2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI sockets. */
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <asm/unaligned.h>
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/hci_mon.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "mgmt_util.h"
38 static LIST_HEAD(mgmt_chan_list);
39 static DEFINE_MUTEX(mgmt_chan_list_lock);
41 static atomic_t monitor_promisc = ATOMIC_INIT(0);
43 /* ----- HCI socket interface ----- */
46 #define hci_pi(sk) ((struct hci_pinfo *) sk)
51 struct hci_filter filter;
53 unsigned short channel;
57 void hci_sock_set_flag(struct sock *sk, int nr)
59 set_bit(nr, &hci_pi(sk)->flags);
62 void hci_sock_clear_flag(struct sock *sk, int nr)
64 clear_bit(nr, &hci_pi(sk)->flags);
67 int hci_sock_test_flag(struct sock *sk, int nr)
69 return test_bit(nr, &hci_pi(sk)->flags);
72 unsigned short hci_sock_get_channel(struct sock *sk)
74 return hci_pi(sk)->channel;
77 static inline int hci_test_bit(int nr, const void *addr)
79 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
83 #define HCI_SFLT_MAX_OGF 5
85 struct hci_sec_filter {
88 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
91 static const struct hci_sec_filter hci_sec_filter = {
95 { 0x1000d9fe, 0x0000b00c },
100 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
101 /* OGF_LINK_POLICY */
102 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
104 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
106 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
107 /* OGF_STATUS_PARAM */
108 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
112 static struct bt_sock_list hci_sk_list = {
113 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
116 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
118 struct hci_filter *flt;
119 int flt_type, flt_event;
122 flt = &hci_pi(sk)->filter;
124 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
126 if (!test_bit(flt_type, &flt->type_mask))
129 /* Extra filter for event packets only */
130 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
133 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
135 if (!hci_test_bit(flt_event, &flt->event_mask))
138 /* Check filter only when opcode is set */
142 if (flt_event == HCI_EV_CMD_COMPLETE &&
143 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
146 if (flt_event == HCI_EV_CMD_STATUS &&
147 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
153 /* Send frame to RAW socket */
154 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
157 struct sk_buff *skb_copy = NULL;
159 BT_DBG("hdev %p len %d", hdev, skb->len);
161 read_lock(&hci_sk_list.lock);
163 sk_for_each(sk, &hci_sk_list.head) {
164 struct sk_buff *nskb;
166 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
169 /* Don't send frame to the socket it came from */
173 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
174 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
175 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
176 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
177 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
179 if (is_filtered_packet(sk, skb))
181 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
182 if (!bt_cb(skb)->incoming)
184 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
185 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
186 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
189 /* Don't send frame to other channel types */
194 /* Create a private copy with headroom */
195 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
199 /* Put type byte before the data */
200 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
203 nskb = skb_clone(skb_copy, GFP_ATOMIC);
207 if (sock_queue_rcv_skb(sk, nskb))
211 read_unlock(&hci_sk_list.lock);
216 /* Send frame to sockets with specific channel */
217 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
218 int flag, struct sock *skip_sk)
222 BT_DBG("channel %u len %d", channel, skb->len);
224 read_lock(&hci_sk_list.lock);
226 sk_for_each(sk, &hci_sk_list.head) {
227 struct sk_buff *nskb;
229 /* Ignore socket without the flag set */
230 if (!hci_sock_test_flag(sk, flag))
233 /* Skip the original socket */
237 if (sk->sk_state != BT_BOUND)
240 if (hci_pi(sk)->channel != channel)
243 nskb = skb_clone(skb, GFP_ATOMIC);
247 if (sock_queue_rcv_skb(sk, nskb))
251 read_unlock(&hci_sk_list.lock);
254 /* Send frame to monitor socket */
255 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
257 struct sk_buff *skb_copy = NULL;
258 struct hci_mon_hdr *hdr;
261 if (!atomic_read(&monitor_promisc))
264 BT_DBG("hdev %p len %d", hdev, skb->len);
266 switch (hci_skb_pkt_type(skb)) {
267 case HCI_COMMAND_PKT:
268 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
271 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
273 case HCI_ACLDATA_PKT:
274 if (bt_cb(skb)->incoming)
275 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
277 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
279 case HCI_SCODATA_PKT:
280 if (bt_cb(skb)->incoming)
281 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
283 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
286 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
292 /* Create a private copy with headroom */
293 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
297 /* Put header before the data */
298 hdr = (void *)skb_push(skb_copy, HCI_MON_HDR_SIZE);
299 hdr->opcode = opcode;
300 hdr->index = cpu_to_le16(hdev->id);
301 hdr->len = cpu_to_le16(skb->len);
303 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
304 HCI_SOCK_TRUSTED, NULL);
308 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
310 struct hci_mon_hdr *hdr;
311 struct hci_mon_new_index *ni;
312 struct hci_mon_index_info *ii;
318 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
322 ni = (void *)skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
323 ni->type = hdev->dev_type;
325 bacpy(&ni->bdaddr, &hdev->bdaddr);
326 memcpy(ni->name, hdev->name, 8);
328 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
332 skb = bt_skb_alloc(0, GFP_ATOMIC);
336 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
340 if (hdev->manufacturer == 0xffff)
346 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
350 ii = (void *)skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
351 bacpy(&ii->bdaddr, &hdev->bdaddr);
352 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
354 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
358 skb = bt_skb_alloc(0, GFP_ATOMIC);
362 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
366 skb = bt_skb_alloc(0, GFP_ATOMIC);
370 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
377 __net_timestamp(skb);
379 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
380 hdr->opcode = opcode;
381 hdr->index = cpu_to_le16(hdev->id);
382 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
387 static void __printf(2, 3)
388 send_monitor_note(struct sock *sk, const char *fmt, ...)
391 struct hci_mon_hdr *hdr;
396 len = vsnprintf(NULL, 0, fmt, args);
399 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
404 vsprintf(skb_put(skb, len), fmt, args);
405 *skb_put(skb, 1) = 0;
408 __net_timestamp(skb);
410 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
411 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
412 hdr->index = cpu_to_le16(HCI_DEV_NONE);
413 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
415 if (sock_queue_rcv_skb(sk, skb))
419 static void send_monitor_replay(struct sock *sk)
421 struct hci_dev *hdev;
423 read_lock(&hci_dev_list_lock);
425 list_for_each_entry(hdev, &hci_dev_list, list) {
428 skb = create_monitor_event(hdev, HCI_DEV_REG);
432 if (sock_queue_rcv_skb(sk, skb))
435 if (!test_bit(HCI_RUNNING, &hdev->flags))
438 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
442 if (sock_queue_rcv_skb(sk, skb))
445 if (test_bit(HCI_UP, &hdev->flags))
446 skb = create_monitor_event(hdev, HCI_DEV_UP);
447 else if (hci_dev_test_flag(hdev, HCI_SETUP))
448 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
453 if (sock_queue_rcv_skb(sk, skb))
458 read_unlock(&hci_dev_list_lock);
461 /* Generate internal stack event */
462 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
464 struct hci_event_hdr *hdr;
465 struct hci_ev_stack_internal *ev;
468 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
472 hdr = (void *)skb_put(skb, HCI_EVENT_HDR_SIZE);
473 hdr->evt = HCI_EV_STACK_INTERNAL;
474 hdr->plen = sizeof(*ev) + dlen;
476 ev = (void *)skb_put(skb, sizeof(*ev) + dlen);
478 memcpy(ev->data, data, dlen);
480 bt_cb(skb)->incoming = 1;
481 __net_timestamp(skb);
483 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
484 hci_send_to_sock(hdev, skb);
488 void hci_sock_dev_event(struct hci_dev *hdev, int event)
490 BT_DBG("hdev %s event %d", hdev->name, event);
492 if (atomic_read(&monitor_promisc)) {
495 /* Send event to monitor */
496 skb = create_monitor_event(hdev, event);
498 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
499 HCI_SOCK_TRUSTED, NULL);
504 if (event <= HCI_DEV_DOWN) {
505 struct hci_ev_si_device ev;
507 /* Send event to sockets */
509 ev.dev_id = hdev->id;
510 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
513 if (event == HCI_DEV_UNREG) {
516 /* Detach sockets from device */
517 read_lock(&hci_sk_list.lock);
518 sk_for_each(sk, &hci_sk_list.head) {
519 bh_lock_sock_nested(sk);
520 if (hci_pi(sk)->hdev == hdev) {
521 hci_pi(sk)->hdev = NULL;
523 sk->sk_state = BT_OPEN;
524 sk->sk_state_change(sk);
530 read_unlock(&hci_sk_list.lock);
534 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
536 struct hci_mgmt_chan *c;
538 list_for_each_entry(c, &mgmt_chan_list, list) {
539 if (c->channel == channel)
546 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
548 struct hci_mgmt_chan *c;
550 mutex_lock(&mgmt_chan_list_lock);
551 c = __hci_mgmt_chan_find(channel);
552 mutex_unlock(&mgmt_chan_list_lock);
557 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
559 if (c->channel < HCI_CHANNEL_CONTROL)
562 mutex_lock(&mgmt_chan_list_lock);
563 if (__hci_mgmt_chan_find(c->channel)) {
564 mutex_unlock(&mgmt_chan_list_lock);
568 list_add_tail(&c->list, &mgmt_chan_list);
570 mutex_unlock(&mgmt_chan_list_lock);
574 EXPORT_SYMBOL(hci_mgmt_chan_register);
576 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
578 mutex_lock(&mgmt_chan_list_lock);
580 mutex_unlock(&mgmt_chan_list_lock);
582 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
584 static int hci_sock_release(struct socket *sock)
586 struct sock *sk = sock->sk;
587 struct hci_dev *hdev;
589 BT_DBG("sock %p sk %p", sock, sk);
594 hdev = hci_pi(sk)->hdev;
596 if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
597 atomic_dec(&monitor_promisc);
599 bt_sock_unlink(&hci_sk_list, sk);
602 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
603 /* When releasing an user channel exclusive access,
604 * call hci_dev_do_close directly instead of calling
605 * hci_dev_close to ensure the exclusive access will
606 * be released and the controller brought back down.
608 * The checking of HCI_AUTO_OFF is not needed in this
609 * case since it will have been cleared already when
610 * opening the user channel.
612 hci_dev_do_close(hdev);
613 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
614 mgmt_index_added(hdev);
617 atomic_dec(&hdev->promisc);
623 skb_queue_purge(&sk->sk_receive_queue);
624 skb_queue_purge(&sk->sk_write_queue);
630 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
635 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
640 err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
642 hci_dev_unlock(hdev);
647 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
652 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
657 err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
659 hci_dev_unlock(hdev);
664 /* Ioctls that require bound socket */
665 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
668 struct hci_dev *hdev = hci_pi(sk)->hdev;
673 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
676 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
679 if (hdev->dev_type != HCI_PRIMARY)
684 if (!capable(CAP_NET_ADMIN))
689 return hci_get_conn_info(hdev, (void __user *)arg);
692 return hci_get_auth_info(hdev, (void __user *)arg);
695 if (!capable(CAP_NET_ADMIN))
697 return hci_sock_blacklist_add(hdev, (void __user *)arg);
700 if (!capable(CAP_NET_ADMIN))
702 return hci_sock_blacklist_del(hdev, (void __user *)arg);
708 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
711 void __user *argp = (void __user *)arg;
712 struct sock *sk = sock->sk;
715 BT_DBG("cmd %x arg %lx", cmd, arg);
719 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
728 return hci_get_dev_list(argp);
731 return hci_get_dev_info(argp);
734 return hci_get_conn_list(argp);
737 if (!capable(CAP_NET_ADMIN))
739 return hci_dev_open(arg);
742 if (!capable(CAP_NET_ADMIN))
744 return hci_dev_close(arg);
747 if (!capable(CAP_NET_ADMIN))
749 return hci_dev_reset(arg);
752 if (!capable(CAP_NET_ADMIN))
754 return hci_dev_reset_stat(arg);
764 if (!capable(CAP_NET_ADMIN))
766 return hci_dev_cmd(cmd, argp);
769 return hci_inquiry(argp);
774 err = hci_sock_bound_ioctl(sk, cmd, arg);
781 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
784 struct sockaddr_hci haddr;
785 struct sock *sk = sock->sk;
786 struct hci_dev *hdev = NULL;
789 BT_DBG("sock %p sk %p", sock, sk);
794 memset(&haddr, 0, sizeof(haddr));
795 len = min_t(unsigned int, sizeof(haddr), addr_len);
796 memcpy(&haddr, addr, len);
798 if (haddr.hci_family != AF_BLUETOOTH)
803 if (sk->sk_state == BT_BOUND) {
808 switch (haddr.hci_channel) {
809 case HCI_CHANNEL_RAW:
810 if (hci_pi(sk)->hdev) {
815 if (haddr.hci_dev != HCI_DEV_NONE) {
816 hdev = hci_dev_get(haddr.hci_dev);
822 atomic_inc(&hdev->promisc);
825 hci_pi(sk)->hdev = hdev;
828 case HCI_CHANNEL_USER:
829 if (hci_pi(sk)->hdev) {
834 if (haddr.hci_dev == HCI_DEV_NONE) {
839 if (!capable(CAP_NET_ADMIN)) {
844 hdev = hci_dev_get(haddr.hci_dev);
850 if (test_bit(HCI_INIT, &hdev->flags) ||
851 hci_dev_test_flag(hdev, HCI_SETUP) ||
852 hci_dev_test_flag(hdev, HCI_CONFIG) ||
853 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
854 test_bit(HCI_UP, &hdev->flags))) {
860 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
866 mgmt_index_removed(hdev);
868 err = hci_dev_open(hdev->id);
870 if (err == -EALREADY) {
871 /* In case the transport is already up and
872 * running, clear the error here.
874 * This can happen when opening an user
875 * channel and HCI_AUTO_OFF grace period
880 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
881 mgmt_index_added(hdev);
887 atomic_inc(&hdev->promisc);
889 hci_pi(sk)->hdev = hdev;
892 case HCI_CHANNEL_MONITOR:
893 if (haddr.hci_dev != HCI_DEV_NONE) {
898 if (!capable(CAP_NET_RAW)) {
903 /* The monitor interface is restricted to CAP_NET_RAW
904 * capabilities and with that implicitly trusted.
906 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
908 send_monitor_note(sk, "Linux version %s (%s)",
909 init_utsname()->release,
910 init_utsname()->machine);
911 send_monitor_note(sk, "Bluetooth subsystem version %s",
913 send_monitor_replay(sk);
915 atomic_inc(&monitor_promisc);
918 case HCI_CHANNEL_LOGGING:
919 if (haddr.hci_dev != HCI_DEV_NONE) {
924 if (!capable(CAP_NET_ADMIN)) {
931 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
936 if (haddr.hci_dev != HCI_DEV_NONE) {
941 /* Users with CAP_NET_ADMIN capabilities are allowed
942 * access to all management commands and events. For
943 * untrusted users the interface is restricted and
944 * also only untrusted events are sent.
946 if (capable(CAP_NET_ADMIN))
947 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
949 /* At the moment the index and unconfigured index events
950 * are enabled unconditionally. Setting them on each
951 * socket when binding keeps this functionality. They
952 * however might be cleared later and then sending of these
953 * events will be disabled, but that is then intentional.
955 * This also enables generic events that are safe to be
956 * received by untrusted users. Example for such events
957 * are changes to settings, class of device, name etc.
959 if (haddr.hci_channel == HCI_CHANNEL_CONTROL) {
960 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
961 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
962 hci_sock_set_flag(sk, HCI_MGMT_GENERIC_EVENTS);
968 hci_pi(sk)->channel = haddr.hci_channel;
969 sk->sk_state = BT_BOUND;
976 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
977 int *addr_len, int peer)
979 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
980 struct sock *sk = sock->sk;
981 struct hci_dev *hdev;
984 BT_DBG("sock %p sk %p", sock, sk);
991 hdev = hci_pi(sk)->hdev;
997 *addr_len = sizeof(*haddr);
998 haddr->hci_family = AF_BLUETOOTH;
999 haddr->hci_dev = hdev->id;
1000 haddr->hci_channel= hci_pi(sk)->channel;
1007 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1008 struct sk_buff *skb)
1010 __u32 mask = hci_pi(sk)->cmsg_mask;
1012 if (mask & HCI_CMSG_DIR) {
1013 int incoming = bt_cb(skb)->incoming;
1014 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1018 if (mask & HCI_CMSG_TSTAMP) {
1019 #ifdef CONFIG_COMPAT
1020 struct compat_timeval ctv;
1026 skb_get_timestamp(skb, &tv);
1030 #ifdef CONFIG_COMPAT
1031 if (!COMPAT_USE_64BIT_TIME &&
1032 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1033 ctv.tv_sec = tv.tv_sec;
1034 ctv.tv_usec = tv.tv_usec;
1040 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1044 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1045 size_t len, int flags)
1047 int noblock = flags & MSG_DONTWAIT;
1048 struct sock *sk = sock->sk;
1049 struct sk_buff *skb;
1051 unsigned int skblen;
1053 BT_DBG("sock %p, sk %p", sock, sk);
1055 if (flags & MSG_OOB)
1058 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1061 if (sk->sk_state == BT_CLOSED)
1064 skb = skb_recv_datagram(sk, flags, noblock, &err);
1071 msg->msg_flags |= MSG_TRUNC;
1075 skb_reset_transport_header(skb);
1076 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1078 switch (hci_pi(sk)->channel) {
1079 case HCI_CHANNEL_RAW:
1080 hci_sock_cmsg(sk, msg, skb);
1082 case HCI_CHANNEL_USER:
1083 case HCI_CHANNEL_MONITOR:
1084 sock_recv_timestamp(msg, sk, skb);
1087 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1088 sock_recv_timestamp(msg, sk, skb);
1092 skb_free_datagram(sk, skb);
1094 if (msg->msg_flags & MSG_TRUNC)
1097 return err ? : copied;
1100 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1101 struct msghdr *msg, size_t msglen)
1105 struct mgmt_hdr *hdr;
1106 u16 opcode, index, len;
1107 struct hci_dev *hdev = NULL;
1108 const struct hci_mgmt_handler *handler;
1109 bool var_len, no_hdev;
1112 BT_DBG("got %zu bytes", msglen);
1114 if (msglen < sizeof(*hdr))
1117 buf = kmalloc(msglen, GFP_KERNEL);
1121 if (memcpy_from_msg(buf, msg, msglen)) {
1127 opcode = __le16_to_cpu(hdr->opcode);
1128 index = __le16_to_cpu(hdr->index);
1129 len = __le16_to_cpu(hdr->len);
1131 if (len != msglen - sizeof(*hdr)) {
1136 if (opcode >= chan->handler_count ||
1137 chan->handlers[opcode].func == NULL) {
1138 BT_DBG("Unknown op %u", opcode);
1139 err = mgmt_cmd_status(sk, index, opcode,
1140 MGMT_STATUS_UNKNOWN_COMMAND);
1144 handler = &chan->handlers[opcode];
1146 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1147 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1148 err = mgmt_cmd_status(sk, index, opcode,
1149 MGMT_STATUS_PERMISSION_DENIED);
1153 if (index != MGMT_INDEX_NONE) {
1154 hdev = hci_dev_get(index);
1156 err = mgmt_cmd_status(sk, index, opcode,
1157 MGMT_STATUS_INVALID_INDEX);
1161 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1162 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1163 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1164 err = mgmt_cmd_status(sk, index, opcode,
1165 MGMT_STATUS_INVALID_INDEX);
1169 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1170 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1171 err = mgmt_cmd_status(sk, index, opcode,
1172 MGMT_STATUS_INVALID_INDEX);
1177 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1178 if (no_hdev != !hdev) {
1179 err = mgmt_cmd_status(sk, index, opcode,
1180 MGMT_STATUS_INVALID_INDEX);
1184 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1185 if ((var_len && len < handler->data_len) ||
1186 (!var_len && len != handler->data_len)) {
1187 err = mgmt_cmd_status(sk, index, opcode,
1188 MGMT_STATUS_INVALID_PARAMS);
1192 if (hdev && chan->hdev_init)
1193 chan->hdev_init(sk, hdev);
1195 cp = buf + sizeof(*hdr);
1197 err = handler->func(sk, hdev, cp, len);
1211 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
1213 struct hci_mon_hdr *hdr;
1214 struct sk_buff *skb;
1215 struct hci_dev *hdev;
1219 /* The logging frame consists at minimum of the standard header,
1220 * the priority byte, the ident length byte and at least one string
1221 * terminator NUL byte. Anything shorter are invalid packets.
1223 if (len < sizeof(*hdr) + 3)
1226 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1230 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1235 hdr = (void *)skb->data;
1237 if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) {
1242 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1243 __u8 priority = skb->data[sizeof(*hdr)];
1244 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1246 /* Only the priorities 0-7 are valid and with that any other
1247 * value results in an invalid packet.
1249 * The priority byte is followed by an ident length byte and
1250 * the NUL terminated ident string. Check that the ident
1251 * length is not overflowing the packet and also that the
1252 * ident string itself is NUL terminated. In case the ident
1253 * length is zero, the length value actually doubles as NUL
1254 * terminator identifier.
1256 * The message follows the ident string (if present) and
1257 * must be NUL terminated. Otherwise it is not a valid packet.
1259 if (priority > 7 || skb->data[len - 1] != 0x00 ||
1260 ident_len > len - sizeof(*hdr) - 3 ||
1261 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) {
1270 index = __le16_to_cpu(hdr->index);
1272 if (index != MGMT_INDEX_NONE) {
1273 hdev = hci_dev_get(index);
1282 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1284 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1295 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1298 struct sock *sk = sock->sk;
1299 struct hci_mgmt_chan *chan;
1300 struct hci_dev *hdev;
1301 struct sk_buff *skb;
1304 BT_DBG("sock %p sk %p", sock, sk);
1306 if (msg->msg_flags & MSG_OOB)
1309 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
1312 if (len < 4 || len > HCI_MAX_FRAME_SIZE)
1317 switch (hci_pi(sk)->channel) {
1318 case HCI_CHANNEL_RAW:
1319 case HCI_CHANNEL_USER:
1321 case HCI_CHANNEL_MONITOR:
1324 case HCI_CHANNEL_LOGGING:
1325 err = hci_logging_frame(sk, msg, len);
1328 mutex_lock(&mgmt_chan_list_lock);
1329 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1331 err = hci_mgmt_cmd(chan, sk, msg, len);
1335 mutex_unlock(&mgmt_chan_list_lock);
1339 hdev = hci_pi(sk)->hdev;
1345 if (!test_bit(HCI_UP, &hdev->flags)) {
1350 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1354 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1359 hci_skb_pkt_type(skb) = skb->data[0];
1362 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1363 /* No permission check is needed for user channel
1364 * since that gets enforced when binding the socket.
1366 * However check that the packet type is valid.
1368 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1369 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1370 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1375 skb_queue_tail(&hdev->raw_q, skb);
1376 queue_work(hdev->workqueue, &hdev->tx_work);
1377 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1378 u16 opcode = get_unaligned_le16(skb->data);
1379 u16 ogf = hci_opcode_ogf(opcode);
1380 u16 ocf = hci_opcode_ocf(opcode);
1382 if (((ogf > HCI_SFLT_MAX_OGF) ||
1383 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1384 &hci_sec_filter.ocf_mask[ogf])) &&
1385 !capable(CAP_NET_RAW)) {
1390 /* Since the opcode has already been extracted here, store
1391 * a copy of the value for later use by the drivers.
1393 hci_skb_opcode(skb) = opcode;
1396 skb_queue_tail(&hdev->raw_q, skb);
1397 queue_work(hdev->workqueue, &hdev->tx_work);
1399 /* Stand-alone HCI commands must be flagged as
1400 * single-command requests.
1402 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1404 skb_queue_tail(&hdev->cmd_q, skb);
1405 queue_work(hdev->workqueue, &hdev->cmd_work);
1408 if (!capable(CAP_NET_RAW)) {
1413 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1414 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1419 skb_queue_tail(&hdev->raw_q, skb);
1420 queue_work(hdev->workqueue, &hdev->tx_work);
1434 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1435 char __user *optval, unsigned int len)
1437 struct hci_ufilter uf = { .opcode = 0 };
1438 struct sock *sk = sock->sk;
1439 int err = 0, opt = 0;
1441 BT_DBG("sk %p, opt %d", sk, optname);
1445 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1452 if (get_user(opt, (int __user *)optval)) {
1458 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1460 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1463 case HCI_TIME_STAMP:
1464 if (get_user(opt, (int __user *)optval)) {
1470 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1472 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1477 struct hci_filter *f = &hci_pi(sk)->filter;
1479 uf.type_mask = f->type_mask;
1480 uf.opcode = f->opcode;
1481 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1482 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1485 len = min_t(unsigned int, len, sizeof(uf));
1486 if (copy_from_user(&uf, optval, len)) {
1491 if (!capable(CAP_NET_RAW)) {
1492 uf.type_mask &= hci_sec_filter.type_mask;
1493 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1494 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1498 struct hci_filter *f = &hci_pi(sk)->filter;
1500 f->type_mask = uf.type_mask;
1501 f->opcode = uf.opcode;
1502 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1503 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1517 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1518 char __user *optval, int __user *optlen)
1520 struct hci_ufilter uf;
1521 struct sock *sk = sock->sk;
1522 int len, opt, err = 0;
1524 BT_DBG("sk %p, opt %d", sk, optname);
1526 if (get_user(len, optlen))
1531 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1538 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1543 if (put_user(opt, optval))
1547 case HCI_TIME_STAMP:
1548 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1553 if (put_user(opt, optval))
1559 struct hci_filter *f = &hci_pi(sk)->filter;
1561 memset(&uf, 0, sizeof(uf));
1562 uf.type_mask = f->type_mask;
1563 uf.opcode = f->opcode;
1564 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1565 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1568 len = min_t(unsigned int, len, sizeof(uf));
1569 if (copy_to_user(optval, &uf, len))
1583 static const struct proto_ops hci_sock_ops = {
1584 .family = PF_BLUETOOTH,
1585 .owner = THIS_MODULE,
1586 .release = hci_sock_release,
1587 .bind = hci_sock_bind,
1588 .getname = hci_sock_getname,
1589 .sendmsg = hci_sock_sendmsg,
1590 .recvmsg = hci_sock_recvmsg,
1591 .ioctl = hci_sock_ioctl,
1592 .poll = datagram_poll,
1593 .listen = sock_no_listen,
1594 .shutdown = sock_no_shutdown,
1595 .setsockopt = hci_sock_setsockopt,
1596 .getsockopt = hci_sock_getsockopt,
1597 .connect = sock_no_connect,
1598 .socketpair = sock_no_socketpair,
1599 .accept = sock_no_accept,
1600 .mmap = sock_no_mmap
1603 static struct proto hci_sk_proto = {
1605 .owner = THIS_MODULE,
1606 .obj_size = sizeof(struct hci_pinfo)
1609 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1614 BT_DBG("sock %p", sock);
1616 if (sock->type != SOCK_RAW)
1617 return -ESOCKTNOSUPPORT;
1619 sock->ops = &hci_sock_ops;
1621 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
1625 sock_init_data(sock, sk);
1627 sock_reset_flag(sk, SOCK_ZAPPED);
1629 sk->sk_protocol = protocol;
1631 sock->state = SS_UNCONNECTED;
1632 sk->sk_state = BT_OPEN;
1634 bt_sock_link(&hci_sk_list, sk);
1638 static const struct net_proto_family hci_sock_family_ops = {
1639 .family = PF_BLUETOOTH,
1640 .owner = THIS_MODULE,
1641 .create = hci_sock_create,
1644 int __init hci_sock_init(void)
1648 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
1650 err = proto_register(&hci_sk_proto, 0);
1654 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1656 BT_ERR("HCI socket registration failed");
1660 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1662 BT_ERR("Failed to create HCI proc file");
1663 bt_sock_unregister(BTPROTO_HCI);
1667 BT_INFO("HCI socket layer initialized");
1672 proto_unregister(&hci_sk_proto);
1676 void hci_sock_cleanup(void)
1678 bt_procfs_cleanup(&init_net, "hci");
1679 bt_sock_unregister(BTPROTO_HCI);
1680 proto_unregister(&hci_sk_proto);
projects / cascardo / linux.git / blob