(skb);
 357
 358         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 359         hdr->opcode = opcode;
 360         hdr->index = cpu_to_le16(hdev->id);
 361         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 362
 363         return skb;
 364 }
 365
 366 static void send_monitor_replay(struct sock *sk)
 367 {
 368         struct hci_dev *hdev;
 369
 370         read_lock(&hci_dev_list_lock);
 371
 372         list_for_each_entry(hdev, &hci_dev_list, list) {
 373                 struct sk_buff *skb;
 374
 375                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 376                 if (!skb)
 377                         continue;
 378
 379                 if (sock_queue_rcv_skb(sk, skb))
 380                         kfree_skb(skb);
 381         }
 382
 383         read_unlock(&hci_dev_list_lock);
 384 }
 385
 386 /* Generate internal stack event */
 387 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 388 {
 389         struct hci_event_hdr *hdr;
 390         struct hci_ev_stack_internal *ev;
 391         struct sk_buff *skb;
 392
 393         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 394         if (!skb)
 395                 return;
 396
 397         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 398         hdr->evt  = HCI_EV_STACK_INTERNAL;
 399         hdr->plen = sizeof(*ev) + dlen;
 400
 401         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 402         ev->type = type;
 403         memcpy(ev->data, data, dlen);
 404
 405         bt_cb(skb)->incoming = 1;
 406         __net_timestamp(skb);
 407
 408         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 409         hci_send_to_sock(hdev, skb);
 410         kfree_skb(skb);
 411 }
 412
 413 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 414 {
 415         struct hci_ev_si_device ev;
 416
 417         BT_DBG("hdev %s event %d", hdev->name, event);
 418
 419         /* Send event to monitor */
 420         if (atomic_read(&monitor_promisc)) {
 421                 struct sk_buff *skb;
 422
 423                 skb = create_monitor_event(hdev, event);
 424                 if (skb) {
 425                         send_monitor_event(skb);
 426                         kfree_skb(skb);
 427                 }
 428         }
 429
 430         /* Send event to sockets */
 431         ev.event  = event;
 432         ev.dev_id = hdev->id;
 433         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 434
 435         if (event == HCI_DEV_UNREG) {
 436                 struct sock *sk;
 437
 438                 /* Detach sockets from device */
 439                 read_lock(&hci_sk_list.lock);
 440                 sk_for_each(sk, &hci_sk_list.head) {
 441                         bh_lock_sock_nested(sk);
 442                         if (hci_pi(sk)->hdev == hdev) {
 443                                 hci_pi(sk)->hdev = NULL;
 444                                 sk->sk_err = EPIPE;
 445                                 sk->sk_state = BT_OPEN;
 446                                 sk->sk_state_change(sk);
 447
 448                                 hci_dev_put(hdev);
 449                         }
 450                         bh_unlock_sock(sk);
 451                 }
 452                 read_unlock(&hci_sk_list.lock);
 453         }
 454 }
 455
 456 static int hci_sock_release(struct socket *sock)
 457 {
 458         struct sock *sk = sock->sk;
 459         struct hci_dev *hdev;
 460
 461         BT_DBG("sock %p sk %p", sock, sk);
 462
 463         if (!sk)
 464                 return 0;
 465
 466         hdev = hci_pi(sk)->hdev;
 467
 468         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 469                 atomic_dec(&monitor_promisc);
 470
 471         bt_sock_unlink(&hci_sk_list, sk);
 472
 473         if (hdev) {
 474                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 475                         mgmt_index_added(hdev);
 476                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 477                         hci_dev_close(hdev->id);
 478                 }
 479
 480                 atomic_dec(&hdev->promisc);
 481                 hci_dev_put(hdev);
 482         }
 483
 484         sock_orphan(sk);
 485
 486         skb_queue_purge(&sk->sk_receive_queue);
 487         skb_queue_purge(&sk->sk_write_queue);
 488
 489         sock_put(sk);
 490         return 0;
 491 }
 492
 493 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 494 {
 495         bdaddr_t bdaddr;
 496         int err;
 497
 498         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 499                 return -EFAULT;
 500
 501         hci_dev_lock(hdev);
 502
 503         err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
 504
 505         hci_dev_unlock(hdev);
 506
 507         return err;
 508 }
 509
 510 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 511 {
 512         bdaddr_t bdaddr;
 513         int err;
 514
 515         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 516                 return -EFAULT;
 517
 518         hci_dev_lock(hdev);
 519
 520         err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
 521
 522         hci_dev_unlock(hdev);
 523
 524         return err;
 525 }
 526
 527 /* Ioctls that require bound socket */
 528 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 529                                 unsigned long arg)
 530 {
 531         struct hci_dev *hdev = hci_pi(sk)->hdev;
 532
 533         if (!hdev)
 534                 return -EBADFD;
 535
 536         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
 537                 return -EBUSY;
 538
 539         if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
 540                 return -EOPNOTSUPP;
 541
 542         if (hdev->dev_type != HCI_BREDR)
 543                 return -EOPNOTSUPP;
 544
 545         switch (cmd) {
 546         case HCISETRAW:
 547                 if (!capable(CAP_NET_ADMIN))
 548                         return -EPERM;
 549                 return -EOPNOTSUPP;
 550
 551         case HCIGETCONNINFO:
 552                 return hci_get_conn_info(hdev, (void __user *) arg);
 553
 554         case HCIGETAUTHINFO:
 555                 return hci_get_auth_info(hdev, (void __user *) arg);
 556
 557         case HCIBLOCKADDR:
 558                 if (!capable(CAP_NET_ADMIN))
 559                         return -EPERM;
 560                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 561
 562         case HCIUNBLOCKADDR:
 563                 if (!capable(CAP_NET_ADMIN))
 564                         return -EPERM;
 565                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 566         }
 567
 568         return -ENOIOCTLCMD;
 569 }
 570
 571 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 572                           unsigned long arg)
 573 {
 574         void __user *argp = (void __user *) arg;
 575         struct sock *sk = sock->sk;
 576         int err;
 577
 578         BT_DBG("cmd %x arg %lx", cmd, arg);
 579
 580         lock_sock(sk);
 581
 582         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 583                 err = -EBADFD;
 584                 goto done;
 585         }
 586
 587         release_sock(sk);
 588
 589         switch (cmd) {
 590         case HCIGETDEVLIST:
 591                 return hci_get_dev_list(argp);
 592
 593         case HCIGETDEVINFO:
 594                 return hci_get_dev_info(argp);
 595
 596         case HCIGETCONNLIST:
 597                 return hci_get_conn_list(argp);
 598
 599         case HCIDEVUP:
 600                 if (!capable(CAP_NET_ADMIN))
 601                         return -EPERM;
 602                 return hci_dev_open(arg);
 603
 604         case HCIDEVDOWN:
 605                 if (!capable(CAP_NET_ADMIN))
 606                         return -EPERM;
 607                 return hci_dev_close(arg);
 608
 609         case HCIDEVRESET:
 610                 if (!capable(CAP_NET_ADMIN))
 611                         return -EPERM;
 612                 return hci_dev_reset(arg);
 613
 614         case HCIDEVRESTAT:
 615                 if (!capable(CAP_NET_ADMIN))
 616                         return -EPERM;
 617                 return hci_dev_reset_stat(arg);
 618
 619         case HCISETSCAN:
 620         case HCISETAUTH:
 621         case HCISETENCRYPT:
 622         case HCISETPTYPE:
 623         case HCISETLINKPOL:
 624         case HCISETLINKMODE:
 625         case HCISETACLMTU:
 626         case HCISETSCOMTU:
 627                 if (!capable(CAP_NET_ADMIN))
 628                         return -EPERM;
 629                 return hci_dev_cmd(cmd, argp);
 630
 631         case HCIINQUIRY:
 632                 return hci_inquiry(argp);
 633         }
 634
 635         lock_sock(sk);
 636
 637         err = hci_sock_bound_ioctl(sk, cmd, arg);
 638
 639 done:
 640         release_sock(sk);
 641         return err;
 642 }
 643
 644 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 645                          int addr_len)
 646 {
 647         struct sockaddr_hci haddr;
 648         struct sock *sk = sock->sk;
 649         struct hci_dev *hdev = NULL;
 650         int len, err = 0;
 651
 652         BT_DBG("sock %p sk %p", sock, sk);
 653
 654         if (!addr)
 655                 return -EINVAL;
 656
 657         memset(&haddr, 0, sizeof(haddr));
 658         len = min_t(unsigned int, sizeof(haddr), addr_len);
 659         memcpy(&haddr, addr, len);
 660
 661         if (haddr.hci_family != AF_BLUETOOTH)
 662                 return -EINVAL;
 663
 664         lock_sock(sk);
 665
 666         if (sk->sk_state == BT_BOUND) {
 667                 err = -EALREADY;
 668                 goto done;
 669         }
 670
 671         switch (haddr.hci_channel) {
 672         case HCI_CHANNEL_RAW:
 673                 if (hci_pi(sk)->hdev) {
 674                         err = -EALREADY;
 675                         goto done;
 676                 }
 677
 678                 if (haddr.hci_dev != HCI_DEV_NONE) {
 679                         hdev = hci_dev_get(haddr.hci_dev);
 680                         if (!hdev) {
 681                                 err = -ENODEV;
 682                                 goto done;
 683                         }
 684
 685                         atomic_inc(&hdev->promisc);
 686                 }
 687
 688                 hci_pi(sk)->hdev = hdev;
 689                 break;
 690
 691         case HCI_CHANNEL_USER:
 692                 if (hci_pi(sk)->hdev) {
 693                         err = -EALREADY;
 694                         goto done;
 695                 }
 696
 697                 if (haddr.hci_dev == HCI_DEV_NONE) {
 698                         err = -EINVAL;
 699                         goto done;
 700                 }
 701
 702                 if (!capable(CAP_NET_ADMIN)) {
 703                         err = -EPERM;
 704                         goto done;
 705                 }
 706
 707                 hdev = hci_dev_get(haddr.hci_dev);
 708                 if (!hdev) {
 709                         err = -ENODEV;
 710                         goto done;
 711                 }
 712
 713                 if (test_bit(HCI_UP, &hdev->flags) ||
 714                     test_bit(HCI_INIT, &hdev->flags) ||
 715                     test_bit(HCI_SETUP, &hdev->dev_flags) ||
 716                     test_bit(HCI_CONFIG, &hdev->dev_flags)) {
 717                         err = -EBUSY;
 718                         hci_dev_put(hdev);
 719                         goto done;
 720                 }
 721
 722                 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
 723                         err = -EUSERS;
 724                         hci_dev_put(hdev);
 725                         goto done;
 726                 }
 727
 728                 mgmt_index_removed(hdev);
 729
 730                 err = hci_dev_open(hdev->id);
 731                 if (err) {
 732                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 733                         mgmt_index_added(hdev);
 734                         hci_dev_put(hdev);
 735                         goto done;
 736                 }
 737
 738                 atomic_inc(&hdev->promisc);
 739
 740                 hci_pi(sk)->hdev = hdev;
 741                 break;
 742
 743         case HCI_CHANNEL_CONTROL:
 744                 if (haddr.hci_dev != HCI_DEV_NONE) {
 745                         err = -EINVAL;
 746                         goto done;
 747                 }
 748
 749                 if (!capable(CAP_NET_ADMIN)) {
 750                         err = -EPERM;
 751                         goto done;
 752                 }
 753
 754                 break;
 755
 756         case HCI_CHANNEL_MONITOR:
 757                 if (haddr.hci_dev != HCI_DEV_NONE) {
 758                         err = -EINVAL;
 759                         goto done;
 760                 }
 761
 762                 if (!capable(CAP_NET_RAW)) {
 763                         err = -EPERM;
 764                         goto done;
 765                 }
 766
 767                 send_monitor_replay(sk);
 768
 769                 atomic_inc(&monitor_promisc);
 770                 break;
 771
 772         default:
 773                 err = -EINVAL;
 774                 goto done;
 775         }
 776
 777
 778         hci_pi(sk)->channel = haddr.hci_channel;
 779         sk->sk_state = BT_BOUND;
 780
 781 done:
 782         release_sock(sk);
 783         return err;
 784 }
 785
 786 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 787                             int *addr_len, int peer)
 788 {
 789         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 790         struct sock *sk = sock->sk;
 791         struct hci_dev *hdev;
 792         int err = 0;
 793
 794         BT_DBG("sock %p sk %p", sock, sk);
 795
 796         if (peer)
 797                 return -EOPNOTSUPP;
 798
 799         lock_sock(sk);
 800
 801         hdev = hci_pi(sk)->hdev;
 802         if (!hdev) {
 803                 err = -EBADFD;
 804                 goto done;
 805         }
 806
 807         *addr_len = sizeof(*haddr);
 808         haddr->hci_family = AF_BLUETOOTH;
 809         haddr->hci_dev    = hdev->id;
 810         haddr->hci_channel= hci_pi(sk)->channel;
 811
 812 done:
 813         release_sock(sk);
 814         return err;
 815 }
 816
 817 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 818                           struct sk_buff *skb)
 819 {
 820         __u32 mask = hci_pi(sk)->cmsg_mask;
 821
 822         if (mask & HCI_CMSG_DIR) {
 823                 int incoming = bt_cb(skb)->incoming;
 824                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 825                          &incoming);
 826         }
 827
 828         if (mask & HCI_CMSG_TSTAMP) {
 829 #ifdef CONFIG_COMPAT
 830                 struct compat_timeval ctv;
 831 #endif
 832                 struct timeval tv;
 833                 void *data;
 834                 int len;
 835
 836                 skb_get_timestamp(skb, &tv);
 837
 838                 data = &tv;
 839                 len = sizeof(tv);
 840 #ifdef CONFIG_COMPAT
 841                 if (!COMPAT_USE_64BIT_TIME &&
 842                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 843                         ctv.tv_sec = tv.tv_sec;
 844                         ctv.tv_usec = tv.tv_usec;
 845                         data = &ctv;
 846                         len = sizeof(ctv);
 847                 }
 848 #endif
 849
 850                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 851         }
 852 }
 853
 854 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 855                             struct msghdr *msg, size_t len, int flags)
 856 {
 857         int noblock = flags & MSG_DONTWAIT;
 858         struct sock *sk = sock->sk;
 859         struct sk_buff *skb;
 860         int copied, err;
 861
 862         BT_DBG("sock %p, sk %p", sock, sk);
 863
 864         if (flags & (MSG_OOB))
 865                 return -EOPNOTSUPP;
 866
 867         if (sk->sk_state == BT_CLOSED)
 868                 return 0;
 869
 870         skb = skb_recv_datagram(sk, flags, noblock, &err);
 871         if (!skb)
 872                 return err;
 873
 874         copied = skb->len;
 875         if (len < copied) {
 876                 msg->msg_flags |= MSG_TRUNC;
 877                 copied = len;
 878         }
 879
 880         skb_reset_transport_header(skb);
 881         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 882
 883         switch (hci_pi(sk)->channel) {
 884         case HCI_CHANNEL_RAW:
 885                 hci_sock_cmsg(sk, msg, skb);
 886                 break;
 887         case HCI_CHANNEL_USER:
 888         case HCI_CHANNEL_CONTROL:
 889         case HCI_CHANNEL_MONITOR:
 890                 sock_recv_timestamp(msg, sk, skb);
 891                 break;
 892         }
 893
 894         skb_free_datagram(sk, skb);
 895
 896         return err ? : copied;
 897 }
 898
 899 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 900                             struct msghdr *msg, size_t len)
 901 {
 902         struct sock *sk = sock->sk;
 903         struct hci_dev *hdev;
 904         struct sk_buff *skb;
 905         int err;
 906
 907         BT_DBG("sock %p sk %p", sock, sk);
 908
 909         if (msg->msg_flags & MSG_OOB)
 910                 return -EOPNOTSUPP;
 911
 912         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 913                 return -EINVAL;
 914
 915         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 916                 return -EINVAL;
 917
 918         lock_sock(sk);
 919
 920         switch (hci_pi(sk)->channel) {
 921         case HCI_CHANNEL_RAW:
 922         case HCI_CHANNEL_USER:
 923                 break;
 924         case HCI_CHANNEL_CONTROL:
 925                 err = mgmt_control(sk, msg, len);
 926                 goto done;
 927         case HCI_CHANNEL_MONITOR:
 928                 err = -EOPNOTSUPP;
 929                 goto done;
 930         default:
 931                 err = -EINVAL;
 932                 goto done;
 933         }
 934
 935         hdev = hci_pi(sk)->hdev;
 936         if (!hdev) {
 937                 err = -EBADFD;
 938                 goto done;
 939         }
 940
 941         if (!test_bit(HCI_UP, &hdev->flags)) {
 942                 err = -ENETDOWN;
 943                 goto done;
 944         }
 945
 946         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 947         if (!skb)
 948                 goto done;
 949
 950         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 951                 err = -EFAULT;
 952                 goto drop;
 953         }
 954
 955         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 956         skb_pull(skb, 1);
 957
 958         if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 959                 /* No permission check is needed for user channel
 960                  * since that gets enforced when binding the socket.
 961                  *
 962                  * However check that the packet type is valid.
 963                  */
 964                 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
 965                     bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 966                     bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
 967                         err = -EINVAL;
 968                         goto drop;
 969                 }
 970
 971                 skb_queue_tail(&hdev->raw_q, skb);
 972                 queue_work(hdev->workqueue, &hdev->tx_work);
 973         } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 974                 u16 opcode = get_unaligned_le16(skb->data);
 975                 u16 ogf = hci_opcode_ogf(opcode);
 976                 u16 ocf = hci_opcode_ocf(opcode);
 977
 978                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 979                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 980                                    &hci_sec_filter.ocf_mask[ogf])) &&
 981                     !capable(CAP_NET_RAW)) {
 982                         err = -EPERM;
 983                         goto drop;
 984                 }
 985
 986                 if (ogf == 0x3f) {
 987                         skb_queue_tail(&hdev->raw_q, skb);
 988                         queue_work(hdev->workqueue, &hdev->tx_work);
 989                 } else {
 990                         /* Stand-alone HCI commands must be flaged as
 991                          * single-command requests.
 992                          */
 993                         bt_cb(skb)->req.start = true;
 994
 995                         skb_queue_tail(&hdev->cmd_q, skb);
 996                         queue_work(hdev->workqueue, &hdev->cmd_work);
 997                 }
 998         } else {
 999                 if (!capable(CAP_NET_RAW)) {
1000                         err = -EPERM;
1001                         goto drop;
1002                 }
1003
1004                 skb_queue_tail(&hdev->raw_q, skb);
1005                 queue_work(hdev->workqueue, &hdev->tx_work);
1006         }
1007
1008         err = len;
1009
1010 done:
1011         release_sock(sk);
1012         return err;
1013
1014 drop:
1015         kfree_skb(skb);
1016         goto done;
1017 }
1018
1019 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1020                                char __user *optval, unsigned int len)
1021 {
1022         struct hci_ufilter uf = { .opcode = 0 };
1023         struct sock *sk = sock->sk;
1024         int err = 0, opt = 0;
1025
1026         BT_DBG("sk %p, opt %d", sk, optname);
1027
1028         lock_sock(sk);
1029
1030         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1031                 err = -EBADFD;
1032                 goto done;
1033         }
1034
1035         switch (optname) {
1036         case HCI_DATA_DIR:
1037                 if (get_user(opt, (int __user *)optval)) {
1038                         err = -EFAULT;
1039                         break;
1040                 }
1041
1042                 if (opt)
1043                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1044                 else
1045                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1046                 break;
1047
1048         case HCI_TIME_STAMP:
1049                 if (get_user(opt, (int __user *)optval)) {
1050                         err = -EFAULT;
1051                         break;
1052                 }
1053
1054                 if (opt)
1055                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1056                 else
1057                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1058                 break;
1059
1060         case HCI_FILTER:
1061                 {
1062                         struct hci_filter *f = &hci_pi(sk)->filter;
1063
1064                         uf.type_mask = f->type_mask;
1065                         uf.opcode    = f->opcode;
1066                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1067                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1068                 }
1069
1070                 len = min_t(unsigned int, len, sizeof(uf));
1071                 if (copy_from_user(&uf, optval, len)) {
1072                         err = -EFAULT;
1073                         break;
1074                 }
1075
1076                 if (!capable(CAP_NET_RAW)) {
1077                         uf.type_mask &= hci_sec_filter.type_mask;
1078                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1079                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1080                 }
1081
1082                 {
1083                         struct hci_filter *f = &hci_pi(sk)->filter;
1084
1085                         f->type_mask = uf.type_mask;
1086                         f->opcode    = uf.opcode;
1087                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1088                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1089                 }
1090                 break;
1091
1092         default:
1093                 err = -ENOPROTOOPT;
1094                 break;
1095         }
1096
1097 done:
1098         release_sock(sk);
1099         return err;
1100 }
1101
1102 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1103                                char __user *optval, int __user *optlen)
1104 {
1105         struct hci_ufilter uf;
1106         struct sock *sk = sock->sk;
1107         int len, opt, err = 0;
1108
1109         BT_DBG("sk %p, opt %d", sk, optname);
1110
1111         if (get_user(len, optlen))
1112                 return -EFAULT;
1113
1114         lock_sock(sk);
1115
1116         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1117                 err = -EBADFD;
1118                 goto done;
1119         }
1120
1121         switch (optname) {
1122         case HCI_DATA_DIR:
1123                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1124                         opt = 1;
1125                 else
1126                         opt = 0;
1127
1128                 if (put_user(opt, optval))
1129                         err = -EFAULT;
1130                 break;
1131
1132         case HCI_TIME_STAMP:
1133                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1134                         opt = 1;
1135                 else
1136                         opt = 0;
1137
1138                 if (put_user(opt, optval))
1139                         err = -EFAULT;
1140                 break;
1141
1142         case HCI_FILTER:
1143                 {
1144                         struct hci_filter *f = &hci_pi(sk)->filter;
1145
1146                         memset(&uf, 0, sizeof(uf));
1147                         uf.type_mask = f->type_mask;
1148                         uf.opcode    = f->opcode;
1149                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1150                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1151                 }
1152
1153                 len = min_t(unsigned int, len, sizeof(uf));
1154                 if (copy_to_user(optval, &uf, len))
1155                         err = -EFAULT;
1156                 break;
1157
1158         default:
1159                 err = -ENOPROTOOPT;
1160                 break;
1161         }
1162
1163 done:
1164         release_sock(sk);
1165         return err;
1166 }
1167
1168 static const struct proto_ops hci_sock_ops = {
1169         .family         = PF_BLUETOOTH,
1170         .owner          = THIS_MODULE,
1171         .release        = hci_sock_release,
1172         .bind           = hci_sock_bind,
1173         .getname        = hci_sock_getname,
1174         .sendmsg        = hci_sock_sendmsg,
1175         .recvmsg        = hci_sock_recvmsg,
1176         .ioctl          = hci_sock_ioctl,
1177         .poll           = datagram_poll,
1178         .listen         = sock_no_listen,
1179         .shutdown       = sock_no_shutdown,
1180         .setsockopt     = hci_sock_setsockopt,
1181         .getsockopt     = hci_sock_getsockopt,
1182         .connect        = sock_no_connect,
1183         .socketpair     = sock_no_socketpair,
1184         .accept         = sock_no_accept,
1185         .mmap           = sock_no_mmap
1186 };
1187
1188 static struct proto hci_sk_proto = {
1189         .name           = "HCI",
1190         .owner          = THIS_MODULE,
1191         .obj_size       = sizeof(struct hci_pinfo)
1192 };
1193
1194 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1195                            int kern)
1196 {
1197         struct sock *sk;
1198
1199         BT_DBG("sock %p", sock);
1200
1201         if (sock->type != SOCK_RAW)
1202                 return -ESOCKTNOSUPPORT;
1203
1204         sock->ops = &hci_sock_ops;
1205
1206         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1207         if (!sk)
1208                 return -ENOMEM;
1209
1210         sock_init_data(sock, sk);
1211
1212         sock_reset_flag(sk, SOCK_ZAPPED);
1213
1214         sk->sk_protocol = protocol;
1215
1216         sock->state = SS_UNCONNECTED;
1217         sk->sk_state = BT_OPEN;
1218
1219         bt_sock_link(&hci_sk_list, sk);
1220         return 0;
1221 }
1222
1223 static const struct net_proto_family hci_sock_family_ops = {
1224         .family = PF_BLUETOOTH,
1225         .owner  = THIS_MODULE,
1226         .create = hci_sock_create,
1227 };
1228
1229 int __init hci_sock_init(void)
1230 {
1231         int err;
1232
1233         err = proto_register(&hci_sk_proto, 0);
1234         if (err < 0)
1235                 return err;
1236
1237         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1238         if (err < 0) {
1239                 BT_ERR("HCI socket registration failed");
1240                 goto error;
1241         }
1242
1243         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1244         if (err < 0) {
1245                 BT_ERR("Failed to create HCI proc file");
1246                 bt_sock_unregister(BTPROTO_HCI);
1247                 goto error;
1248         }
1249
1250         BT_INFO("HCI socket layer initialized");
1251
1252         return 0;
1253
1254 error:
1255         proto_unregister(&hci_sk_proto);
1256         return err;
1257 }
1258
1259 void hci_sock_cleanup(void)
1260 {
1261         bt_procfs_cleanup(&init_net, "hci");
1262         bt_sock_unregister(BTPROTO_HCI);
1263         proto_unregister(&hci_sk_proto);
1264 }