1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI sockets. */
26 #include <linux/compat.h>
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <linux/sched.h>
30 #include <asm/unaligned.h>
31
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/hci_mon.h>
35 #include <net/bluetooth/mgmt.h>
36
37 #include "mgmt_util.h"
38
39 static LIST_HEAD(mgmt_chan_list);
40 static DEFINE_MUTEX(mgmt_chan_list_lock);
41
42 static DEFINE_IDA(sock_cookie_ida);
43
44 static atomic_t monitor_promisc = ATOMIC_INIT(0);
45
46 /* ----- HCI socket interface ----- */
47
48 /* Socket info */
49 #define hci_pi(sk) ((struct hci_pinfo *) sk)
50
51 struct hci_pinfo {
52 struct bt_sock bt;
53 struct hci_dev *hdev;
54 struct hci_filter filter;
55 __u8 cmsg_mask;
56 unsigned short channel;
57 unsigned long flags;
58 __u32 cookie;
59 char comm[TASK_COMM_LEN];
60 __u16 mtu;
61 };
62
hci_hdev_from_sock(struct sock * sk)63 static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
64 {
65 struct hci_dev *hdev = hci_pi(sk)->hdev;
66
67 if (!hdev)
68 return ERR_PTR(-EBADFD);
69 if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
70 return ERR_PTR(-EPIPE);
71 return hdev;
72 }
73
hci_sock_set_flag(struct sock * sk,int nr)74 void hci_sock_set_flag(struct sock *sk, int nr)
75 {
76 set_bit(nr, &hci_pi(sk)->flags);
77 }
78
hci_sock_clear_flag(struct sock * sk,int nr)79 void hci_sock_clear_flag(struct sock *sk, int nr)
80 {
81 clear_bit(nr, &hci_pi(sk)->flags);
82 }
83
hci_sock_test_flag(struct sock * sk,int nr)84 int hci_sock_test_flag(struct sock *sk, int nr)
85 {
86 return test_bit(nr, &hci_pi(sk)->flags);
87 }
88
hci_sock_get_channel(struct sock * sk)89 unsigned short hci_sock_get_channel(struct sock *sk)
90 {
91 return hci_pi(sk)->channel;
92 }
93
hci_sock_get_cookie(struct sock * sk)94 u32 hci_sock_get_cookie(struct sock *sk)
95 {
96 return hci_pi(sk)->cookie;
97 }
98
hci_sock_gen_cookie(struct sock * sk)99 static bool hci_sock_gen_cookie(struct sock *sk)
100 {
101 int id = hci_pi(sk)->cookie;
102
103 if (!id) {
104 id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL);
105 if (id < 0)
106 id = 0xffffffff;
107
108 hci_pi(sk)->cookie = id;
109 get_task_comm(hci_pi(sk)->comm, current);
110 return true;
111 }
112
113 return false;
114 }
115
hci_sock_free_cookie(struct sock * sk)116 static void hci_sock_free_cookie(struct sock *sk)
117 {
118 int id = hci_pi(sk)->cookie;
119
120 if (id) {
121 hci_pi(sk)->cookie = 0xffffffff;
122 ida_simple_remove(&sock_cookie_ida, id);
123 }
124 }
125
hci_test_bit(int nr,const void * addr)126 static inline int hci_test_bit(int nr, const void *addr)
127 {
128 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
129 }
130
131 /* Security filter */
132 #define HCI_SFLT_MAX_OGF 5
133
134 struct hci_sec_filter {
135 __u32 type_mask;
136 __u32 event_mask[2];
137 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
138 };
139
140 static const struct hci_sec_filter hci_sec_filter = {
141 /* Packet types */
142 0x10,
143 /* Events */
144 { 0x1000d9fe, 0x0000b00c },
145 /* Commands */
146 {
147 { 0x0 },
148 /* OGF_LINK_CTL */
149 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
150 /* OGF_LINK_POLICY */
151 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
152 /* OGF_HOST_CTL */
153 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
154 /* OGF_INFO_PARAM */
155 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
156 /* OGF_STATUS_PARAM */
157 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
158 }
159 };
160
161 static struct bt_sock_list hci_sk_list = {
162 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
163 };
164
is_filtered_packet(struct sock * sk,struct sk_buff * skb)165 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
166 {
167 struct hci_filter *flt;
168 int flt_type, flt_event;
169
170 /* Apply filter */
171 flt = &hci_pi(sk)->filter;
172
173 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
174
175 if (!test_bit(flt_type, &flt->type_mask))
176 return true;
177
178 /* Extra filter for event packets only */
179 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
180 return false;
181
182 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
183
184 if (!hci_test_bit(flt_event, &flt->event_mask))
185 return true;
186
187 /* Check filter only when opcode is set */
188 if (!flt->opcode)
189 return false;
190
191 if (flt_event == HCI_EV_CMD_COMPLETE &&
192 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
193 return true;
194
195 if (flt_event == HCI_EV_CMD_STATUS &&
196 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
197 return true;
198
199 return false;
200 }
201
202 /* Send frame to RAW socket */
hci_send_to_sock(struct hci_dev * hdev,struct sk_buff * skb)203 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
204 {
205 struct sock *sk;
206 struct sk_buff *skb_copy = NULL;
207
208 BT_DBG("hdev %p len %d", hdev, skb->len);
209
210 read_lock(&hci_sk_list.lock);
211
212 sk_for_each(sk, &hci_sk_list.head) {
213 struct sk_buff *nskb;
214
215 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
216 continue;
217
218 /* Don't send frame to the socket it came from */
219 if (skb->sk == sk)
220 continue;
221
222 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
223 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
224 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
225 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
226 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
227 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
228 continue;
229 if (is_filtered_packet(sk, skb))
230 continue;
231 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
232 if (!bt_cb(skb)->incoming)
233 continue;
234 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
235 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
236 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
237 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
238 continue;
239 } else {
240 /* Don't send frame to other channel types */
241 continue;
242 }
243
244 if (!skb_copy) {
245 /* Create a private copy with headroom */
246 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
247 if (!skb_copy)
248 continue;
249
250 /* Put type byte before the data */
251 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
252 }
253
254 nskb = skb_clone(skb_copy, GFP_ATOMIC);
255 if (!nskb)
256 continue;
257
258 if (sock_queue_rcv_skb(sk, nskb))
259 kfree_skb(nskb);
260 }
261
262 read_unlock(&hci_sk_list.lock);
263
264 kfree_skb(skb_copy);
265 }
266
hci_sock_copy_creds(struct sock * sk,struct sk_buff * skb)267 static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb)
268 {
269 struct scm_creds *creds;
270
271 if (!sk || WARN_ON(!skb))
272 return;
273
274 creds = &bt_cb(skb)->creds;
275
276 /* Check if peer credentials is set */
277 if (!sk->sk_peer_pid) {
278 /* Check if parent peer credentials is set */
279 if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid)
280 sk = bt_sk(sk)->parent;
281 else
282 return;
283 }
284
285 /* Check if scm_creds already set */
286 if (creds->pid == pid_vnr(sk->sk_peer_pid))
287 return;
288
289 memset(creds, 0, sizeof(*creds));
290
291 creds->pid = pid_vnr(sk->sk_peer_pid);
292 if (sk->sk_peer_cred) {
293 creds->uid = sk->sk_peer_cred->uid;
294 creds->gid = sk->sk_peer_cred->gid;
295 }
296 }
297
hci_skb_clone(struct sk_buff * skb)298 static struct sk_buff *hci_skb_clone(struct sk_buff *skb)
299 {
300 struct sk_buff *nskb;
301
302 if (!skb)
303 return NULL;
304
305 nskb = skb_clone(skb, GFP_ATOMIC);
306 if (!nskb)
307 return NULL;
308
309 hci_sock_copy_creds(skb->sk, nskb);
310
311 return nskb;
312 }
313
314 /* Send frame to sockets with specific channel */
__hci_send_to_channel(unsigned short channel,struct sk_buff * skb,int flag,struct sock * skip_sk)315 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
316 int flag, struct sock *skip_sk)
317 {
318 struct sock *sk;
319
320 BT_DBG("channel %u len %d", channel, skb->len);
321
322 sk_for_each(sk, &hci_sk_list.head) {
323 struct sk_buff *nskb;
324
325 /* Ignore socket without the flag set */
326 if (!hci_sock_test_flag(sk, flag))
327 continue;
328
329 /* Skip the original socket */
330 if (sk == skip_sk)
331 continue;
332
333 if (sk->sk_state != BT_BOUND)
334 continue;
335
336 if (hci_pi(sk)->channel != channel)
337 continue;
338
339 nskb = hci_skb_clone(skb);
340 if (!nskb)
341 continue;
342
343 if (sock_queue_rcv_skb(sk, nskb))
344 kfree_skb(nskb);
345 }
346
347 }
348
hci_send_to_channel(unsigned short channel,struct sk_buff * skb,int flag,struct sock * skip_sk)349 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
350 int flag, struct sock *skip_sk)
351 {
352 read_lock(&hci_sk_list.lock);
353 __hci_send_to_channel(channel, skb, flag, skip_sk);
354 read_unlock(&hci_sk_list.lock);
355 }
356
357 /* Send frame to monitor socket */
hci_send_to_monitor(struct hci_dev * hdev,struct sk_buff * skb)358 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
359 {
360 struct sk_buff *skb_copy = NULL;
361 struct hci_mon_hdr *hdr;
362 __le16 opcode;
363
364 if (!atomic_read(&monitor_promisc))
365 return;
366
367 BT_DBG("hdev %p len %d", hdev, skb->len);
368
369 switch (hci_skb_pkt_type(skb)) {
370 case HCI_COMMAND_PKT:
371 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
372 break;
373 case HCI_EVENT_PKT:
374 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
375 break;
376 case HCI_ACLDATA_PKT:
377 if (bt_cb(skb)->incoming)
378 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
379 else
380 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
381 break;
382 case HCI_SCODATA_PKT:
383 if (bt_cb(skb)->incoming)
384 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
385 else
386 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
387 break;
388 case HCI_ISODATA_PKT:
389 if (bt_cb(skb)->incoming)
390 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT);
391 else
392 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT);
393 break;
394 case HCI_DIAG_PKT:
395 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
396 break;
397 default:
398 return;
399 }
400
401 /* Create a private copy with headroom */
402 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
403 if (!skb_copy)
404 return;
405
406 hci_sock_copy_creds(skb->sk, skb_copy);
407
408 /* Put header before the data */
409 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE);
410 hdr->opcode = opcode;
411 hdr->index = cpu_to_le16(hdev->id);
412 hdr->len = cpu_to_le16(skb->len);
413
414 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
415 HCI_SOCK_TRUSTED, NULL);
416 kfree_skb(skb_copy);
417 }
418
hci_send_monitor_ctrl_event(struct hci_dev * hdev,u16 event,void * data,u16 data_len,ktime_t tstamp,int flag,struct sock * skip_sk)419 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
420 void *data, u16 data_len, ktime_t tstamp,
421 int flag, struct sock *skip_sk)
422 {
423 struct sock *sk;
424 __le16 index;
425
426 if (hdev)
427 index = cpu_to_le16(hdev->id);
428 else
429 index = cpu_to_le16(MGMT_INDEX_NONE);
430
431 read_lock(&hci_sk_list.lock);
432
433 sk_for_each(sk, &hci_sk_list.head) {
434 struct hci_mon_hdr *hdr;
435 struct sk_buff *skb;
436
437 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
438 continue;
439
440 /* Ignore socket without the flag set */
441 if (!hci_sock_test_flag(sk, flag))
442 continue;
443
444 /* Skip the original socket */
445 if (sk == skip_sk)
446 continue;
447
448 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
449 if (!skb)
450 continue;
451
452 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
453 put_unaligned_le16(event, skb_put(skb, 2));
454
455 if (data)
456 skb_put_data(skb, data, data_len);
457
458 skb->tstamp = tstamp;
459
460 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
461 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
462 hdr->index = index;
463 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
464
465 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
466 HCI_SOCK_TRUSTED, NULL);
467 kfree_skb(skb);
468 }
469
470 read_unlock(&hci_sk_list.lock);
471 }
472
create_monitor_event(struct hci_dev * hdev,int event)473 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
474 {
475 struct hci_mon_hdr *hdr;
476 struct hci_mon_new_index *ni;
477 struct hci_mon_index_info *ii;
478 struct sk_buff *skb;
479 __le16 opcode;
480
481 switch (event) {
482 case HCI_DEV_REG:
483 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
484 if (!skb)
485 return NULL;
486
487 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
488 ni->type = hdev->dev_type;
489 ni->bus = hdev->bus;
490 bacpy(&ni->bdaddr, &hdev->bdaddr);
491 memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name,
492 strnlen(hdev->name, sizeof(ni->name)), '\0');
493
494 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
495 break;
496
497 case HCI_DEV_UNREG:
498 skb = bt_skb_alloc(0, GFP_ATOMIC);
499 if (!skb)
500 return NULL;
501
502 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
503 break;
504
505 case HCI_DEV_SETUP:
506 if (hdev->manufacturer == 0xffff)
507 return NULL;
508 fallthrough;
509
510 case HCI_DEV_UP:
511 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
512 if (!skb)
513 return NULL;
514
515 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
516 bacpy(&ii->bdaddr, &hdev->bdaddr);
517 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
518
519 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
520 break;
521
522 case HCI_DEV_OPEN:
523 skb = bt_skb_alloc(0, GFP_ATOMIC);
524 if (!skb)
525 return NULL;
526
527 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
528 break;
529
530 case HCI_DEV_CLOSE:
531 skb = bt_skb_alloc(0, GFP_ATOMIC);
532 if (!skb)
533 return NULL;
534
535 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
536 break;
537
538 default:
539 return NULL;
540 }
541
542 __net_timestamp(skb);
543
544 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
545 hdr->opcode = opcode;
546 hdr->index = cpu_to_le16(hdev->id);
547 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
548
549 return skb;
550 }
551
create_monitor_ctrl_open(struct sock * sk)552 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
553 {
554 struct hci_mon_hdr *hdr;
555 struct sk_buff *skb;
556 u16 format;
557 u8 ver[3];
558 u32 flags;
559
560 /* No message needed when cookie is not present */
561 if (!hci_pi(sk)->cookie)
562 return NULL;
563
564 switch (hci_pi(sk)->channel) {
565 case HCI_CHANNEL_RAW:
566 format = 0x0000;
567 ver[0] = BT_SUBSYS_VERSION;
568 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
569 break;
570 case HCI_CHANNEL_USER:
571 format = 0x0001;
572 ver[0] = BT_SUBSYS_VERSION;
573 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
574 break;
575 case HCI_CHANNEL_CONTROL:
576 format = 0x0002;
577 mgmt_fill_version_info(ver);
578 break;
579 default:
580 /* No message for unsupported format */
581 return NULL;
582 }
583
584 skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC);
585 if (!skb)
586 return NULL;
587
588 hci_sock_copy_creds(sk, skb);
589
590 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;
591
592 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
593 put_unaligned_le16(format, skb_put(skb, 2));
594 skb_put_data(skb, ver, sizeof(ver));
595 put_unaligned_le32(flags, skb_put(skb, 4));
596 skb_put_u8(skb, TASK_COMM_LEN);
597 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN);
598
599 __net_timestamp(skb);
600
601 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
602 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
603 if (hci_pi(sk)->hdev)
604 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
605 else
606 hdr->index = cpu_to_le16(HCI_DEV_NONE);
607 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
608
609 return skb;
610 }
611
create_monitor_ctrl_close(struct sock * sk)612 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
613 {
614 struct hci_mon_hdr *hdr;
615 struct sk_buff *skb;
616
617 /* No message needed when cookie is not present */
618 if (!hci_pi(sk)->cookie)
619 return NULL;
620
621 switch (hci_pi(sk)->channel) {
622 case HCI_CHANNEL_RAW:
623 case HCI_CHANNEL_USER:
624 case HCI_CHANNEL_CONTROL:
625 break;
626 default:
627 /* No message for unsupported format */
628 return NULL;
629 }
630
631 skb = bt_skb_alloc(4, GFP_ATOMIC);
632 if (!skb)
633 return NULL;
634
635 hci_sock_copy_creds(sk, skb);
636
637 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
638
639 __net_timestamp(skb);
640
641 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
642 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
643 if (hci_pi(sk)->hdev)
644 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
645 else
646 hdr->index = cpu_to_le16(HCI_DEV_NONE);
647 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
648
649 return skb;
650 }
651
create_monitor_ctrl_command(struct sock * sk,u16 index,u16 opcode,u16 len,const void * buf)652 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
653 u16 opcode, u16 len,
654 const void *buf)
655 {
656 struct hci_mon_hdr *hdr;
657 struct sk_buff *skb;
658
659 skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
660 if (!skb)
661 return NULL;
662
663 hci_sock_copy_creds(sk, skb);
664
665 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
666 put_unaligned_le16(opcode, skb_put(skb, 2));
667
668 if (buf)
669 skb_put_data(skb, buf, len);
670
671 __net_timestamp(skb);
672
673 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
674 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
675 hdr->index = cpu_to_le16(index);
676 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
677
678 return skb;
679 }
680
681 static void __printf(2, 3)
send_monitor_note(struct sock * sk,const char * fmt,...)682 send_monitor_note(struct sock *sk, const char *fmt, ...)
683 {
684 size_t len;
685 struct hci_mon_hdr *hdr;
686 struct sk_buff *skb;
687 va_list args;
688
689 va_start(args, fmt);
690 len = vsnprintf(NULL, 0, fmt, args);
691 va_end(args);
692
693 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
694 if (!skb)
695 return;
696
697 hci_sock_copy_creds(sk, skb);
698
699 va_start(args, fmt);
700 vsprintf(skb_put(skb, len), fmt, args);
701 *(u8 *)skb_put(skb, 1) = 0;
702 va_end(args);
703
704 __net_timestamp(skb);
705
706 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
707 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
708 hdr->index = cpu_to_le16(HCI_DEV_NONE);
709 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
710
711 if (sock_queue_rcv_skb(sk, skb))
712 kfree_skb(skb);
713 }
714
send_monitor_replay(struct sock * sk)715 static void send_monitor_replay(struct sock *sk)
716 {
717 struct hci_dev *hdev;
718
719 read_lock(&hci_dev_list_lock);
720
721 list_for_each_entry(hdev, &hci_dev_list, list) {
722 struct sk_buff *skb;
723
724 skb = create_monitor_event(hdev, HCI_DEV_REG);
725 if (!skb)
726 continue;
727
728 if (sock_queue_rcv_skb(sk, skb))
729 kfree_skb(skb);
730
731 if (!test_bit(HCI_RUNNING, &hdev->flags))
732 continue;
733
734 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
735 if (!skb)
736 continue;
737
738 if (sock_queue_rcv_skb(sk, skb))
739 kfree_skb(skb);
740
741 if (test_bit(HCI_UP, &hdev->flags))
742 skb = create_monitor_event(hdev, HCI_DEV_UP);
743 else if (hci_dev_test_flag(hdev, HCI_SETUP))
744 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
745 else
746 skb = NULL;
747
748 if (skb) {
749 if (sock_queue_rcv_skb(sk, skb))
750 kfree_skb(skb);
751 }
752 }
753
754 read_unlock(&hci_dev_list_lock);
755 }
756
send_monitor_control_replay(struct sock * mon_sk)757 static void send_monitor_control_replay(struct sock *mon_sk)
758 {
759 struct sock *sk;
760
761 read_lock(&hci_sk_list.lock);
762
763 sk_for_each(sk, &hci_sk_list.head) {
764 struct sk_buff *skb;
765
766 skb = create_monitor_ctrl_open(sk);
767 if (!skb)
768 continue;
769
770 if (sock_queue_rcv_skb(mon_sk, skb))
771 kfree_skb(skb);
772 }
773
774 read_unlock(&hci_sk_list.lock);
775 }
776
777 /* Generate internal stack event */
hci_si_event(struct hci_dev * hdev,int type,int dlen,void * data)778 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
779 {
780 struct hci_event_hdr *hdr;
781 struct hci_ev_stack_internal *ev;
782 struct sk_buff *skb;
783
784 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
785 if (!skb)
786 return;
787
788 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE);
789 hdr->evt = HCI_EV_STACK_INTERNAL;
790 hdr->plen = sizeof(*ev) + dlen;
791
792 ev = skb_put(skb, sizeof(*ev) + dlen);
793 ev->type = type;
794 memcpy(ev->data, data, dlen);
795
796 bt_cb(skb)->incoming = 1;
797 __net_timestamp(skb);
798
799 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
800 hci_send_to_sock(hdev, skb);
801 kfree_skb(skb);
802 }
803
hci_sock_dev_event(struct hci_dev * hdev,int event)804 void hci_sock_dev_event(struct hci_dev *hdev, int event)
805 {
806 BT_DBG("hdev %s event %d", hdev->name, event);
807
808 if (atomic_read(&monitor_promisc)) {
809 struct sk_buff *skb;
810
811 /* Send event to monitor */
812 skb = create_monitor_event(hdev, event);
813 if (skb) {
814 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
815 HCI_SOCK_TRUSTED, NULL);
816 kfree_skb(skb);
817 }
818 }
819
820 if (event <= HCI_DEV_DOWN) {
821 struct hci_ev_si_device ev;
822
823 /* Send event to sockets */
824 ev.event = event;
825 ev.dev_id = hdev->id;
826 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
827 }
828
829 if (event == HCI_DEV_UNREG) {
830 struct sock *sk;
831
832 /* Wake up sockets using this dead device */
833 read_lock(&hci_sk_list.lock);
834 sk_for_each(sk, &hci_sk_list.head) {
835 if (hci_pi(sk)->hdev == hdev) {
836 sk->sk_err = EPIPE;
837 sk->sk_state_change(sk);
838 }
839 }
840 read_unlock(&hci_sk_list.lock);
841 }
842 }
843
__hci_mgmt_chan_find(unsigned short channel)844 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
845 {
846 struct hci_mgmt_chan *c;
847
848 list_for_each_entry(c, &mgmt_chan_list, list) {
849 if (c->channel == channel)
850 return c;
851 }
852
853 return NULL;
854 }
855
hci_mgmt_chan_find(unsigned short channel)856 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
857 {
858 struct hci_mgmt_chan *c;
859
860 mutex_lock(&mgmt_chan_list_lock);
861 c = __hci_mgmt_chan_find(channel);
862 mutex_unlock(&mgmt_chan_list_lock);
863
864 return c;
865 }
866
hci_mgmt_chan_register(struct hci_mgmt_chan * c)867 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
868 {
869 if (c->channel < HCI_CHANNEL_CONTROL)
870 return -EINVAL;
871
872 mutex_lock(&mgmt_chan_list_lock);
873 if (__hci_mgmt_chan_find(c->channel)) {
874 mutex_unlock(&mgmt_chan_list_lock);
875 return -EALREADY;
876 }
877
878 list_add_tail(&c->list, &mgmt_chan_list);
879
880 mutex_unlock(&mgmt_chan_list_lock);
881
882 return 0;
883 }
884 EXPORT_SYMBOL(hci_mgmt_chan_register);
885
hci_mgmt_chan_unregister(struct hci_mgmt_chan * c)886 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
887 {
888 mutex_lock(&mgmt_chan_list_lock);
889 list_del(&c->list);
890 mutex_unlock(&mgmt_chan_list_lock);
891 }
892 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
893
hci_sock_release(struct socket * sock)894 static int hci_sock_release(struct socket *sock)
895 {
896 struct sock *sk = sock->sk;
897 struct hci_dev *hdev;
898 struct sk_buff *skb;
899
900 BT_DBG("sock %p sk %p", sock, sk);
901
902 if (!sk)
903 return 0;
904
905 lock_sock(sk);
906
907 switch (hci_pi(sk)->channel) {
908 case HCI_CHANNEL_MONITOR:
909 atomic_dec(&monitor_promisc);
910 break;
911 case HCI_CHANNEL_RAW:
912 case HCI_CHANNEL_USER:
913 case HCI_CHANNEL_CONTROL:
914 /* Send event to monitor */
915 skb = create_monitor_ctrl_close(sk);
916 if (skb) {
917 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
918 HCI_SOCK_TRUSTED, NULL);
919 kfree_skb(skb);
920 }
921
922 hci_sock_free_cookie(sk);
923 break;
924 }
925
926 bt_sock_unlink(&hci_sk_list, sk);
927
928 hdev = hci_pi(sk)->hdev;
929 if (hdev) {
930 if (hci_pi(sk)->channel == HCI_CHANNEL_USER &&
931 !hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
932 /* When releasing a user channel exclusive access,
933 * call hci_dev_do_close directly instead of calling
934 * hci_dev_close to ensure the exclusive access will
935 * be released and the controller brought back down.
936 *
937 * The checking of HCI_AUTO_OFF is not needed in this
938 * case since it will have been cleared already when
939 * opening the user channel.
940 *
941 * Make sure to also check that we haven't already
942 * unregistered since all the cleanup will have already
943 * been complete and hdev will get released when we put
944 * below.
945 */
946 hci_dev_do_close(hdev);
947 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
948 mgmt_index_added(hdev);
949 }
950
951 atomic_dec(&hdev->promisc);
952 hci_dev_put(hdev);
953 }
954
955 sock_orphan(sk);
956 release_sock(sk);
957 sock_put(sk);
958 return 0;
959 }
960
hci_sock_reject_list_add(struct hci_dev * hdev,void __user * arg)961 static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg)
962 {
963 bdaddr_t bdaddr;
964 int err;
965
966 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
967 return -EFAULT;
968
969 hci_dev_lock(hdev);
970
971 err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
972
973 hci_dev_unlock(hdev);
974
975 return err;
976 }
977
hci_sock_reject_list_del(struct hci_dev * hdev,void __user * arg)978 static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg)
979 {
980 bdaddr_t bdaddr;
981 int err;
982
983 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
984 return -EFAULT;
985
986 hci_dev_lock(hdev);
987
988 err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
989
990 hci_dev_unlock(hdev);
991
992 return err;
993 }
994
995 /* Ioctls that require bound socket */
hci_sock_bound_ioctl(struct sock * sk,unsigned int cmd,unsigned long arg)996 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
997 unsigned long arg)
998 {
999 struct hci_dev *hdev = hci_hdev_from_sock(sk);
1000
1001 if (IS_ERR(hdev))
1002 return PTR_ERR(hdev);
1003
1004 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1005 return -EBUSY;
1006
1007 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1008 return -EOPNOTSUPP;
1009
1010 if (hdev->dev_type != HCI_PRIMARY)
1011 return -EOPNOTSUPP;
1012
1013 switch (cmd) {
1014 case HCISETRAW:
1015 if (!capable(CAP_NET_ADMIN))
1016 return -EPERM;
1017 return -EOPNOTSUPP;
1018
1019 case HCIGETCONNINFO:
1020 return hci_get_conn_info(hdev, (void __user *)arg);
1021
1022 case HCIGETAUTHINFO:
1023 return hci_get_auth_info(hdev, (void __user *)arg);
1024
1025 case HCIBLOCKADDR:
1026 if (!capable(CAP_NET_ADMIN))
1027 return -EPERM;
1028 return hci_sock_reject_list_add(hdev, (void __user *)arg);
1029
1030 case HCIUNBLOCKADDR:
1031 if (!capable(CAP_NET_ADMIN))
1032 return -EPERM;
1033 return hci_sock_reject_list_del(hdev, (void __user *)arg);
1034 }
1035
1036 return -ENOIOCTLCMD;
1037 }
1038
hci_sock_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)1039 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
1040 unsigned long arg)
1041 {
1042 void __user *argp = (void __user *)arg;
1043 struct sock *sk = sock->sk;
1044 int err;
1045
1046 BT_DBG("cmd %x arg %lx", cmd, arg);
1047
1048 /* Make sure the cmd is valid before doing anything */
1049 switch (cmd) {
1050 case HCIGETDEVLIST:
1051 case HCIGETDEVINFO:
1052 case HCIGETCONNLIST:
1053 case HCIDEVUP:
1054 case HCIDEVDOWN:
1055 case HCIDEVRESET:
1056 case HCIDEVRESTAT:
1057 case HCISETSCAN:
1058 case HCISETAUTH:
1059 case HCISETENCRYPT:
1060 case HCISETPTYPE:
1061 case HCISETLINKPOL:
1062 case HCISETLINKMODE:
1063 case HCISETACLMTU:
1064 case HCISETSCOMTU:
1065 case HCIINQUIRY:
1066 case HCISETRAW:
1067 case HCIGETCONNINFO:
1068 case HCIGETAUTHINFO:
1069 case HCIBLOCKADDR:
1070 case HCIUNBLOCKADDR:
1071 break;
1072 default:
1073 return -ENOIOCTLCMD;
1074 }
1075
1076 lock_sock(sk);
1077
1078 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1079 err = -EBADFD;
1080 goto done;
1081 }
1082
1083 /* When calling an ioctl on an unbound raw socket, then ensure
1084 * that the monitor gets informed. Ensure that the resulting event
1085 * is only send once by checking if the cookie exists or not. The
1086 * socket cookie will be only ever generated once for the lifetime
1087 * of a given socket.
1088 */
1089 if (hci_sock_gen_cookie(sk)) {
1090 struct sk_buff *skb;
1091
1092 /* Perform careful checks before setting the HCI_SOCK_TRUSTED
1093 * flag. Make sure that not only the current task but also
1094 * the socket opener has the required capability, since
1095 * privileged programs can be tricked into making ioctl calls
1096 * on HCI sockets, and the socket should not be marked as
1097 * trusted simply because the ioctl caller is privileged.
1098 */
1099 if (sk_capable(sk, CAP_NET_ADMIN))
1100 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1101
1102 /* Send event to monitor */
1103 skb = create_monitor_ctrl_open(sk);
1104 if (skb) {
1105 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1106 HCI_SOCK_TRUSTED, NULL);
1107 kfree_skb(skb);
1108 }
1109 }
1110
1111 release_sock(sk);
1112
1113 switch (cmd) {
1114 case HCIGETDEVLIST:
1115 return hci_get_dev_list(argp);
1116
1117 case HCIGETDEVINFO:
1118 return hci_get_dev_info(argp);
1119
1120 case HCIGETCONNLIST:
1121 return hci_get_conn_list(argp);
1122
1123 case HCIDEVUP:
1124 if (!capable(CAP_NET_ADMIN))
1125 return -EPERM;
1126 return hci_dev_open(arg);
1127
1128 case HCIDEVDOWN:
1129 if (!capable(CAP_NET_ADMIN))
1130 return -EPERM;
1131 return hci_dev_close(arg);
1132
1133 case HCIDEVRESET:
1134 if (!capable(CAP_NET_ADMIN))
1135 return -EPERM;
1136 return hci_dev_reset(arg);
1137
1138 case HCIDEVRESTAT:
1139 if (!capable(CAP_NET_ADMIN))
1140 return -EPERM;
1141 return hci_dev_reset_stat(arg);
1142
1143 case HCISETSCAN:
1144 case HCISETAUTH:
1145 case HCISETENCRYPT:
1146 case HCISETPTYPE:
1147 case HCISETLINKPOL:
1148 case HCISETLINKMODE:
1149 case HCISETACLMTU:
1150 case HCISETSCOMTU:
1151 if (!capable(CAP_NET_ADMIN))
1152 return -EPERM;
1153 return hci_dev_cmd(cmd, argp);
1154
1155 case HCIINQUIRY:
1156 return hci_inquiry(argp);
1157 }
1158
1159 lock_sock(sk);
1160
1161 err = hci_sock_bound_ioctl(sk, cmd, arg);
1162
1163 done:
1164 release_sock(sk);
1165 return err;
1166 }
1167
1168 #ifdef CONFIG_COMPAT
hci_sock_compat_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)1169 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd,
1170 unsigned long arg)
1171 {
1172 switch (cmd) {
1173 case HCIDEVUP:
1174 case HCIDEVDOWN:
1175 case HCIDEVRESET:
1176 case HCIDEVRESTAT:
1177 return hci_sock_ioctl(sock, cmd, arg);
1178 }
1179
1180 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
1181 }
1182 #endif
1183
hci_sock_bind(struct socket * sock,struct sockaddr * addr,int addr_len)1184 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1185 int addr_len)
1186 {
1187 struct sockaddr_hci haddr;
1188 struct sock *sk = sock->sk;
1189 struct hci_dev *hdev = NULL;
1190 struct sk_buff *skb;
1191 int len, err = 0;
1192
1193 BT_DBG("sock %p sk %p", sock, sk);
1194
1195 if (!addr)
1196 return -EINVAL;
1197
1198 memset(&haddr, 0, sizeof(haddr));
1199 len = min_t(unsigned int, sizeof(haddr), addr_len);
1200 memcpy(&haddr, addr, len);
1201
1202 if (haddr.hci_family != AF_BLUETOOTH)
1203 return -EINVAL;
1204
1205 lock_sock(sk);
1206
1207 /* Allow detaching from dead device and attaching to alive device, if
1208 * the caller wants to re-bind (instead of close) this socket in
1209 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
1210 */
1211 hdev = hci_pi(sk)->hdev;
1212 if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1213 hci_pi(sk)->hdev = NULL;
1214 sk->sk_state = BT_OPEN;
1215 hci_dev_put(hdev);
1216 }
1217 hdev = NULL;
1218
1219 if (sk->sk_state == BT_BOUND) {
1220 err = -EALREADY;
1221 goto done;
1222 }
1223
1224 switch (haddr.hci_channel) {
1225 case HCI_CHANNEL_RAW:
1226 if (hci_pi(sk)->hdev) {
1227 err = -EALREADY;
1228 goto done;
1229 }
1230
1231 if (haddr.hci_dev != HCI_DEV_NONE) {
1232 hdev = hci_dev_get(haddr.hci_dev);
1233 if (!hdev) {
1234 err = -ENODEV;
1235 goto done;
1236 }
1237
1238 atomic_inc(&hdev->promisc);
1239 }
1240
1241 hci_pi(sk)->channel = haddr.hci_channel;
1242
1243 if (!hci_sock_gen_cookie(sk)) {
1244 /* In the case when a cookie has already been assigned,
1245 * then there has been already an ioctl issued against
1246 * an unbound socket and with that triggered an open
1247 * notification. Send a close notification first to
1248 * allow the state transition to bounded.
1249 */
1250 skb = create_monitor_ctrl_close(sk);
1251 if (skb) {
1252 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1253 HCI_SOCK_TRUSTED, NULL);
1254 kfree_skb(skb);
1255 }
1256 }
1257
1258 if (capable(CAP_NET_ADMIN))
1259 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1260
1261 hci_pi(sk)->hdev = hdev;
1262
1263 /* Send event to monitor */
1264 skb = create_monitor_ctrl_open(sk);
1265 if (skb) {
1266 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1267 HCI_SOCK_TRUSTED, NULL);
1268 kfree_skb(skb);
1269 }
1270 break;
1271
1272 case HCI_CHANNEL_USER:
1273 if (hci_pi(sk)->hdev) {
1274 err = -EALREADY;
1275 goto done;
1276 }
1277
1278 if (haddr.hci_dev == HCI_DEV_NONE) {
1279 err = -EINVAL;
1280 goto done;
1281 }
1282
1283 if (!capable(CAP_NET_ADMIN)) {
1284 err = -EPERM;
1285 goto done;
1286 }
1287
1288 hdev = hci_dev_get(haddr.hci_dev);
1289 if (!hdev) {
1290 err = -ENODEV;
1291 goto done;
1292 }
1293
1294 if (test_bit(HCI_INIT, &hdev->flags) ||
1295 hci_dev_test_flag(hdev, HCI_SETUP) ||
1296 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1297 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1298 test_bit(HCI_UP, &hdev->flags))) {
1299 err = -EBUSY;
1300 hci_dev_put(hdev);
1301 goto done;
1302 }
1303
1304 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1305 err = -EUSERS;
1306 hci_dev_put(hdev);
1307 goto done;
1308 }
1309
1310 mgmt_index_removed(hdev);
1311
1312 err = hci_dev_open(hdev->id);
1313 if (err) {
1314 if (err == -EALREADY) {
1315 /* In case the transport is already up and
1316 * running, clear the error here.
1317 *
1318 * This can happen when opening a user
1319 * channel and HCI_AUTO_OFF grace period
1320 * is still active.
1321 */
1322 err = 0;
1323 } else {
1324 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1325 mgmt_index_added(hdev);
1326 hci_dev_put(hdev);
1327 goto done;
1328 }
1329 }
1330
1331 hci_pi(sk)->channel = haddr.hci_channel;
1332
1333 if (!hci_sock_gen_cookie(sk)) {
1334 /* In the case when a cookie has already been assigned,
1335 * this socket will transition from a raw socket into
1336 * a user channel socket. For a clean transition, send
1337 * the close notification first.
1338 */
1339 skb = create_monitor_ctrl_close(sk);
1340 if (skb) {
1341 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1342 HCI_SOCK_TRUSTED, NULL);
1343 kfree_skb(skb);
1344 }
1345 }
1346
1347 /* The user channel is restricted to CAP_NET_ADMIN
1348 * capabilities and with that implicitly trusted.
1349 */
1350 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1351
1352 hci_pi(sk)->hdev = hdev;
1353
1354 /* Send event to monitor */
1355 skb = create_monitor_ctrl_open(sk);
1356 if (skb) {
1357 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1358 HCI_SOCK_TRUSTED, NULL);
1359 kfree_skb(skb);
1360 }
1361
1362 atomic_inc(&hdev->promisc);
1363 break;
1364
1365 case HCI_CHANNEL_MONITOR:
1366 if (haddr.hci_dev != HCI_DEV_NONE) {
1367 err = -EINVAL;
1368 goto done;
1369 }
1370
1371 if (!capable(CAP_NET_RAW)) {
1372 err = -EPERM;
1373 goto done;
1374 }
1375
1376 hci_pi(sk)->channel = haddr.hci_channel;
1377
1378 /* The monitor interface is restricted to CAP_NET_RAW
1379 * capabilities and with that implicitly trusted.
1380 */
1381 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1382
1383 send_monitor_note(sk, "Linux version %s (%s)",
1384 init_utsname()->release,
1385 init_utsname()->machine);
1386 send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1387 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1388 send_monitor_replay(sk);
1389 send_monitor_control_replay(sk);
1390
1391 atomic_inc(&monitor_promisc);
1392 break;
1393
1394 case HCI_CHANNEL_LOGGING:
1395 if (haddr.hci_dev != HCI_DEV_NONE) {
1396 err = -EINVAL;
1397 goto done;
1398 }
1399
1400 if (!capable(CAP_NET_ADMIN)) {
1401 err = -EPERM;
1402 goto done;
1403 }
1404
1405 hci_pi(sk)->channel = haddr.hci_channel;
1406 break;
1407
1408 default:
1409 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1410 err = -EINVAL;
1411 goto done;
1412 }
1413
1414 if (haddr.hci_dev != HCI_DEV_NONE) {
1415 err = -EINVAL;
1416 goto done;
1417 }
1418
1419 /* Users with CAP_NET_ADMIN capabilities are allowed
1420 * access to all management commands and events. For
1421 * untrusted users the interface is restricted and
1422 * also only untrusted events are sent.
1423 */
1424 if (capable(CAP_NET_ADMIN))
1425 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1426
1427 hci_pi(sk)->channel = haddr.hci_channel;
1428
1429 /* At the moment the index and unconfigured index events
1430 * are enabled unconditionally. Setting them on each
1431 * socket when binding keeps this functionality. They
1432 * however might be cleared later and then sending of these
1433 * events will be disabled, but that is then intentional.
1434 *
1435 * This also enables generic events that are safe to be
1436 * received by untrusted users. Example for such events
1437 * are changes to settings, class of device, name etc.
1438 */
1439 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1440 if (!hci_sock_gen_cookie(sk)) {
1441 /* In the case when a cookie has already been
1442 * assigned, this socket will transition from
1443 * a raw socket into a control socket. To
1444 * allow for a clean transition, send the
1445 * close notification first.
1446 */
1447 skb = create_monitor_ctrl_close(sk);
1448 if (skb) {
1449 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1450 HCI_SOCK_TRUSTED, NULL);
1451 kfree_skb(skb);
1452 }
1453 }
1454
1455 /* Send event to monitor */
1456 skb = create_monitor_ctrl_open(sk);
1457 if (skb) {
1458 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1459 HCI_SOCK_TRUSTED, NULL);
1460 kfree_skb(skb);
1461 }
1462
1463 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1464 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1465 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1466 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1467 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1468 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1469 }
1470 break;
1471 }
1472
1473 /* Default MTU to HCI_MAX_FRAME_SIZE if not set */
1474 if (!hci_pi(sk)->mtu)
1475 hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE;
1476
1477 sk->sk_state = BT_BOUND;
1478
1479 done:
1480 release_sock(sk);
1481 return err;
1482 }
1483
hci_sock_getname(struct socket * sock,struct sockaddr * addr,int peer)1484 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
1485 int peer)
1486 {
1487 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
1488 struct sock *sk = sock->sk;
1489 struct hci_dev *hdev;
1490 int err = 0;
1491
1492 BT_DBG("sock %p sk %p", sock, sk);
1493
1494 if (peer)
1495 return -EOPNOTSUPP;
1496
1497 lock_sock(sk);
1498
1499 hdev = hci_hdev_from_sock(sk);
1500 if (IS_ERR(hdev)) {
1501 err = PTR_ERR(hdev);
1502 goto done;
1503 }
1504
1505 haddr->hci_family = AF_BLUETOOTH;
1506 haddr->hci_dev = hdev->id;
1507 haddr->hci_channel= hci_pi(sk)->channel;
1508 err = sizeof(*haddr);
1509
1510 done:
1511 release_sock(sk);
1512 return err;
1513 }
1514
hci_sock_cmsg(struct sock * sk,struct msghdr * msg,struct sk_buff * skb)1515 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1516 struct sk_buff *skb)
1517 {
1518 __u8 mask = hci_pi(sk)->cmsg_mask;
1519
1520 if (mask & HCI_CMSG_DIR) {
1521 int incoming = bt_cb(skb)->incoming;
1522 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1523 &incoming);
1524 }
1525
1526 if (mask & HCI_CMSG_TSTAMP) {
1527 #ifdef CONFIG_COMPAT
1528 struct old_timeval32 ctv;
1529 #endif
1530 struct __kernel_old_timeval tv;
1531 void *data;
1532 int len;
1533
1534 skb_get_timestamp(skb, &tv);
1535
1536 data = &tv;
1537 len = sizeof(tv);
1538 #ifdef CONFIG_COMPAT
1539 if (!COMPAT_USE_64BIT_TIME &&
1540 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1541 ctv.tv_sec = tv.tv_sec;
1542 ctv.tv_usec = tv.tv_usec;
1543 data = &ctv;
1544 len = sizeof(ctv);
1545 }
1546 #endif
1547
1548 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1549 }
1550 }
1551
hci_sock_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)1552 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1553 size_t len, int flags)
1554 {
1555 struct scm_cookie scm;
1556 struct sock *sk = sock->sk;
1557 struct sk_buff *skb;
1558 int copied, err;
1559 unsigned int skblen;
1560
1561 BT_DBG("sock %p, sk %p", sock, sk);
1562
1563 if (flags & MSG_OOB)
1564 return -EOPNOTSUPP;
1565
1566 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1567 return -EOPNOTSUPP;
1568
1569 if (sk->sk_state == BT_CLOSED)
1570 return 0;
1571
1572 skb = skb_recv_datagram(sk, flags, &err);
1573 if (!skb)
1574 return err;
1575
1576 skblen = skb->len;
1577 copied = skb->len;
1578 if (len < copied) {
1579 msg->msg_flags |= MSG_TRUNC;
1580 copied = len;
1581 }
1582
1583 skb_reset_transport_header(skb);
1584 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1585
1586 switch (hci_pi(sk)->channel) {
1587 case HCI_CHANNEL_RAW:
1588 hci_sock_cmsg(sk, msg, skb);
1589 break;
1590 case HCI_CHANNEL_USER:
1591 case HCI_CHANNEL_MONITOR:
1592 sock_recv_timestamp(msg, sk, skb);
1593 break;
1594 default:
1595 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1596 sock_recv_timestamp(msg, sk, skb);
1597 break;
1598 }
1599
1600 memset(&scm, 0, sizeof(scm));
1601 scm.creds = bt_cb(skb)->creds;
1602
1603 skb_free_datagram(sk, skb);
1604
1605 if (flags & MSG_TRUNC)
1606 copied = skblen;
1607
1608 scm_recv(sock, msg, &scm, flags);
1609
1610 return err ? : copied;
1611 }
1612
hci_mgmt_cmd(struct hci_mgmt_chan * chan,struct sock * sk,struct sk_buff * skb)1613 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1614 struct sk_buff *skb)
1615 {
1616 u8 *cp;
1617 struct mgmt_hdr *hdr;
1618 u16 opcode, index, len;
1619 struct hci_dev *hdev = NULL;
1620 const struct hci_mgmt_handler *handler;
1621 bool var_len, no_hdev;
1622 int err;
1623
1624 BT_DBG("got %d bytes", skb->len);
1625
1626 if (skb->len < sizeof(*hdr))
1627 return -EINVAL;
1628
1629 hdr = (void *)skb->data;
1630 opcode = __le16_to_cpu(hdr->opcode);
1631 index = __le16_to_cpu(hdr->index);
1632 len = __le16_to_cpu(hdr->len);
1633
1634 if (len != skb->len - sizeof(*hdr)) {
1635 err = -EINVAL;
1636 goto done;
1637 }
1638
1639 if (chan->channel == HCI_CHANNEL_CONTROL) {
1640 struct sk_buff *cmd;
1641
1642 /* Send event to monitor */
1643 cmd = create_monitor_ctrl_command(sk, index, opcode, len,
1644 skb->data + sizeof(*hdr));
1645 if (cmd) {
1646 hci_send_to_channel(HCI_CHANNEL_MONITOR, cmd,
1647 HCI_SOCK_TRUSTED, NULL);
1648 kfree_skb(cmd);
1649 }
1650 }
1651
1652 if (opcode >= chan->handler_count ||
1653 chan->handlers[opcode].func == NULL) {
1654 BT_DBG("Unknown op %u", opcode);
1655 err = mgmt_cmd_status(sk, index, opcode,
1656 MGMT_STATUS_UNKNOWN_COMMAND);
1657 goto done;
1658 }
1659
1660 handler = &chan->handlers[opcode];
1661
1662 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1663 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1664 err = mgmt_cmd_status(sk, index, opcode,
1665 MGMT_STATUS_PERMISSION_DENIED);
1666 goto done;
1667 }
1668
1669 if (index != MGMT_INDEX_NONE) {
1670 hdev = hci_dev_get(index);
1671 if (!hdev) {
1672 err = mgmt_cmd_status(sk, index, opcode,
1673 MGMT_STATUS_INVALID_INDEX);
1674 goto done;
1675 }
1676
1677 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1678 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1679 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1680 err = mgmt_cmd_status(sk, index, opcode,
1681 MGMT_STATUS_INVALID_INDEX);
1682 goto done;
1683 }
1684
1685 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1686 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1687 err = mgmt_cmd_status(sk, index, opcode,
1688 MGMT_STATUS_INVALID_INDEX);
1689 goto done;
1690 }
1691 }
1692
1693 if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) {
1694 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1695 if (no_hdev != !hdev) {
1696 err = mgmt_cmd_status(sk, index, opcode,
1697 MGMT_STATUS_INVALID_INDEX);
1698 goto done;
1699 }
1700 }
1701
1702 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1703 if ((var_len && len < handler->data_len) ||
1704 (!var_len && len != handler->data_len)) {
1705 err = mgmt_cmd_status(sk, index, opcode,
1706 MGMT_STATUS_INVALID_PARAMS);
1707 goto done;
1708 }
1709
1710 if (hdev && chan->hdev_init)
1711 chan->hdev_init(sk, hdev);
1712
1713 cp = skb->data + sizeof(*hdr);
1714
1715 err = handler->func(sk, hdev, cp, len);
1716 if (err < 0)
1717 goto done;
1718
1719 err = skb->len;
1720
1721 done:
1722 if (hdev)
1723 hci_dev_put(hdev);
1724
1725 return err;
1726 }
1727
hci_logging_frame(struct sock * sk,struct sk_buff * skb,unsigned int flags)1728 static int hci_logging_frame(struct sock *sk, struct sk_buff *skb,
1729 unsigned int flags)
1730 {
1731 struct hci_mon_hdr *hdr;
1732 struct hci_dev *hdev;
1733 u16 index;
1734 int err;
1735
1736 /* The logging frame consists at minimum of the standard header,
1737 * the priority byte, the ident length byte and at least one string
1738 * terminator NUL byte. Anything shorter are invalid packets.
1739 */
1740 if (skb->len < sizeof(*hdr) + 3)
1741 return -EINVAL;
1742
1743 hdr = (void *)skb->data;
1744
1745 if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr))
1746 return -EINVAL;
1747
1748 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1749 __u8 priority = skb->data[sizeof(*hdr)];
1750 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1751
1752 /* Only the priorities 0-7 are valid and with that any other
1753 * value results in an invalid packet.
1754 *
1755 * The priority byte is followed by an ident length byte and
1756 * the NUL terminated ident string. Check that the ident
1757 * length is not overflowing the packet and also that the
1758 * ident string itself is NUL terminated. In case the ident
1759 * length is zero, the length value actually doubles as NUL
1760 * terminator identifier.
1761 *
1762 * The message follows the ident string (if present) and
1763 * must be NUL terminated. Otherwise it is not a valid packet.
1764 */
1765 if (priority > 7 || skb->data[skb->len - 1] != 0x00 ||
1766 ident_len > skb->len - sizeof(*hdr) - 3 ||
1767 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00)
1768 return -EINVAL;
1769 } else {
1770 return -EINVAL;
1771 }
1772
1773 index = __le16_to_cpu(hdr->index);
1774
1775 if (index != MGMT_INDEX_NONE) {
1776 hdev = hci_dev_get(index);
1777 if (!hdev)
1778 return -ENODEV;
1779 } else {
1780 hdev = NULL;
1781 }
1782
1783 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1784
1785 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1786 err = skb->len;
1787
1788 if (hdev)
1789 hci_dev_put(hdev);
1790
1791 return err;
1792 }
1793
hci_sock_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1794 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1795 size_t len)
1796 {
1797 struct sock *sk = sock->sk;
1798 struct hci_mgmt_chan *chan;
1799 struct hci_dev *hdev;
1800 struct sk_buff *skb;
1801 int err;
1802 const unsigned int flags = msg->msg_flags;
1803
1804 BT_DBG("sock %p sk %p", sock, sk);
1805
1806 if (flags & MSG_OOB)
1807 return -EOPNOTSUPP;
1808
1809 if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
1810 return -EINVAL;
1811
1812 if (len < 4 || len > hci_pi(sk)->mtu)
1813 return -EINVAL;
1814
1815 skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0);
1816 if (IS_ERR(skb))
1817 return PTR_ERR(skb);
1818
1819 lock_sock(sk);
1820
1821 switch (hci_pi(sk)->channel) {
1822 case HCI_CHANNEL_RAW:
1823 case HCI_CHANNEL_USER:
1824 break;
1825 case HCI_CHANNEL_MONITOR:
1826 err = -EOPNOTSUPP;
1827 goto drop;
1828 case HCI_CHANNEL_LOGGING:
1829 err = hci_logging_frame(sk, skb, flags);
1830 goto drop;
1831 default:
1832 mutex_lock(&mgmt_chan_list_lock);
1833 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1834 if (chan)
1835 err = hci_mgmt_cmd(chan, sk, skb);
1836 else
1837 err = -EINVAL;
1838
1839 mutex_unlock(&mgmt_chan_list_lock);
1840 goto drop;
1841 }
1842
1843 hdev = hci_hdev_from_sock(sk);
1844 if (IS_ERR(hdev)) {
1845 err = PTR_ERR(hdev);
1846 goto drop;
1847 }
1848
1849 if (!test_bit(HCI_UP, &hdev->flags)) {
1850 err = -ENETDOWN;
1851 goto drop;
1852 }
1853
1854 hci_skb_pkt_type(skb) = skb->data[0];
1855 skb_pull(skb, 1);
1856
1857 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1858 /* No permission check is needed for user channel
1859 * since that gets enforced when binding the socket.
1860 *
1861 * However check that the packet type is valid.
1862 */
1863 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1864 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1865 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1866 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1867 err = -EINVAL;
1868 goto drop;
1869 }
1870
1871 skb_queue_tail(&hdev->raw_q, skb);
1872 queue_work(hdev->workqueue, &hdev->tx_work);
1873 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1874 u16 opcode = get_unaligned_le16(skb->data);
1875 u16 ogf = hci_opcode_ogf(opcode);
1876 u16 ocf = hci_opcode_ocf(opcode);
1877
1878 if (((ogf > HCI_SFLT_MAX_OGF) ||
1879 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1880 &hci_sec_filter.ocf_mask[ogf])) &&
1881 !capable(CAP_NET_RAW)) {
1882 err = -EPERM;
1883 goto drop;
1884 }
1885
1886 /* Since the opcode has already been extracted here, store
1887 * a copy of the value for later use by the drivers.
1888 */
1889 hci_skb_opcode(skb) = opcode;
1890
1891 if (ogf == 0x3f) {
1892 skb_queue_tail(&hdev->raw_q, skb);
1893 queue_work(hdev->workqueue, &hdev->tx_work);
1894 } else {
1895 /* Stand-alone HCI commands must be flagged as
1896 * single-command requests.
1897 */
1898 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1899
1900 skb_queue_tail(&hdev->cmd_q, skb);
1901 queue_work(hdev->workqueue, &hdev->cmd_work);
1902 }
1903 } else {
1904 if (!capable(CAP_NET_RAW)) {
1905 err = -EPERM;
1906 goto drop;
1907 }
1908
1909 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1910 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1911 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1912 err = -EINVAL;
1913 goto drop;
1914 }
1915
1916 skb_queue_tail(&hdev->raw_q, skb);
1917 queue_work(hdev->workqueue, &hdev->tx_work);
1918 }
1919
1920 err = len;
1921
1922 done:
1923 release_sock(sk);
1924 return err;
1925
1926 drop:
1927 kfree_skb(skb);
1928 goto done;
1929 }
1930
hci_sock_setsockopt_old(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int len)1931 static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
1932 sockptr_t optval, unsigned int len)
1933 {
1934 struct hci_ufilter uf = { .opcode = 0 };
1935 struct sock *sk = sock->sk;
1936 int err = 0, opt = 0;
1937
1938 BT_DBG("sk %p, opt %d", sk, optname);
1939
1940 lock_sock(sk);
1941
1942 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1943 err = -EBADFD;
1944 goto done;
1945 }
1946
1947 switch (optname) {
1948 case HCI_DATA_DIR:
1949 if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
1950 err = -EFAULT;
1951 break;
1952 }
1953
1954 if (opt)
1955 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1956 else
1957 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1958 break;
1959
1960 case HCI_TIME_STAMP:
1961 if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
1962 err = -EFAULT;
1963 break;
1964 }
1965
1966 if (opt)
1967 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1968 else
1969 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1970 break;
1971
1972 case HCI_FILTER:
1973 {
1974 struct hci_filter *f = &hci_pi(sk)->filter;
1975
1976 uf.type_mask = f->type_mask;
1977 uf.opcode = f->opcode;
1978 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1979 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1980 }
1981
1982 len = min_t(unsigned int, len, sizeof(uf));
1983 if (copy_from_sockptr(&uf, optval, len)) {
1984 err = -EFAULT;
1985 break;
1986 }
1987
1988 if (!capable(CAP_NET_RAW)) {
1989 uf.type_mask &= hci_sec_filter.type_mask;
1990 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1991 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1992 }
1993
1994 {
1995 struct hci_filter *f = &hci_pi(sk)->filter;
1996
1997 f->type_mask = uf.type_mask;
1998 f->opcode = uf.opcode;
1999 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
2000 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
2001 }
2002 break;
2003
2004 default:
2005 err = -ENOPROTOOPT;
2006 break;
2007 }
2008
2009 done:
2010 release_sock(sk);
2011 return err;
2012 }
2013
hci_sock_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int len)2014 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
2015 sockptr_t optval, unsigned int len)
2016 {
2017 struct sock *sk = sock->sk;
2018 int err = 0;
2019 u16 opt;
2020
2021 BT_DBG("sk %p, opt %d", sk, optname);
2022
2023 if (level == SOL_HCI)
2024 return hci_sock_setsockopt_old(sock, level, optname, optval,
2025 len);
2026
2027 if (level != SOL_BLUETOOTH)
2028 return -ENOPROTOOPT;
2029
2030 lock_sock(sk);
2031
2032 switch (optname) {
2033 case BT_SNDMTU:
2034 case BT_RCVMTU:
2035 switch (hci_pi(sk)->channel) {
2036 /* Don't allow changing MTU for channels that are meant for HCI
2037 * traffic only.
2038 */
2039 case HCI_CHANNEL_RAW:
2040 case HCI_CHANNEL_USER:
2041 err = -ENOPROTOOPT;
2042 goto done;
2043 }
2044
2045 if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
2046 err = -EFAULT;
2047 break;
2048 }
2049
2050 hci_pi(sk)->mtu = opt;
2051 break;
2052
2053 default:
2054 err = -ENOPROTOOPT;
2055 break;
2056 }
2057
2058 done:
2059 release_sock(sk);
2060 return err;
2061 }
2062
hci_sock_getsockopt_old(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)2063 static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname,
2064 char __user *optval, int __user *optlen)
2065 {
2066 struct hci_ufilter uf;
2067 struct sock *sk = sock->sk;
2068 int len, opt, err = 0;
2069
2070 BT_DBG("sk %p, opt %d", sk, optname);
2071
2072 if (get_user(len, optlen))
2073 return -EFAULT;
2074
2075 lock_sock(sk);
2076
2077 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
2078 err = -EBADFD;
2079 goto done;
2080 }
2081
2082 switch (optname) {
2083 case HCI_DATA_DIR:
2084 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
2085 opt = 1;
2086 else
2087 opt = 0;
2088
2089 if (put_user(opt, optval))
2090 err = -EFAULT;
2091 break;
2092
2093 case HCI_TIME_STAMP:
2094 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
2095 opt = 1;
2096 else
2097 opt = 0;
2098
2099 if (put_user(opt, optval))
2100 err = -EFAULT;
2101 break;
2102
2103 case HCI_FILTER:
2104 {
2105 struct hci_filter *f = &hci_pi(sk)->filter;
2106
2107 memset(&uf, 0, sizeof(uf));
2108 uf.type_mask = f->type_mask;
2109 uf.opcode = f->opcode;
2110 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
2111 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
2112 }
2113
2114 len = min_t(unsigned int, len, sizeof(uf));
2115 if (copy_to_user(optval, &uf, len))
2116 err = -EFAULT;
2117 break;
2118
2119 default:
2120 err = -ENOPROTOOPT;
2121 break;
2122 }
2123
2124 done:
2125 release_sock(sk);
2126 return err;
2127 }
2128
hci_sock_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)2129 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
2130 char __user *optval, int __user *optlen)
2131 {
2132 struct sock *sk = sock->sk;
2133 int err = 0;
2134
2135 BT_DBG("sk %p, opt %d", sk, optname);
2136
2137 if (level == SOL_HCI)
2138 return hci_sock_getsockopt_old(sock, level, optname, optval,
2139 optlen);
2140
2141 if (level != SOL_BLUETOOTH)
2142 return -ENOPROTOOPT;
2143
2144 lock_sock(sk);
2145
2146 switch (optname) {
2147 case BT_SNDMTU:
2148 case BT_RCVMTU:
2149 if (put_user(hci_pi(sk)->mtu, (u16 __user *)optval))
2150 err = -EFAULT;
2151 break;
2152
2153 default:
2154 err = -ENOPROTOOPT;
2155 break;
2156 }
2157
2158 release_sock(sk);
2159 return err;
2160 }
2161
hci_sock_destruct(struct sock * sk)2162 static void hci_sock_destruct(struct sock *sk)
2163 {
2164 mgmt_cleanup(sk);
2165 skb_queue_purge(&sk->sk_receive_queue);
2166 skb_queue_purge(&sk->sk_write_queue);
2167 }
2168
2169 static const struct proto_ops hci_sock_ops = {
2170 .family = PF_BLUETOOTH,
2171 .owner = THIS_MODULE,
2172 .release = hci_sock_release,
2173 .bind = hci_sock_bind,
2174 .getname = hci_sock_getname,
2175 .sendmsg = hci_sock_sendmsg,
2176 .recvmsg = hci_sock_recvmsg,
2177 .ioctl = hci_sock_ioctl,
2178 #ifdef CONFIG_COMPAT
2179 .compat_ioctl = hci_sock_compat_ioctl,
2180 #endif
2181 .poll = datagram_poll,
2182 .listen = sock_no_listen,
2183 .shutdown = sock_no_shutdown,
2184 .setsockopt = hci_sock_setsockopt,
2185 .getsockopt = hci_sock_getsockopt,
2186 .connect = sock_no_connect,
2187 .socketpair = sock_no_socketpair,
2188 .accept = sock_no_accept,
2189 .mmap = sock_no_mmap
2190 };
2191
2192 static struct proto hci_sk_proto = {
2193 .name = "HCI",
2194 .owner = THIS_MODULE,
2195 .obj_size = sizeof(struct hci_pinfo)
2196 };
2197
hci_sock_create(struct net * net,struct socket * sock,int protocol,int kern)2198 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
2199 int kern)
2200 {
2201 struct sock *sk;
2202
2203 BT_DBG("sock %p", sock);
2204
2205 if (sock->type != SOCK_RAW)
2206 return -ESOCKTNOSUPPORT;
2207
2208 sock->ops = &hci_sock_ops;
2209
2210 sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC,
2211 kern);
2212 if (!sk)
2213 return -ENOMEM;
2214
2215 sock->state = SS_UNCONNECTED;
2216 sk->sk_destruct = hci_sock_destruct;
2217
2218 bt_sock_link(&hci_sk_list, sk);
2219 return 0;
2220 }
2221
2222 static const struct net_proto_family hci_sock_family_ops = {
2223 .family = PF_BLUETOOTH,
2224 .owner = THIS_MODULE,
2225 .create = hci_sock_create,
2226 };
2227
hci_sock_init(void)2228 int __init hci_sock_init(void)
2229 {
2230 int err;
2231
2232 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
2233
2234 err = proto_register(&hci_sk_proto, 0);
2235 if (err < 0)
2236 return err;
2237
2238 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
2239 if (err < 0) {
2240 BT_ERR("HCI socket registration failed");
2241 goto error;
2242 }
2243
2244 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
2245 if (err < 0) {
2246 BT_ERR("Failed to create HCI proc file");
2247 bt_sock_unregister(BTPROTO_HCI);
2248 goto error;
2249 }
2250
2251 BT_INFO("HCI socket layer initialized");
2252
2253 return 0;
2254
2255 error:
2256 proto_unregister(&hci_sk_proto);
2257 return err;
2258 }
2259
hci_sock_cleanup(void)2260 void hci_sock_cleanup(void)
2261 {
2262 bt_procfs_cleanup(&init_net, "hci");
2263 bt_sock_unregister(BTPROTO_HCI);
2264 proto_unregister(&hci_sk_proto);
2265 }
2266