1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include <linux/compat.h>
27#include <linux/export.h>
28#include <linux/utsname.h>
29#include <linux/sched.h>
30#include <asm/unaligned.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/hci_mon.h>
35#include <net/bluetooth/mgmt.h>
36
37#include "mgmt_util.h"
38
39static LIST_HEAD(mgmt_chan_list);
40static DEFINE_MUTEX(mgmt_chan_list_lock);
41
42static DEFINE_IDA(sock_cookie_ida);
43
44static atomic_t monitor_promisc = ATOMIC_INIT(0);
45
46
47
48
49#define hci_pi(sk) ((struct hci_pinfo *) sk)
50
51struct hci_pinfo {
52 struct bt_sock bt;
53 struct hci_dev *hdev;
54 struct hci_filter filter;
55 __u8 cmsg_mask;
56 unsigned short channel;
57 unsigned long flags;
58 __u32 cookie;
59 char comm[TASK_COMM_LEN];
60};
61
62static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
63{
64 struct hci_dev *hdev = hci_pi(sk)->hdev;
65
66 if (!hdev)
67 return ERR_PTR(-EBADFD);
68 if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
69 return ERR_PTR(-EPIPE);
70 return hdev;
71}
72
73void hci_sock_set_flag(struct sock *sk, int nr)
74{
75 set_bit(nr, &hci_pi(sk)->flags);
76}
77
78void hci_sock_clear_flag(struct sock *sk, int nr)
79{
80 clear_bit(nr, &hci_pi(sk)->flags);
81}
82
83int hci_sock_test_flag(struct sock *sk, int nr)
84{
85 return test_bit(nr, &hci_pi(sk)->flags);
86}
87
88unsigned short hci_sock_get_channel(struct sock *sk)
89{
90 return hci_pi(sk)->channel;
91}
92
93u32 hci_sock_get_cookie(struct sock *sk)
94{
95 return hci_pi(sk)->cookie;
96}
97
98static bool hci_sock_gen_cookie(struct sock *sk)
99{
100 int id = hci_pi(sk)->cookie;
101
102 if (!id) {
103 id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL);
104 if (id < 0)
105 id = 0xffffffff;
106
107 hci_pi(sk)->cookie = id;
108 get_task_comm(hci_pi(sk)->comm, current);
109 return true;
110 }
111
112 return false;
113}
114
115static void hci_sock_free_cookie(struct sock *sk)
116{
117 int id = hci_pi(sk)->cookie;
118
119 if (id) {
120 hci_pi(sk)->cookie = 0xffffffff;
121 ida_simple_remove(&sock_cookie_ida, id);
122 }
123}
124
125static inline int hci_test_bit(int nr, const void *addr)
126{
127 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
128}
129
130
131#define HCI_SFLT_MAX_OGF 5
132
133struct hci_sec_filter {
134 __u32 type_mask;
135 __u32 event_mask[2];
136 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
137};
138
139static const struct hci_sec_filter hci_sec_filter = {
140
141 0x10,
142
143 { 0x1000d9fe, 0x0000b00c },
144
145 {
146 { 0x0 },
147
148 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
149
150 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
151
152 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
153
154 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
155
156 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
157 }
158};
159
160static struct bt_sock_list hci_sk_list = {
161 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
162};
163
164static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
165{
166 struct hci_filter *flt;
167 int flt_type, flt_event;
168
169
170 flt = &hci_pi(sk)->filter;
171
172 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
173
174 if (!test_bit(flt_type, &flt->type_mask))
175 return true;
176
177
178 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
179 return false;
180
181 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
182
183 if (!hci_test_bit(flt_event, &flt->event_mask))
184 return true;
185
186
187 if (!flt->opcode)
188 return false;
189
190 if (flt_event == HCI_EV_CMD_COMPLETE &&
191 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
192 return true;
193
194 if (flt_event == HCI_EV_CMD_STATUS &&
195 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
196 return true;
197
198 return false;
199}
200
201
202void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
203{
204 struct sock *sk;
205 struct sk_buff *skb_copy = NULL;
206
207 BT_DBG("hdev %p len %d", hdev, skb->len);
208
209 read_lock(&hci_sk_list.lock);
210
211 sk_for_each(sk, &hci_sk_list.head) {
212 struct sk_buff *nskb;
213
214 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
215 continue;
216
217
218 if (skb->sk == sk)
219 continue;
220
221 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
222 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
223 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
224 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
225 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
226 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
227 continue;
228 if (is_filtered_packet(sk, skb))
229 continue;
230 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
231 if (!bt_cb(skb)->incoming)
232 continue;
233 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
234 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
235 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
236 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
237 continue;
238 } else {
239
240 continue;
241 }
242
243 if (!skb_copy) {
244
245 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
246 if (!skb_copy)
247 continue;
248
249
250 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
251 }
252
253 nskb = skb_clone(skb_copy, GFP_ATOMIC);
254 if (!nskb)
255 continue;
256
257 if (sock_queue_rcv_skb(sk, nskb))
258 kfree_skb(nskb);
259 }
260
261 read_unlock(&hci_sk_list.lock);
262
263 kfree_skb(skb_copy);
264}
265
266
267static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
268 int flag, struct sock *skip_sk)
269{
270 struct sock *sk;
271
272 BT_DBG("channel %u len %d", channel, skb->len);
273
274 sk_for_each(sk, &hci_sk_list.head) {
275 struct sk_buff *nskb;
276
277
278 if (!hci_sock_test_flag(sk, flag))
279 continue;
280
281
282 if (sk == skip_sk)
283 continue;
284
285 if (sk->sk_state != BT_BOUND)
286 continue;
287
288 if (hci_pi(sk)->channel != channel)
289 continue;
290
291 nskb = skb_clone(skb, GFP_ATOMIC);
292 if (!nskb)
293 continue;
294
295 if (sock_queue_rcv_skb(sk, nskb))
296 kfree_skb(nskb);
297 }
298
299}
300
301void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
302 int flag, struct sock *skip_sk)
303{
304 read_lock(&hci_sk_list.lock);
305 __hci_send_to_channel(channel, skb, flag, skip_sk);
306 read_unlock(&hci_sk_list.lock);
307}
308
309
310void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
311{
312 struct sk_buff *skb_copy = NULL;
313 struct hci_mon_hdr *hdr;
314 __le16 opcode;
315
316 if (!atomic_read(&monitor_promisc))
317 return;
318
319 BT_DBG("hdev %p len %d", hdev, skb->len);
320
321 switch (hci_skb_pkt_type(skb)) {
322 case HCI_COMMAND_PKT:
323 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
324 break;
325 case HCI_EVENT_PKT:
326 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
327 break;
328 case HCI_ACLDATA_PKT:
329 if (bt_cb(skb)->incoming)
330 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
331 else
332 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
333 break;
334 case HCI_SCODATA_PKT:
335 if (bt_cb(skb)->incoming)
336 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
337 else
338 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
339 break;
340 case HCI_ISODATA_PKT:
341 if (bt_cb(skb)->incoming)
342 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT);
343 else
344 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT);
345 break;
346 case HCI_DIAG_PKT:
347 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
348 break;
349 default:
350 return;
351 }
352
353
354 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
355 if (!skb_copy)
356 return;
357
358
359 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE);
360 hdr->opcode = opcode;
361 hdr->index = cpu_to_le16(hdev->id);
362 hdr->len = cpu_to_le16(skb->len);
363
364 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
365 HCI_SOCK_TRUSTED, NULL);
366 kfree_skb(skb_copy);
367}
368
369void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
370 void *data, u16 data_len, ktime_t tstamp,
371 int flag, struct sock *skip_sk)
372{
373 struct sock *sk;
374 __le16 index;
375
376 if (hdev)
377 index = cpu_to_le16(hdev->id);
378 else
379 index = cpu_to_le16(MGMT_INDEX_NONE);
380
381 read_lock(&hci_sk_list.lock);
382
383 sk_for_each(sk, &hci_sk_list.head) {
384 struct hci_mon_hdr *hdr;
385 struct sk_buff *skb;
386
387 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
388 continue;
389
390
391 if (!hci_sock_test_flag(sk, flag))
392 continue;
393
394
395 if (sk == skip_sk)
396 continue;
397
398 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
399 if (!skb)
400 continue;
401
402 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
403 put_unaligned_le16(event, skb_put(skb, 2));
404
405 if (data)
406 skb_put_data(skb, data, data_len);
407
408 skb->tstamp = tstamp;
409
410 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
411 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
412 hdr->index = index;
413 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
414
415 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
416 HCI_SOCK_TRUSTED, NULL);
417 kfree_skb(skb);
418 }
419
420 read_unlock(&hci_sk_list.lock);
421}
422
423static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
424{
425 struct hci_mon_hdr *hdr;
426 struct hci_mon_new_index *ni;
427 struct hci_mon_index_info *ii;
428 struct sk_buff *skb;
429 __le16 opcode;
430
431 switch (event) {
432 case HCI_DEV_REG:
433 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
434 if (!skb)
435 return NULL;
436
437 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
438 ni->type = hdev->dev_type;
439 ni->bus = hdev->bus;
440 bacpy(&ni->bdaddr, &hdev->bdaddr);
441 memcpy(ni->name, hdev->name, 8);
442
443 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
444 break;
445
446 case HCI_DEV_UNREG:
447 skb = bt_skb_alloc(0, GFP_ATOMIC);
448 if (!skb)
449 return NULL;
450
451 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
452 break;
453
454 case HCI_DEV_SETUP:
455 if (hdev->manufacturer == 0xffff)
456 return NULL;
457 fallthrough;
458
459 case HCI_DEV_UP:
460 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
461 if (!skb)
462 return NULL;
463
464 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
465 bacpy(&ii->bdaddr, &hdev->bdaddr);
466 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
467
468 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
469 break;
470
471 case HCI_DEV_OPEN:
472 skb = bt_skb_alloc(0, GFP_ATOMIC);
473 if (!skb)
474 return NULL;
475
476 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
477 break;
478
479 case HCI_DEV_CLOSE:
480 skb = bt_skb_alloc(0, GFP_ATOMIC);
481 if (!skb)
482 return NULL;
483
484 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
485 break;
486
487 default:
488 return NULL;
489 }
490
491 __net_timestamp(skb);
492
493 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
494 hdr->opcode = opcode;
495 hdr->index = cpu_to_le16(hdev->id);
496 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
497
498 return skb;
499}
500
501static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
502{
503 struct hci_mon_hdr *hdr;
504 struct sk_buff *skb;
505 u16 format;
506 u8 ver[3];
507 u32 flags;
508
509
510 if (!hci_pi(sk)->cookie)
511 return NULL;
512
513 switch (hci_pi(sk)->channel) {
514 case HCI_CHANNEL_RAW:
515 format = 0x0000;
516 ver[0] = BT_SUBSYS_VERSION;
517 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
518 break;
519 case HCI_CHANNEL_USER:
520 format = 0x0001;
521 ver[0] = BT_SUBSYS_VERSION;
522 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
523 break;
524 case HCI_CHANNEL_CONTROL:
525 format = 0x0002;
526 mgmt_fill_version_info(ver);
527 break;
528 default:
529
530 return NULL;
531 }
532
533 skb = bt_skb_alloc(14 + TASK_COMM_LEN , GFP_ATOMIC);
534 if (!skb)
535 return NULL;
536
537 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;
538
539 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
540 put_unaligned_le16(format, skb_put(skb, 2));
541 skb_put_data(skb, ver, sizeof(ver));
542 put_unaligned_le32(flags, skb_put(skb, 4));
543 skb_put_u8(skb, TASK_COMM_LEN);
544 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN);
545
546 __net_timestamp(skb);
547
548 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
549 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
550 if (hci_pi(sk)->hdev)
551 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
552 else
553 hdr->index = cpu_to_le16(HCI_DEV_NONE);
554 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
555
556 return skb;
557}
558
559static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
560{
561 struct hci_mon_hdr *hdr;
562 struct sk_buff *skb;
563
564
565 if (!hci_pi(sk)->cookie)
566 return NULL;
567
568 switch (hci_pi(sk)->channel) {
569 case HCI_CHANNEL_RAW:
570 case HCI_CHANNEL_USER:
571 case HCI_CHANNEL_CONTROL:
572 break;
573 default:
574
575 return NULL;
576 }
577
578 skb = bt_skb_alloc(4, GFP_ATOMIC);
579 if (!skb)
580 return NULL;
581
582 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
583
584 __net_timestamp(skb);
585
586 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
587 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
588 if (hci_pi(sk)->hdev)
589 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
590 else
591 hdr->index = cpu_to_le16(HCI_DEV_NONE);
592 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
593
594 return skb;
595}
596
597static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
598 u16 opcode, u16 len,
599 const void *buf)
600{
601 struct hci_mon_hdr *hdr;
602 struct sk_buff *skb;
603
604 skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
605 if (!skb)
606 return NULL;
607
608 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
609 put_unaligned_le16(opcode, skb_put(skb, 2));
610
611 if (buf)
612 skb_put_data(skb, buf, len);
613
614 __net_timestamp(skb);
615
616 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
617 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
618 hdr->index = cpu_to_le16(index);
619 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
620
621 return skb;
622}
623
624static void __printf(2, 3)
625send_monitor_note(struct sock *sk, const char *fmt, ...)
626{
627 size_t len;
628 struct hci_mon_hdr *hdr;
629 struct sk_buff *skb;
630 va_list args;
631
632 va_start(args, fmt);
633 len = vsnprintf(NULL, 0, fmt, args);
634 va_end(args);
635
636 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
637 if (!skb)
638 return;
639
640 va_start(args, fmt);
641 vsprintf(skb_put(skb, len), fmt, args);
642 *(u8 *)skb_put(skb, 1) = 0;
643 va_end(args);
644
645 __net_timestamp(skb);
646
647 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
648 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
649 hdr->index = cpu_to_le16(HCI_DEV_NONE);
650 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
651
652 if (sock_queue_rcv_skb(sk, skb))
653 kfree_skb(skb);
654}
655
656static void send_monitor_replay(struct sock *sk)
657{
658 struct hci_dev *hdev;
659
660 read_lock(&hci_dev_list_lock);
661
662 list_for_each_entry(hdev, &hci_dev_list, list) {
663 struct sk_buff *skb;
664
665 skb = create_monitor_event(hdev, HCI_DEV_REG);
666 if (!skb)
667 continue;
668
669 if (sock_queue_rcv_skb(sk, skb))
670 kfree_skb(skb);
671
672 if (!test_bit(HCI_RUNNING, &hdev->flags))
673 continue;
674
675 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
676 if (!skb)
677 continue;
678
679 if (sock_queue_rcv_skb(sk, skb))
680 kfree_skb(skb);
681
682 if (test_bit(HCI_UP, &hdev->flags))
683 skb = create_monitor_event(hdev, HCI_DEV_UP);
684 else if (hci_dev_test_flag(hdev, HCI_SETUP))
685 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
686 else
687 skb = NULL;
688
689 if (skb) {
690 if (sock_queue_rcv_skb(sk, skb))
691 kfree_skb(skb);
692 }
693 }
694
695 read_unlock(&hci_dev_list_lock);
696}
697
698static void send_monitor_control_replay(struct sock *mon_sk)
699{
700 struct sock *sk;
701
702 read_lock(&hci_sk_list.lock);
703
704 sk_for_each(sk, &hci_sk_list.head) {
705 struct sk_buff *skb;
706
707 skb = create_monitor_ctrl_open(sk);
708 if (!skb)
709 continue;
710
711 if (sock_queue_rcv_skb(mon_sk, skb))
712 kfree_skb(skb);
713 }
714
715 read_unlock(&hci_sk_list.lock);
716}
717
718
719static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
720{
721 struct hci_event_hdr *hdr;
722 struct hci_ev_stack_internal *ev;
723 struct sk_buff *skb;
724
725 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
726 if (!skb)
727 return;
728
729 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE);
730 hdr->evt = HCI_EV_STACK_INTERNAL;
731 hdr->plen = sizeof(*ev) + dlen;
732
733 ev = skb_put(skb, sizeof(*ev) + dlen);
734 ev->type = type;
735 memcpy(ev->data, data, dlen);
736
737 bt_cb(skb)->incoming = 1;
738 __net_timestamp(skb);
739
740 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
741 hci_send_to_sock(hdev, skb);
742 kfree_skb(skb);
743}
744
745void hci_sock_dev_event(struct hci_dev *hdev, int event)
746{
747 BT_DBG("hdev %s event %d", hdev->name, event);
748
749 if (atomic_read(&monitor_promisc)) {
750 struct sk_buff *skb;
751
752
753 skb = create_monitor_event(hdev, event);
754 if (skb) {
755 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
756 HCI_SOCK_TRUSTED, NULL);
757 kfree_skb(skb);
758 }
759 }
760
761 if (event <= HCI_DEV_DOWN) {
762 struct hci_ev_si_device ev;
763
764
765 ev.event = event;
766 ev.dev_id = hdev->id;
767 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
768 }
769
770 if (event == HCI_DEV_UNREG) {
771 struct sock *sk;
772
773
774 read_lock(&hci_sk_list.lock);
775 sk_for_each(sk, &hci_sk_list.head) {
776 if (hci_pi(sk)->hdev == hdev) {
777 sk->sk_err = EPIPE;
778 sk->sk_state_change(sk);
779 }
780 }
781 read_unlock(&hci_sk_list.lock);
782 }
783}
784
785static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
786{
787 struct hci_mgmt_chan *c;
788
789 list_for_each_entry(c, &mgmt_chan_list, list) {
790 if (c->channel == channel)
791 return c;
792 }
793
794 return NULL;
795}
796
797static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
798{
799 struct hci_mgmt_chan *c;
800
801 mutex_lock(&mgmt_chan_list_lock);
802 c = __hci_mgmt_chan_find(channel);
803 mutex_unlock(&mgmt_chan_list_lock);
804
805 return c;
806}
807
808int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
809{
810 if (c->channel < HCI_CHANNEL_CONTROL)
811 return -EINVAL;
812
813 mutex_lock(&mgmt_chan_list_lock);
814 if (__hci_mgmt_chan_find(c->channel)) {
815 mutex_unlock(&mgmt_chan_list_lock);
816 return -EALREADY;
817 }
818
819 list_add_tail(&c->list, &mgmt_chan_list);
820
821 mutex_unlock(&mgmt_chan_list_lock);
822
823 return 0;
824}
825EXPORT_SYMBOL(hci_mgmt_chan_register);
826
827void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
828{
829 mutex_lock(&mgmt_chan_list_lock);
830 list_del(&c->list);
831 mutex_unlock(&mgmt_chan_list_lock);
832}
833EXPORT_SYMBOL(hci_mgmt_chan_unregister);
834
835static int hci_sock_release(struct socket *sock)
836{
837 struct sock *sk = sock->sk;
838 struct hci_dev *hdev;
839 struct sk_buff *skb;
840
841 BT_DBG("sock %p sk %p", sock, sk);
842
843 if (!sk)
844 return 0;
845
846 lock_sock(sk);
847
848 switch (hci_pi(sk)->channel) {
849 case HCI_CHANNEL_MONITOR:
850 atomic_dec(&monitor_promisc);
851 break;
852 case HCI_CHANNEL_RAW:
853 case HCI_CHANNEL_USER:
854 case HCI_CHANNEL_CONTROL:
855
856 skb = create_monitor_ctrl_close(sk);
857 if (skb) {
858 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
859 HCI_SOCK_TRUSTED, NULL);
860 kfree_skb(skb);
861 }
862
863 hci_sock_free_cookie(sk);
864 break;
865 }
866
867 bt_sock_unlink(&hci_sk_list, sk);
868
869 hdev = hci_pi(sk)->hdev;
870 if (hdev) {
871 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
872
873
874
875
876
877
878
879
880
881 hci_dev_do_close(hdev);
882 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
883 mgmt_index_added(hdev);
884 }
885
886 atomic_dec(&hdev->promisc);
887 hci_dev_put(hdev);
888 }
889
890 sock_orphan(sk);
891
892 skb_queue_purge(&sk->sk_receive_queue);
893 skb_queue_purge(&sk->sk_write_queue);
894
895 release_sock(sk);
896 sock_put(sk);
897 return 0;
898}
899
900static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg)
901{
902 bdaddr_t bdaddr;
903 int err;
904
905 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
906 return -EFAULT;
907
908 hci_dev_lock(hdev);
909
910 err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
911
912 hci_dev_unlock(hdev);
913
914 return err;
915}
916
917static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg)
918{
919 bdaddr_t bdaddr;
920 int err;
921
922 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
923 return -EFAULT;
924
925 hci_dev_lock(hdev);
926
927 err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
928
929 hci_dev_unlock(hdev);
930
931 return err;
932}
933
934
935static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
936 unsigned long arg)
937{
938 struct hci_dev *hdev = hci_hdev_from_sock(sk);
939
940 if (IS_ERR(hdev))
941 return PTR_ERR(hdev);
942
943 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
944 return -EBUSY;
945
946 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
947 return -EOPNOTSUPP;
948
949 if (hdev->dev_type != HCI_PRIMARY)
950 return -EOPNOTSUPP;
951
952 switch (cmd) {
953 case HCISETRAW:
954 if (!capable(CAP_NET_ADMIN))
955 return -EPERM;
956 return -EOPNOTSUPP;
957
958 case HCIGETCONNINFO:
959 return hci_get_conn_info(hdev, (void __user *)arg);
960
961 case HCIGETAUTHINFO:
962 return hci_get_auth_info(hdev, (void __user *)arg);
963
964 case HCIBLOCKADDR:
965 if (!capable(CAP_NET_ADMIN))
966 return -EPERM;
967 return hci_sock_reject_list_add(hdev, (void __user *)arg);
968
969 case HCIUNBLOCKADDR:
970 if (!capable(CAP_NET_ADMIN))
971 return -EPERM;
972 return hci_sock_reject_list_del(hdev, (void __user *)arg);
973 }
974
975 return -ENOIOCTLCMD;
976}
977
978static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
979 unsigned long arg)
980{
981 void __user *argp = (void __user *)arg;
982 struct sock *sk = sock->sk;
983 int err;
984
985 BT_DBG("cmd %x arg %lx", cmd, arg);
986
987 lock_sock(sk);
988
989 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
990 err = -EBADFD;
991 goto done;
992 }
993
994
995
996
997
998
999
1000 if (hci_sock_gen_cookie(sk)) {
1001 struct sk_buff *skb;
1002
1003 if (capable(CAP_NET_ADMIN))
1004 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1005
1006
1007 skb = create_monitor_ctrl_open(sk);
1008 if (skb) {
1009 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1010 HCI_SOCK_TRUSTED, NULL);
1011 kfree_skb(skb);
1012 }
1013 }
1014
1015 release_sock(sk);
1016
1017 switch (cmd) {
1018 case HCIGETDEVLIST:
1019 return hci_get_dev_list(argp);
1020
1021 case HCIGETDEVINFO:
1022 return hci_get_dev_info(argp);
1023
1024 case HCIGETCONNLIST:
1025 return hci_get_conn_list(argp);
1026
1027 case HCIDEVUP:
1028 if (!capable(CAP_NET_ADMIN))
1029 return -EPERM;
1030 return hci_dev_open(arg);
1031
1032 case HCIDEVDOWN:
1033 if (!capable(CAP_NET_ADMIN))
1034 return -EPERM;
1035 return hci_dev_close(arg);
1036
1037 case HCIDEVRESET:
1038 if (!capable(CAP_NET_ADMIN))
1039 return -EPERM;
1040 return hci_dev_reset(arg);
1041
1042 case HCIDEVRESTAT:
1043 if (!capable(CAP_NET_ADMIN))
1044 return -EPERM;
1045 return hci_dev_reset_stat(arg);
1046
1047 case HCISETSCAN:
1048 case HCISETAUTH:
1049 case HCISETENCRYPT:
1050 case HCISETPTYPE:
1051 case HCISETLINKPOL:
1052 case HCISETLINKMODE:
1053 case HCISETACLMTU:
1054 case HCISETSCOMTU:
1055 if (!capable(CAP_NET_ADMIN))
1056 return -EPERM;
1057 return hci_dev_cmd(cmd, argp);
1058
1059 case HCIINQUIRY:
1060 return hci_inquiry(argp);
1061 }
1062
1063 lock_sock(sk);
1064
1065 err = hci_sock_bound_ioctl(sk, cmd, arg);
1066
1067done:
1068 release_sock(sk);
1069 return err;
1070}
1071
1072#ifdef CONFIG_COMPAT
1073static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd,
1074 unsigned long arg)
1075{
1076 switch (cmd) {
1077 case HCIDEVUP:
1078 case HCIDEVDOWN:
1079 case HCIDEVRESET:
1080 case HCIDEVRESTAT:
1081 return hci_sock_ioctl(sock, cmd, arg);
1082 }
1083
1084 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
1085}
1086#endif
1087
1088static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1089 int addr_len)
1090{
1091 struct sockaddr_hci haddr;
1092 struct sock *sk = sock->sk;
1093 struct hci_dev *hdev = NULL;
1094 struct sk_buff *skb;
1095 int len, err = 0;
1096
1097 BT_DBG("sock %p sk %p", sock, sk);
1098
1099 if (!addr)
1100 return -EINVAL;
1101
1102 memset(&haddr, 0, sizeof(haddr));
1103 len = min_t(unsigned int, sizeof(haddr), addr_len);
1104 memcpy(&haddr, addr, len);
1105
1106 if (haddr.hci_family != AF_BLUETOOTH)
1107 return -EINVAL;
1108
1109 lock_sock(sk);
1110
1111
1112
1113
1114
1115 hdev = hci_pi(sk)->hdev;
1116 if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1117 hci_pi(sk)->hdev = NULL;
1118 sk->sk_state = BT_OPEN;
1119 hci_dev_put(hdev);
1120 }
1121 hdev = NULL;
1122
1123 if (sk->sk_state == BT_BOUND) {
1124 err = -EALREADY;
1125 goto done;
1126 }
1127
1128 switch (haddr.hci_channel) {
1129 case HCI_CHANNEL_RAW:
1130 if (hci_pi(sk)->hdev) {
1131 err = -EALREADY;
1132 goto done;
1133 }
1134
1135 if (haddr.hci_dev != HCI_DEV_NONE) {
1136 hdev = hci_dev_get(haddr.hci_dev);
1137 if (!hdev) {
1138 err = -ENODEV;
1139 goto done;
1140 }
1141
1142 atomic_inc(&hdev->promisc);
1143 }
1144
1145 hci_pi(sk)->channel = haddr.hci_channel;
1146
1147 if (!hci_sock_gen_cookie(sk)) {
1148
1149
1150
1151
1152
1153
1154 skb = create_monitor_ctrl_close(sk);
1155 if (skb) {
1156 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1157 HCI_SOCK_TRUSTED, NULL);
1158 kfree_skb(skb);
1159 }
1160 }
1161
1162 if (capable(CAP_NET_ADMIN))
1163 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1164
1165 hci_pi(sk)->hdev = hdev;
1166
1167
1168 skb = create_monitor_ctrl_open(sk);
1169 if (skb) {
1170 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1171 HCI_SOCK_TRUSTED, NULL);
1172 kfree_skb(skb);
1173 }
1174 break;
1175
1176 case HCI_CHANNEL_USER:
1177 if (hci_pi(sk)->hdev) {
1178 err = -EALREADY;
1179 goto done;
1180 }
1181
1182 if (haddr.hci_dev == HCI_DEV_NONE) {
1183 err = -EINVAL;
1184 goto done;
1185 }
1186
1187 if (!capable(CAP_NET_ADMIN)) {
1188 err = -EPERM;
1189 goto done;
1190 }
1191
1192 hdev = hci_dev_get(haddr.hci_dev);
1193 if (!hdev) {
1194 err = -ENODEV;
1195 goto done;
1196 }
1197
1198 if (test_bit(HCI_INIT, &hdev->flags) ||
1199 hci_dev_test_flag(hdev, HCI_SETUP) ||
1200 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1201 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1202 test_bit(HCI_UP, &hdev->flags))) {
1203 err = -EBUSY;
1204 hci_dev_put(hdev);
1205 goto done;
1206 }
1207
1208 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1209 err = -EUSERS;
1210 hci_dev_put(hdev);
1211 goto done;
1212 }
1213
1214 mgmt_index_removed(hdev);
1215
1216 err = hci_dev_open(hdev->id);
1217 if (err) {
1218 if (err == -EALREADY) {
1219
1220
1221
1222
1223
1224
1225
1226 err = 0;
1227 } else {
1228 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1229 mgmt_index_added(hdev);
1230 hci_dev_put(hdev);
1231 goto done;
1232 }
1233 }
1234
1235 hci_pi(sk)->channel = haddr.hci_channel;
1236
1237 if (!hci_sock_gen_cookie(sk)) {
1238
1239
1240
1241
1242
1243 skb = create_monitor_ctrl_close(sk);
1244 if (skb) {
1245 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1246 HCI_SOCK_TRUSTED, NULL);
1247 kfree_skb(skb);
1248 }
1249 }
1250
1251
1252
1253
1254 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1255
1256 hci_pi(sk)->hdev = hdev;
1257
1258
1259 skb = create_monitor_ctrl_open(sk);
1260 if (skb) {
1261 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1262 HCI_SOCK_TRUSTED, NULL);
1263 kfree_skb(skb);
1264 }
1265
1266 atomic_inc(&hdev->promisc);
1267 break;
1268
1269 case HCI_CHANNEL_MONITOR:
1270 if (haddr.hci_dev != HCI_DEV_NONE) {
1271 err = -EINVAL;
1272 goto done;
1273 }
1274
1275 if (!capable(CAP_NET_RAW)) {
1276 err = -EPERM;
1277 goto done;
1278 }
1279
1280 hci_pi(sk)->channel = haddr.hci_channel;
1281
1282
1283
1284
1285 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1286
1287 send_monitor_note(sk, "Linux version %s (%s)",
1288 init_utsname()->release,
1289 init_utsname()->machine);
1290 send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1291 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1292 send_monitor_replay(sk);
1293 send_monitor_control_replay(sk);
1294
1295 atomic_inc(&monitor_promisc);
1296 break;
1297
1298 case HCI_CHANNEL_LOGGING:
1299 if (haddr.hci_dev != HCI_DEV_NONE) {
1300 err = -EINVAL;
1301 goto done;
1302 }
1303
1304 if (!capable(CAP_NET_ADMIN)) {
1305 err = -EPERM;
1306 goto done;
1307 }
1308
1309 hci_pi(sk)->channel = haddr.hci_channel;
1310 break;
1311
1312 default:
1313 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1314 err = -EINVAL;
1315 goto done;
1316 }
1317
1318 if (haddr.hci_dev != HCI_DEV_NONE) {
1319 err = -EINVAL;
1320 goto done;
1321 }
1322
1323
1324
1325
1326
1327
1328 if (capable(CAP_NET_ADMIN))
1329 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1330
1331 hci_pi(sk)->channel = haddr.hci_channel;
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1344 if (!hci_sock_gen_cookie(sk)) {
1345
1346
1347
1348
1349
1350
1351 skb = create_monitor_ctrl_close(sk);
1352 if (skb) {
1353 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1354 HCI_SOCK_TRUSTED, NULL);
1355 kfree_skb(skb);
1356 }
1357 }
1358
1359
1360 skb = create_monitor_ctrl_open(sk);
1361 if (skb) {
1362 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1363 HCI_SOCK_TRUSTED, NULL);
1364 kfree_skb(skb);
1365 }
1366
1367 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1368 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1369 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1370 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1371 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1372 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1373 }
1374 break;
1375 }
1376
1377 sk->sk_state = BT_BOUND;
1378
1379done:
1380 release_sock(sk);
1381 return err;
1382}
1383
1384static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
1385 int peer)
1386{
1387 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
1388 struct sock *sk = sock->sk;
1389 struct hci_dev *hdev;
1390 int err = 0;
1391
1392 BT_DBG("sock %p sk %p", sock, sk);
1393
1394 if (peer)
1395 return -EOPNOTSUPP;
1396
1397 lock_sock(sk);
1398
1399 hdev = hci_hdev_from_sock(sk);
1400 if (IS_ERR(hdev)) {
1401 err = PTR_ERR(hdev);
1402 goto done;
1403 }
1404
1405 haddr->hci_family = AF_BLUETOOTH;
1406 haddr->hci_dev = hdev->id;
1407 haddr->hci_channel= hci_pi(sk)->channel;
1408 err = sizeof(*haddr);
1409
1410done:
1411 release_sock(sk);
1412 return err;
1413}
1414
1415static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1416 struct sk_buff *skb)
1417{
1418 __u8 mask = hci_pi(sk)->cmsg_mask;
1419
1420 if (mask & HCI_CMSG_DIR) {
1421 int incoming = bt_cb(skb)->incoming;
1422 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1423 &incoming);
1424 }
1425
1426 if (mask & HCI_CMSG_TSTAMP) {
1427#ifdef CONFIG_COMPAT
1428 struct old_timeval32 ctv;
1429#endif
1430 struct __kernel_old_timeval tv;
1431 void *data;
1432 int len;
1433
1434 skb_get_timestamp(skb, &tv);
1435
1436 data = &tv;
1437 len = sizeof(tv);
1438#ifdef CONFIG_COMPAT
1439 if (!COMPAT_USE_64BIT_TIME &&
1440 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1441 ctv.tv_sec = tv.tv_sec;
1442 ctv.tv_usec = tv.tv_usec;
1443 data = &ctv;
1444 len = sizeof(ctv);
1445 }
1446#endif
1447
1448 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1449 }
1450}
1451
1452static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1453 size_t len, int flags)
1454{
1455 int noblock = flags & MSG_DONTWAIT;
1456 struct sock *sk = sock->sk;
1457 struct sk_buff *skb;
1458 int copied, err;
1459 unsigned int skblen;
1460
1461 BT_DBG("sock %p, sk %p", sock, sk);
1462
1463 if (flags & MSG_OOB)
1464 return -EOPNOTSUPP;
1465
1466 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1467 return -EOPNOTSUPP;
1468
1469 if (sk->sk_state == BT_CLOSED)
1470 return 0;
1471
1472 skb = skb_recv_datagram(sk, flags, noblock, &err);
1473 if (!skb)
1474 return err;
1475
1476 skblen = skb->len;
1477 copied = skb->len;
1478 if (len < copied) {
1479 msg->msg_flags |= MSG_TRUNC;
1480 copied = len;
1481 }
1482
1483 skb_reset_transport_header(skb);
1484 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1485
1486 switch (hci_pi(sk)->channel) {
1487 case HCI_CHANNEL_RAW:
1488 hci_sock_cmsg(sk, msg, skb);
1489 break;
1490 case HCI_CHANNEL_USER:
1491 case HCI_CHANNEL_MONITOR:
1492 sock_recv_timestamp(msg, sk, skb);
1493 break;
1494 default:
1495 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1496 sock_recv_timestamp(msg, sk, skb);
1497 break;
1498 }
1499
1500 skb_free_datagram(sk, skb);
1501
1502 if (flags & MSG_TRUNC)
1503 copied = skblen;
1504
1505 return err ? : copied;
1506}
1507
1508static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1509 struct msghdr *msg, size_t msglen)
1510{
1511 void *buf;
1512 u8 *cp;
1513 struct mgmt_hdr *hdr;
1514 u16 opcode, index, len;
1515 struct hci_dev *hdev = NULL;
1516 const struct hci_mgmt_handler *handler;
1517 bool var_len, no_hdev;
1518 int err;
1519
1520 BT_DBG("got %zu bytes", msglen);
1521
1522 if (msglen < sizeof(*hdr))
1523 return -EINVAL;
1524
1525 buf = kmalloc(msglen, GFP_KERNEL);
1526 if (!buf)
1527 return -ENOMEM;
1528
1529 if (memcpy_from_msg(buf, msg, msglen)) {
1530 err = -EFAULT;
1531 goto done;
1532 }
1533
1534 hdr = buf;
1535 opcode = __le16_to_cpu(hdr->opcode);
1536 index = __le16_to_cpu(hdr->index);
1537 len = __le16_to_cpu(hdr->len);
1538
1539 if (len != msglen - sizeof(*hdr)) {
1540 err = -EINVAL;
1541 goto done;
1542 }
1543
1544 if (chan->channel == HCI_CHANNEL_CONTROL) {
1545 struct sk_buff *skb;
1546
1547
1548 skb = create_monitor_ctrl_command(sk, index, opcode, len,
1549 buf + sizeof(*hdr));
1550 if (skb) {
1551 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1552 HCI_SOCK_TRUSTED, NULL);
1553 kfree_skb(skb);
1554 }
1555 }
1556
1557 if (opcode >= chan->handler_count ||
1558 chan->handlers[opcode].func == NULL) {
1559 BT_DBG("Unknown op %u", opcode);
1560 err = mgmt_cmd_status(sk, index, opcode,
1561 MGMT_STATUS_UNKNOWN_COMMAND);
1562 goto done;
1563 }
1564
1565 handler = &chan->handlers[opcode];
1566
1567 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1568 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1569 err = mgmt_cmd_status(sk, index, opcode,
1570 MGMT_STATUS_PERMISSION_DENIED);
1571 goto done;
1572 }
1573
1574 if (index != MGMT_INDEX_NONE) {
1575 hdev = hci_dev_get(index);
1576 if (!hdev) {
1577 err = mgmt_cmd_status(sk, index, opcode,
1578 MGMT_STATUS_INVALID_INDEX);
1579 goto done;
1580 }
1581
1582 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1583 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1584 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1585 err = mgmt_cmd_status(sk, index, opcode,
1586 MGMT_STATUS_INVALID_INDEX);
1587 goto done;
1588 }
1589
1590 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1591 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1592 err = mgmt_cmd_status(sk, index, opcode,
1593 MGMT_STATUS_INVALID_INDEX);
1594 goto done;
1595 }
1596 }
1597
1598 if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) {
1599 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1600 if (no_hdev != !hdev) {
1601 err = mgmt_cmd_status(sk, index, opcode,
1602 MGMT_STATUS_INVALID_INDEX);
1603 goto done;
1604 }
1605 }
1606
1607 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1608 if ((var_len && len < handler->data_len) ||
1609 (!var_len && len != handler->data_len)) {
1610 err = mgmt_cmd_status(sk, index, opcode,
1611 MGMT_STATUS_INVALID_PARAMS);
1612 goto done;
1613 }
1614
1615 if (hdev && chan->hdev_init)
1616 chan->hdev_init(sk, hdev);
1617
1618 cp = buf + sizeof(*hdr);
1619
1620 err = handler->func(sk, hdev, cp, len);
1621 if (err < 0)
1622 goto done;
1623
1624 err = msglen;
1625
1626done:
1627 if (hdev)
1628 hci_dev_put(hdev);
1629
1630 kfree(buf);
1631 return err;
1632}
1633
1634static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
1635{
1636 struct hci_mon_hdr *hdr;
1637 struct sk_buff *skb;
1638 struct hci_dev *hdev;
1639 u16 index;
1640 int err;
1641
1642
1643
1644
1645
1646 if (len < sizeof(*hdr) + 3)
1647 return -EINVAL;
1648
1649 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1650 if (!skb)
1651 return err;
1652
1653 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1654 err = -EFAULT;
1655 goto drop;
1656 }
1657
1658 hdr = (void *)skb->data;
1659
1660 if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) {
1661 err = -EINVAL;
1662 goto drop;
1663 }
1664
1665 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1666 __u8 priority = skb->data[sizeof(*hdr)];
1667 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682 if (priority > 7 || skb->data[len - 1] != 0x00 ||
1683 ident_len > len - sizeof(*hdr) - 3 ||
1684 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) {
1685 err = -EINVAL;
1686 goto drop;
1687 }
1688 } else {
1689 err = -EINVAL;
1690 goto drop;
1691 }
1692
1693 index = __le16_to_cpu(hdr->index);
1694
1695 if (index != MGMT_INDEX_NONE) {
1696 hdev = hci_dev_get(index);
1697 if (!hdev) {
1698 err = -ENODEV;
1699 goto drop;
1700 }
1701 } else {
1702 hdev = NULL;
1703 }
1704
1705 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1706
1707 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1708 err = len;
1709
1710 if (hdev)
1711 hci_dev_put(hdev);
1712
1713drop:
1714 kfree_skb(skb);
1715 return err;
1716}
1717
1718static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1719 size_t len)
1720{
1721 struct sock *sk = sock->sk;
1722 struct hci_mgmt_chan *chan;
1723 struct hci_dev *hdev;
1724 struct sk_buff *skb;
1725 int err;
1726
1727 BT_DBG("sock %p sk %p", sock, sk);
1728
1729 if (msg->msg_flags & MSG_OOB)
1730 return -EOPNOTSUPP;
1731
1732 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE|
1733 MSG_CMSG_COMPAT))
1734 return -EINVAL;
1735
1736 if (len < 4 || len > HCI_MAX_FRAME_SIZE)
1737 return -EINVAL;
1738
1739 lock_sock(sk);
1740
1741 switch (hci_pi(sk)->channel) {
1742 case HCI_CHANNEL_RAW:
1743 case HCI_CHANNEL_USER:
1744 break;
1745 case HCI_CHANNEL_MONITOR:
1746 err = -EOPNOTSUPP;
1747 goto done;
1748 case HCI_CHANNEL_LOGGING:
1749 err = hci_logging_frame(sk, msg, len);
1750 goto done;
1751 default:
1752 mutex_lock(&mgmt_chan_list_lock);
1753 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1754 if (chan)
1755 err = hci_mgmt_cmd(chan, sk, msg, len);
1756 else
1757 err = -EINVAL;
1758
1759 mutex_unlock(&mgmt_chan_list_lock);
1760 goto done;
1761 }
1762
1763 hdev = hci_hdev_from_sock(sk);
1764 if (IS_ERR(hdev)) {
1765 err = PTR_ERR(hdev);
1766 goto done;
1767 }
1768
1769 if (!test_bit(HCI_UP, &hdev->flags)) {
1770 err = -ENETDOWN;
1771 goto done;
1772 }
1773
1774 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1775 if (!skb)
1776 goto done;
1777
1778 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1779 err = -EFAULT;
1780 goto drop;
1781 }
1782
1783 hci_skb_pkt_type(skb) = skb->data[0];
1784 skb_pull(skb, 1);
1785
1786 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1787
1788
1789
1790
1791
1792 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1793 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1794 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1795 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1796 err = -EINVAL;
1797 goto drop;
1798 }
1799
1800 skb_queue_tail(&hdev->raw_q, skb);
1801 queue_work(hdev->workqueue, &hdev->tx_work);
1802 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1803 u16 opcode = get_unaligned_le16(skb->data);
1804 u16 ogf = hci_opcode_ogf(opcode);
1805 u16 ocf = hci_opcode_ocf(opcode);
1806
1807 if (((ogf > HCI_SFLT_MAX_OGF) ||
1808 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1809 &hci_sec_filter.ocf_mask[ogf])) &&
1810 !capable(CAP_NET_RAW)) {
1811 err = -EPERM;
1812 goto drop;
1813 }
1814
1815
1816
1817
1818 hci_skb_opcode(skb) = opcode;
1819
1820 if (ogf == 0x3f) {
1821 skb_queue_tail(&hdev->raw_q, skb);
1822 queue_work(hdev->workqueue, &hdev->tx_work);
1823 } else {
1824
1825
1826
1827 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1828
1829 skb_queue_tail(&hdev->cmd_q, skb);
1830 queue_work(hdev->workqueue, &hdev->cmd_work);
1831 }
1832 } else {
1833 if (!capable(CAP_NET_RAW)) {
1834 err = -EPERM;
1835 goto drop;
1836 }
1837
1838 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1839 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1840 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1841 err = -EINVAL;
1842 goto drop;
1843 }
1844
1845 skb_queue_tail(&hdev->raw_q, skb);
1846 queue_work(hdev->workqueue, &hdev->tx_work);
1847 }
1848
1849 err = len;
1850
1851done:
1852 release_sock(sk);
1853 return err;
1854
1855drop:
1856 kfree_skb(skb);
1857 goto done;
1858}
1859
1860static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1861 sockptr_t optval, unsigned int len)
1862{
1863 struct hci_ufilter uf = { .opcode = 0 };
1864 struct sock *sk = sock->sk;
1865 int err = 0, opt = 0;
1866
1867 BT_DBG("sk %p, opt %d", sk, optname);
1868
1869 if (level != SOL_HCI)
1870 return -ENOPROTOOPT;
1871
1872 lock_sock(sk);
1873
1874 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1875 err = -EBADFD;
1876 goto done;
1877 }
1878
1879 switch (optname) {
1880 case HCI_DATA_DIR:
1881 if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
1882 err = -EFAULT;
1883 break;
1884 }
1885
1886 if (opt)
1887 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1888 else
1889 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1890 break;
1891
1892 case HCI_TIME_STAMP:
1893 if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
1894 err = -EFAULT;
1895 break;
1896 }
1897
1898 if (opt)
1899 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1900 else
1901 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1902 break;
1903
1904 case HCI_FILTER:
1905 {
1906 struct hci_filter *f = &hci_pi(sk)->filter;
1907
1908 uf.type_mask = f->type_mask;
1909 uf.opcode = f->opcode;
1910 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1911 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1912 }
1913
1914 len = min_t(unsigned int, len, sizeof(uf));
1915 if (copy_from_sockptr(&uf, optval, len)) {
1916 err = -EFAULT;
1917 break;
1918 }
1919
1920 if (!capable(CAP_NET_RAW)) {
1921 uf.type_mask &= hci_sec_filter.type_mask;
1922 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1923 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1924 }
1925
1926 {
1927 struct hci_filter *f = &hci_pi(sk)->filter;
1928
1929 f->type_mask = uf.type_mask;
1930 f->opcode = uf.opcode;
1931 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1932 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1933 }
1934 break;
1935
1936 default:
1937 err = -ENOPROTOOPT;
1938 break;
1939 }
1940
1941done:
1942 release_sock(sk);
1943 return err;
1944}
1945
1946static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1947 char __user *optval, int __user *optlen)
1948{
1949 struct hci_ufilter uf;
1950 struct sock *sk = sock->sk;
1951 int len, opt, err = 0;
1952
1953 BT_DBG("sk %p, opt %d", sk, optname);
1954
1955 if (level != SOL_HCI)
1956 return -ENOPROTOOPT;
1957
1958 if (get_user(len, optlen))
1959 return -EFAULT;
1960
1961 lock_sock(sk);
1962
1963 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1964 err = -EBADFD;
1965 goto done;
1966 }
1967
1968 switch (optname) {
1969 case HCI_DATA_DIR:
1970 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1971 opt = 1;
1972 else
1973 opt = 0;
1974
1975 if (put_user(opt, optval))
1976 err = -EFAULT;
1977 break;
1978
1979 case HCI_TIME_STAMP:
1980 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1981 opt = 1;
1982 else
1983 opt = 0;
1984
1985 if (put_user(opt, optval))
1986 err = -EFAULT;
1987 break;
1988
1989 case HCI_FILTER:
1990 {
1991 struct hci_filter *f = &hci_pi(sk)->filter;
1992
1993 memset(&uf, 0, sizeof(uf));
1994 uf.type_mask = f->type_mask;
1995 uf.opcode = f->opcode;
1996 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1997 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1998 }
1999
2000 len = min_t(unsigned int, len, sizeof(uf));
2001 if (copy_to_user(optval, &uf, len))
2002 err = -EFAULT;
2003 break;
2004
2005 default:
2006 err = -ENOPROTOOPT;
2007 break;
2008 }
2009
2010done:
2011 release_sock(sk);
2012 return err;
2013}
2014
2015static const struct proto_ops hci_sock_ops = {
2016 .family = PF_BLUETOOTH,
2017 .owner = THIS_MODULE,
2018 .release = hci_sock_release,
2019 .bind = hci_sock_bind,
2020 .getname = hci_sock_getname,
2021 .sendmsg = hci_sock_sendmsg,
2022 .recvmsg = hci_sock_recvmsg,
2023 .ioctl = hci_sock_ioctl,
2024#ifdef CONFIG_COMPAT
2025 .compat_ioctl = hci_sock_compat_ioctl,
2026#endif
2027 .poll = datagram_poll,
2028 .listen = sock_no_listen,
2029 .shutdown = sock_no_shutdown,
2030 .setsockopt = hci_sock_setsockopt,
2031 .getsockopt = hci_sock_getsockopt,
2032 .connect = sock_no_connect,
2033 .socketpair = sock_no_socketpair,
2034 .accept = sock_no_accept,
2035 .mmap = sock_no_mmap
2036};
2037
2038static struct proto hci_sk_proto = {
2039 .name = "HCI",
2040 .owner = THIS_MODULE,
2041 .obj_size = sizeof(struct hci_pinfo)
2042};
2043
2044static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
2045 int kern)
2046{
2047 struct sock *sk;
2048
2049 BT_DBG("sock %p", sock);
2050
2051 if (sock->type != SOCK_RAW)
2052 return -ESOCKTNOSUPPORT;
2053
2054 sock->ops = &hci_sock_ops;
2055
2056 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
2057 if (!sk)
2058 return -ENOMEM;
2059
2060 sock_init_data(sock, sk);
2061
2062 sock_reset_flag(sk, SOCK_ZAPPED);
2063
2064 sk->sk_protocol = protocol;
2065
2066 sock->state = SS_UNCONNECTED;
2067 sk->sk_state = BT_OPEN;
2068
2069 bt_sock_link(&hci_sk_list, sk);
2070 return 0;
2071}
2072
2073static const struct net_proto_family hci_sock_family_ops = {
2074 .family = PF_BLUETOOTH,
2075 .owner = THIS_MODULE,
2076 .create = hci_sock_create,
2077};
2078
2079int __init hci_sock_init(void)
2080{
2081 int err;
2082
2083 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
2084
2085 err = proto_register(&hci_sk_proto, 0);
2086 if (err < 0)
2087 return err;
2088
2089 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
2090 if (err < 0) {
2091 BT_ERR("HCI socket registration failed");
2092 goto error;
2093 }
2094
2095 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
2096 if (err < 0) {
2097 BT_ERR("Failed to create HCI proc file");
2098 bt_sock_unregister(BTPROTO_HCI);
2099 goto error;
2100 }
2101
2102 BT_INFO("HCI socket layer initialized");
2103
2104 return 0;
2105
2106error:
2107 proto_unregister(&hci_sk_proto);
2108 return err;
2109}
2110
2111void hci_sock_cleanup(void)
2112{
2113 bt_procfs_cleanup(&init_net, "hci");
2114 bt_sock_unregister(BTPROTO_HCI);
2115 proto_unregister(&hci_sk_proto);
2116}
2117