net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 static inline int hci_test_bit(int nr, void *addr)
  39 {
  40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  41 }
  42
  43 /* Security filter */
  44 #define HCI_SFLT_MAX_OGF  5
  45
  46 struct hci_sec_filter {
  47         __u32 type_mask;
  48         __u32 event_mask[2];
  49         __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
  50 };
  51
  52 static struct hci_sec_filter hci_sec_filter = {
  53         /* Packet types */
  54         0x10,
  55         /* Events */
  56         { 0x1000d9fe, 0x0000b00c },
  57         /* Commands */
  58         {
  59                 { 0x0 },
  60                 /* OGF_LINK_CTL */
  61                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  62                 /* OGF_LINK_POLICY */
  63                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  64                 /* OGF_HOST_CTL */
  65                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  66                 /* OGF_INFO_PARAM */
  67                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  68                 /* OGF_STATUS_PARAM */
  69                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  70         }
  71 };
  72
  73 static struct bt_sock_list hci_sk_list = {
  74         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  75 };
  76
  77 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
  78 {
  79         struct hci_filter *flt;
  80         int flt_type, flt_event;
  81
  82         /* Apply filter */
  83         flt = &hci_pi(sk)->filter;
  84
  85         if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT)
  86                 flt_type = 0;
  87         else
  88                 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS;
  89
  90         if (!test_bit(flt_type, &flt->type_mask))
  91                 return true;
  92
  93         /* Extra filter for event packets only */
  94         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT)
  95                 return false;
  96
  97         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
  98
  99         if (!hci_test_bit(flt_event, &flt->event_mask))
 100                 return true;
 101
 102         /* Check filter only when opcode is set */
 103         if (!flt->opcode)
 104                 return false;
 105
 106         if (flt_event == HCI_EV_CMD_COMPLETE &&
 107             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
 108                 return true;
 109
 110         if (flt_event == HCI_EV_CMD_STATUS &&
 111             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
 112                 return true;
 113
 114         return false;
 115 }
 116
 117 /* Send frame to RAW socket */
 118 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 119 {
 120         struct sock *sk;
 121         struct sk_buff *skb_copy = NULL;
 122
 123         BT_DBG("hdev %p len %d", hdev, skb->len);
 124
 125         read_lock(&hci_sk_list.lock);
 126
 127         sk_for_each(sk, &hci_sk_list.head) {
 128                 struct sk_buff *nskb;
 129
 130                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
 131                         continue;
 132
 133                 /* Don't send frame to the socket it came from */
 134                 if (skb->sk == sk)
 135                         continue;
 136
 137                 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
 138                         if (is_filtered_packet(sk, skb))
 139                                 continue;
 140                 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 141                         if (!bt_cb(skb)->incoming)
 142                                 continue;
 143                         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT &&
 144                             bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 145                             bt_cb(skb)->pkt_type != HCI_SCODATA_PKT)
 146                                 continue;
 147                 } else {
 148                         /* Don't send frame to other channel types */
 149                         continue;
 150                 }
 151
 152                 if (!skb_copy) {
 153                         /* Create a private copy with headroom */
 154                         skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
 155                         if (!skb_copy)
 156                                 continue;
 157
 158                         /* Put type byte before the data */
 159                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 160                 }
 161
 162                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 163                 if (!nskb)
 164                         continue;
 165
 166                 if (sock_queue_rcv_skb(sk, nskb))
 167                         kfree_skb(nskb);
 168         }
 169
 170         read_unlock(&hci_sk_list.lock);
 171
 172         kfree_skb(skb_copy);
 173 }
 174
 175 /* Send frame to control socket */
 176 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 177 {
 178         struct sock *sk;
 179
 180         BT_DBG("len %d", skb->len);
 181
 182         read_lock(&hci_sk_list.lock);
 183
 184         sk_for_each(sk, &hci_sk_list.head) {
 185                 struct sk_buff *nskb;
 186
 187                 /* Skip the original socket */
 188                 if (sk == skip_sk)
 189                         continue;
 190
 191                 if (sk->sk_state != BT_BOUND)
 192                         continue;
 193
 194                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 195                         continue;
 196
 197                 nskb = skb_clone(skb, GFP_ATOMIC);
 198                 if (!nskb)
 199                         continue;
 200
 201                 if (sock_queue_rcv_skb(sk, nskb))
 202                         kfree_skb(nskb);
 203         }
 204
 205         read_unlock(&hci_sk_list.lock);
 206 }
 207
 208 /* Send frame to monitor socket */
 209 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 210 {
 211         struct sock *sk;
 212         struct sk_buff *skb_copy = NULL;
 213         __le16 opcode;
 214
 215         if (!atomic_read(&monitor_promisc))
 216                 return;
 217
 218         BT_DBG("hdev %p len %d", hdev, skb->len);
 219
 220         switch (bt_cb(skb)->pkt_type) {
 221         case HCI_COMMAND_PKT:
 222                 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
 223                 break;
 224         case HCI_EVENT_PKT:
 225                 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
 226                 break;
 227         case HCI_ACLDATA_PKT:
 228                 if (bt_cb(skb)->incoming)
 229                         opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
 230                 else
 231                         opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
 232                 break;
 233         case HCI_SCODATA_PKT:
 234                 if (bt_cb(skb)->incoming)
 235                         opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
 236                 else
 237                         opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
 238                 break;
 239         default:
 240                 return;
 241         }
 242
 243         read_lock(&hci_sk_list.lock);
 244
 245         sk_for_each(sk, &hci_sk_list.head) {
 246                 struct sk_buff *nskb;
 247
 248                 if (sk->sk_state != BT_BOUND)
 249                         continue;
 250
 251                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 252                         continue;
 253
 254                 if (!skb_copy) {
 255                         struct hci_mon_hdr *hdr;
 256
 257                         /* Create a private copy with headroom */
 258                         skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE,
 259                                                       GFP_ATOMIC, true);
 260                         if (!skb_copy)
 261                                 continue;
 262
 263                         /* Put header before the data */
 264                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 265                         hdr->opcode = opcode;
 266                         hdr->index = cpu_to_le16(hdev->id);
 267                         hdr->len = cpu_to_le16(skb->len);
 268                 }
 269
 270                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 271                 if (!nskb)
 272                         continue;
 273
 274                 if (sock_queue_rcv_skb(sk, nskb))
 275                         kfree_skb(nskb);
 276         }
 277
 278         read_unlock(&hci_sk_list.lock);
 279
 280         kfree_skb(skb_copy);
 281 }
 282
 283 static void send_monitor_event(struct sk_buff *skb)
 284 {
 285         struct sock *sk;
 286
 287         BT_DBG("len %d", skb->len);
 288
 289         read_lock(&hci_sk_list.lock);
 290
 291         sk_for_each(sk, &hci_sk_list.head) {
 292                 struct sk_buff *nskb;
 293
 294                 if (sk->sk_state != BT_BOUND)
 295                         continue;
 296
 297                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 298                         continue;
 299
 300                 nskb = skb_clone(skb, GFP_ATOMIC);
 301                 if (!nskb)
 302                         continue;
 303
 304                 if (sock_queue_rcv_skb(sk, nskb))
 305                         kfree_skb(nskb);
 306         }
 307
 308         read_unlock(&hci_sk_list.lock);
 309 }
 310
 311 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 312 {
 313         struct hci_mon_hdr *hdr;
 314         struct hci_mon_new_index *ni;
 315         struct sk_buff *skb;
 316         __le16 opcode;
 317
 318         switch (event) {
 319         case HCI_DEV_REG:
 320                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 321                 if (!skb)
 322                         return NULL;
 323
 324                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 325                 ni->type = hdev->dev_type;
 326                 ni->bus = hdev->bus;
 327                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 328                 memcpy(ni->name, hdev->name, 8);
 329
 330                 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
 331                 break;
 332
 333         case HCI_DEV_UNREG:
 334                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 335                 if (!skb)
 336                         return NULL;
 337
 338                 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
 339                 break;
 340
 341         default:
 342                 return NULL;
 343         }
 344
 345         __net_timestamp(skb);
 346
 347         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 348         hdr->opcode = opcode;
 349         hdr->index = cpu_to_le16(hdev->id);
 350         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 351
 352         return skb;
 353 }
 354
 355 static void send_monitor_replay(struct sock *sk)
 356 {
 357         struct hci_dev *hdev;
 358
 359         read_lock(&hci_dev_list_lock);
 360
 361         list_for_each_entry(hdev, &hci_dev_list, list) {
 362                 struct sk_buff *skb;
 363
 364                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 365                 if (!skb)
 366                         continue;
 367
 368                 if (sock_queue_rcv_skb(sk, skb))
 369                         kfree_skb(skb);
 370         }
 371
 372         read_unlock(&hci_dev_list_lock);
 373 }
 374
 375 /* Generate internal stack event */
 376 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 377 {
 378         struct hci_event_hdr *hdr;
 379         struct hci_ev_stack_internal *ev;
 380         struct sk_buff *skb;
 381
 382         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 383         if (!skb)
 384                 return;
 385
 386         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 387         hdr->evt  = HCI_EV_STACK_INTERNAL;
 388         hdr->plen = sizeof(*ev) + dlen;
 389
 390         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 391         ev->type = type;
 392         memcpy(ev->data, data, dlen);
 393
 394         bt_cb(skb)->incoming = 1;
 395         __net_timestamp(skb);
 396
 397         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 398         hci_send_to_sock(hdev, skb);
 399         kfree_skb(skb);
 400 }
 401
 402 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 403 {
 404         struct hci_ev_si_device ev;
 405
 406         BT_DBG("hdev %s event %d", hdev->name, event);
 407
 408         /* Send event to monitor */
 409         if (atomic_read(&monitor_promisc)) {
 410                 struct sk_buff *skb;
 411
 412                 skb = create_monitor_event(hdev, event);
 413                 if (skb) {
 414                         send_monitor_event(skb);
 415                         kfree_skb(skb);
 416                 }
 417         }
 418
 419         /* Send event to sockets */
 420         ev.event  = event;
 421         ev.dev_id = hdev->id;
 422         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 423
 424         if (event == HCI_DEV_UNREG) {
 425                 struct sock *sk;
 426
 427                 /* Detach sockets from device */
 428                 read_lock(&hci_sk_list.lock);
 429                 sk_for_each(sk, &hci_sk_list.head) {
 430                         bh_lock_sock_nested(sk);
 431                         if (hci_pi(sk)->hdev == hdev) {
 432                                 hci_pi(sk)->hdev = NULL;
 433                                 sk->sk_err = EPIPE;
 434                                 sk->sk_state = BT_OPEN;
 435                                 sk->sk_state_change(sk);
 436
 437                                 hci_dev_put(hdev);
 438                         }
 439                         bh_unlock_sock(sk);
 440                 }
 441                 read_unlock(&hci_sk_list.lock);
 442         }
 443 }
 444
 445 static int hci_sock_release(struct socket *sock)
 446 {
 447         struct sock *sk = sock->sk;
 448         struct hci_dev *hdev;
 449
 450         BT_DBG("sock %p sk %p", sock, sk);
 451
 452         if (!sk)
 453                 return 0;
 454
 455         hdev = hci_pi(sk)->hdev;
 456
 457         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 458                 atomic_dec(&monitor_promisc);
 459
 460         bt_sock_unlink(&hci_sk_list, sk);
 461
 462         if (hdev) {
 463                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 464                         mgmt_index_added(hdev);
 465                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 466                         hci_dev_close(hdev->id);
 467                 }
 468
 469                 atomic_dec(&hdev->promisc);
 470                 hci_dev_put(hdev);
 471         }
 472
 473         sock_orphan(sk);
 474
 475         skb_queue_purge(&sk->sk_receive_queue);
 476         skb_queue_purge(&sk->sk_write_queue);
 477
 478         sock_put(sk);
 479         return 0;
 480 }
 481
 482 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 483 {
 484         bdaddr_t bdaddr;
 485         int err;
 486
 487         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 488                 return -EFAULT;
 489
 490         hci_dev_lock(hdev);
 491
 492         err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
 493
 494         hci_dev_unlock(hdev);
 495
 496         return err;
 497 }
 498
 499 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 500 {
 501         bdaddr_t bdaddr;
 502         int err;
 503
 504         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 505                 return -EFAULT;
 506
 507         hci_dev_lock(hdev);
 508
 509         err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
 510
 511         hci_dev_unlock(hdev);
 512
 513         return err;
 514 }
 515
 516 /* Ioctls that require bound socket */
 517 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 518                                 unsigned long arg)
 519 {
 520         struct hci_dev *hdev = hci_pi(sk)->hdev;
 521
 522         if (!hdev)
 523                 return -EBADFD;
 524
 525         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
 526                 return -EBUSY;
 527
 528         if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
 529                 return -EOPNOTSUPP;
 530
 531         if (hdev->dev_type != HCI_BREDR)
 532                 return -EOPNOTSUPP;
 533
 534         switch (cmd) {
 535         case HCISETRAW:
 536                 if (!capable(CAP_NET_ADMIN))
 537                         return -EPERM;
 538                 return -EOPNOTSUPP;
 539
 540         case HCIGETCONNINFO:
 541                 return hci_get_conn_info(hdev, (void __user *) arg);
 542
 543         case HCIGETAUTHINFO:
 544                 return hci_get_auth_info(hdev, (void __user *) arg);
 545
 546         case HCIBLOCKADDR:
 547                 if (!capable(CAP_NET_ADMIN))
 548                         return -EPERM;
 549                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 550
 551         case HCIUNBLOCKADDR:
 552                 if (!capable(CAP_NET_ADMIN))
 553                         return -EPERM;
 554                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 555         }
 556
 557         return -ENOIOCTLCMD;
 558 }
 559
 560 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 561                           unsigned long arg)
 562 {
 563         void __user *argp = (void __user *) arg;
 564         struct sock *sk = sock->sk;
 565         int err;
 566
 567         BT_DBG("cmd %x arg %lx", cmd, arg);
 568
 569         lock_sock(sk);
 570
 571         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 572                 err = -EBADFD;
 573                 goto done;
 574         }
 575
 576         release_sock(sk);
 577
 578         switch (cmd) {
 579         case HCIGETDEVLIST:
 580                 return hci_get_dev_list(argp);
 581
 582         case HCIGETDEVINFO:
 583                 return hci_get_dev_info(argp);
 584
 585         case HCIGETCONNLIST:
 586                 return hci_get_conn_list(argp);
 587
 588         case HCIDEVUP:
 589                 if (!capable(CAP_NET_ADMIN))
 590                         return -EPERM;
 591                 return hci_dev_open(arg);
 592
 593         case HCIDEVDOWN:
 594                 if (!capable(CAP_NET_ADMIN))
 595                         return -EPERM;
 596                 return hci_dev_close(arg);
 597
 598         case HCIDEVRESET:
 599                 if (!capable(CAP_NET_ADMIN))
 600                         return -EPERM;
 601                 return hci_dev_reset(arg);
 602
 603         case HCIDEVRESTAT:
 604                 if (!capable(CAP_NET_ADMIN))
 605                         return -EPERM;
 606                 return hci_dev_reset_stat(arg);
 607
 608         case HCISETSCAN:
 609         case HCISETAUTH:
 610         case HCISETENCRYPT:
 611         case HCISETPTYPE:
 612         case HCISETLINKPOL:
 613         case HCISETLINKMODE:
 614         case HCISETACLMTU:
 615         case HCISETSCOMTU:
 616                 if (!capable(CAP_NET_ADMIN))
 617                         return -EPERM;
 618                 return hci_dev_cmd(cmd, argp);
 619
 620         case HCIINQUIRY:
 621                 return hci_inquiry(argp);
 622         }
 623
 624         lock_sock(sk);
 625
 626         err = hci_sock_bound_ioctl(sk, cmd, arg);
 627
 628 done:
 629         release_sock(sk);
 630         return err;
 631 }
 632
 633 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 634                          int addr_len)
 635 {
 636         struct sockaddr_hci haddr;
 637         struct sock *sk = sock->sk;
 638         struct hci_dev *hdev = NULL;
 639         int len, err = 0;
 640
 641         BT_DBG("sock %p sk %p", sock, sk);
 642
 643         if (!addr)
 644                 return -EINVAL;
 645
 646         memset(&haddr, 0, sizeof(haddr));
 647         len = min_t(unsigned int, sizeof(haddr), addr_len);
 648         memcpy(&haddr, addr, len);
 649
 650         if (haddr.hci_family != AF_BLUETOOTH)
 651                 return -EINVAL;
 652
 653         lock_sock(sk);
 654
 655         if (sk->sk_state == BT_BOUND) {
 656                 err = -EALREADY;
 657                 goto done;
 658         }
 659
 660         switch (haddr.hci_channel) {
 661         case HCI_CHANNEL_RAW:
 662                 if (hci_pi(sk)->hdev) {
 663                         err = -EALREADY;
 664                         goto done;
 665                 }
 666
 667                 if (haddr.hci_dev != HCI_DEV_NONE) {
 668                         hdev = hci_dev_get(haddr.hci_dev);
 669                         if (!hdev) {
 670                                 err = -ENODEV;
 671                                 goto done;
 672                         }
 673
 674                         atomic_inc(&hdev->promisc);
 675                 }
 676
 677                 hci_pi(sk)->hdev = hdev;
 678                 break;
 679
 680         case HCI_CHANNEL_USER:
 681                 if (hci_pi(sk)->hdev) {
 682                         err = -EALREADY;
 683                         goto done;
 684                 }
 685
 686                 if (haddr.hci_dev == HCI_DEV_NONE) {
 687                         err = -EINVAL;
 688                         goto done;
 689                 }
 690
 691                 if (!capable(CAP_NET_ADMIN)) {
 692                         err = -EPERM;
 693                         goto done;
 694                 }
 695
 696                 hdev = hci_dev_get(haddr.hci_dev);
 697                 if (!hdev) {
 698                         err = -ENODEV;
 699                         goto done;
 700                 }
 701
 702                 if (test_bit(HCI_UP, &hdev->flags) ||
 703                     test_bit(HCI_INIT, &hdev->flags) ||
 704                     test_bit(HCI_SETUP, &hdev->dev_flags) ||
 705                     test_bit(HCI_CONFIG, &hdev->dev_flags)) {
 706                         err = -EBUSY;
 707                         hci_dev_put(hdev);
 708                         goto done;
 709                 }
 710
 711                 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
 712                         err = -EUSERS;
 713                         hci_dev_put(hdev);
 714                         goto done;
 715                 }
 716
 717                 mgmt_index_removed(hdev);
 718
 719                 err = hci_dev_open(hdev->id);
 720                 if (err) {
 721                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 722                         mgmt_index_added(hdev);
 723                         hci_dev_put(hdev);
 724                         goto done;
 725                 }
 726
 727                 atomic_inc(&hdev->promisc);
 728
 729                 hci_pi(sk)->hdev = hdev;
 730                 break;
 731
 732         case HCI_CHANNEL_CONTROL:
 733                 if (haddr.hci_dev != HCI_DEV_NONE) {
 734                         err = -EINVAL;
 735                         goto done;
 736                 }
 737
 738                 if (!capable(CAP_NET_ADMIN)) {
 739                         err = -EPERM;
 740                         goto done;
 741                 }
 742
 743                 break;
 744
 745         case HCI_CHANNEL_MONITOR:
 746                 if (haddr.hci_dev != HCI_DEV_NONE) {
 747                         err = -EINVAL;
 748                         goto done;
 749                 }
 750
 751                 if (!capable(CAP_NET_RAW)) {
 752                         err = -EPERM;
 753                         goto done;
 754                 }
 755
 756                 send_monitor_replay(sk);
 757
 758                 atomic_inc(&monitor_promisc);
 759                 break;
 760
 761         default:
 762                 err = -EINVAL;
 763                 goto done;
 764         }
 765
 766
 767         hci_pi(sk)->channel = haddr.hci_channel;
 768         sk->sk_state = BT_BOUND;
 769
 770 done:
 771         release_sock(sk);
 772         return err;
 773 }
 774
 775 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 776                             int *addr_len, int peer)
 777 {
 778         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 779         struct sock *sk = sock->sk;
 780         struct hci_dev *hdev;
 781         int err = 0;
 782
 783         BT_DBG("sock %p sk %p", sock, sk);
 784
 785         if (peer)
 786                 return -EOPNOTSUPP;
 787
 788         lock_sock(sk);
 789
 790         hdev = hci_pi(sk)->hdev;
 791         if (!hdev) {
 792                 err = -EBADFD;
 793                 goto done;
 794         }
 795
 796         *addr_len = sizeof(*haddr);
 797         haddr->hci_family = AF_BLUETOOTH;
 798         haddr->hci_dev    = hdev->id;
 799         haddr->hci_channel= hci_pi(sk)->channel;
 800
 801 done:
 802         release_sock(sk);
 803         return err;
 804 }
 805
 806 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 807                           struct sk_buff *skb)
 808 {
 809         __u32 mask = hci_pi(sk)->cmsg_mask;
 810
 811         if (mask & HCI_CMSG_DIR) {
 812                 int incoming = bt_cb(skb)->incoming;
 813                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 814                          &incoming);
 815         }
 816
 817         if (mask & HCI_CMSG_TSTAMP) {
 818 #ifdef CONFIG_COMPAT
 819                 struct compat_timeval ctv;
 820 #endif
 821                 struct timeval tv;
 822                 void *data;
 823                 int len;
 824
 825                 skb_get_timestamp(skb, &tv);
 826
 827                 data = &tv;
 828                 len = sizeof(tv);
 829 #ifdef CONFIG_COMPAT
 830                 if (!COMPAT_USE_64BIT_TIME &&
 831                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 832                         ctv.tv_sec = tv.tv_sec;
 833                         ctv.tv_usec = tv.tv_usec;
 834                         data = &ctv;
 835                         len = sizeof(ctv);
 836                 }
 837 #endif
 838
 839                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 840         }
 841 }
 842
 843 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 844                             struct msghdr *msg, size_t len, int flags)
 845 {
 846         int noblock = flags & MSG_DONTWAIT;
 847         struct sock *sk = sock->sk;
 848         struct sk_buff *skb;
 849         int copied, err;
 850
 851         BT_DBG("sock %p, sk %p", sock, sk);
 852
 853         if (flags & (MSG_OOB))
 854                 return -EOPNOTSUPP;
 855
 856         if (sk->sk_state == BT_CLOSED)
 857                 return 0;
 858
 859         skb = skb_recv_datagram(sk, flags, noblock, &err);
 860         if (!skb)
 861                 return err;
 862
 863         copied = skb->len;
 864         if (len < copied) {
 865                 msg->msg_flags |= MSG_TRUNC;
 866                 copied = len;
 867         }
 868
 869         skb_reset_transport_header(skb);
 870         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 871
 872         switch (hci_pi(sk)->channel) {
 873         case HCI_CHANNEL_RAW:
 874                 hci_sock_cmsg(sk, msg, skb);
 875                 break;
 876         case HCI_CHANNEL_USER:
 877         case HCI_CHANNEL_CONTROL:
 878         case HCI_CHANNEL_MONITOR:
 879                 sock_recv_timestamp(msg, sk, skb);
 880                 break;
 881         }
 882
 883         skb_free_datagram(sk, skb);
 884
 885         return err ? : copied;
 886 }
 887
 888 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 889                             struct msghdr *msg, size_t len)
 890 {
 891         struct sock *sk = sock->sk;
 892         struct hci_dev *hdev;
 893         struct sk_buff *skb;
 894         int err;
 895
 896         BT_DBG("sock %p sk %p", sock, sk);
 897
 898         if (msg->msg_flags & MSG_OOB)
 899                 return -EOPNOTSUPP;
 900
 901         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 902                 return -EINVAL;
 903
 904         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 905                 return -EINVAL;
 906
 907         lock_sock(sk);
 908
 909         switch (hci_pi(sk)->channel) {
 910         case HCI_CHANNEL_RAW:
 911         case HCI_CHANNEL_USER:
 912                 break;
 913         case HCI_CHANNEL_CONTROL:
 914                 err = mgmt_control(sk, msg, len);
 915                 goto done;
 916         case HCI_CHANNEL_MONITOR:
 917                 err = -EOPNOTSUPP;
 918                 goto done;
 919         default:
 920                 err = -EINVAL;
 921                 goto done;
 922         }
 923
 924         hdev = hci_pi(sk)->hdev;
 925         if (!hdev) {
 926                 err = -EBADFD;
 927                 goto done;
 928         }
 929
 930         if (!test_bit(HCI_UP, &hdev->flags)) {
 931                 err = -ENETDOWN;
 932                 goto done;
 933         }
 934
 935         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 936         if (!skb)
 937                 goto done;
 938
 939         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 940                 err = -EFAULT;
 941                 goto drop;
 942         }
 943
 944         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 945         skb_pull(skb, 1);
 946
 947         if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 948                 /* No permission check is needed for user channel
 949                  * since that gets enforced when binding the socket.
 950                  *
 951                  * However check that the packet type is valid.
 952                  */
 953                 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
 954                     bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 955                     bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
 956                         err = -EINVAL;
 957                         goto drop;
 958                 }
 959
 960                 skb_queue_tail(&hdev->raw_q, skb);
 961                 queue_work(hdev->workqueue, &hdev->tx_work);
 962         } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 963                 u16 opcode = get_unaligned_le16(skb->data);
 964                 u16 ogf = hci_opcode_ogf(opcode);
 965                 u16 ocf = hci_opcode_ocf(opcode);
 966
 967                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 968                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 969                                    &hci_sec_filter.ocf_mask[ogf])) &&
 970                     !capable(CAP_NET_RAW)) {
 971                         err = -EPERM;
 972                         goto drop;
 973                 }
 974
 975                 if (ogf == 0x3f) {
 976                         skb_queue_tail(&hdev->raw_q, skb);
 977                         queue_work(hdev->workqueue, &hdev->tx_work);
 978                 } else {
 979                         /* Stand-alone HCI commands must be flaged as
 980                          * single-command requests.
 981                          */
 982                         bt_cb(skb)->req.start = true;
 983
 984                         skb_queue_tail(&hdev->cmd_q, skb);
 985                         queue_work(hdev->workqueue, &hdev->cmd_work);
 986                 }
 987         } else {
 988                 if (!capable(CAP_NET_RAW)) {
 989                         err = -EPERM;
 990                         goto drop;
 991                 }
 992
 993                 skb_queue_tail(&hdev->raw_q, skb);
 994                 queue_work(hdev->workqueue, &hdev->tx_work);
 995         }
 996
 997         err = len;
 998
 999 done:
1000         release_sock(sk);
1001         return err;
1002
1003 drop:
1004         kfree_skb(skb);
1005         goto done;
1006 }
1007
1008 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1009                                char __user *optval, unsigned int len)
1010 {
1011         struct hci_ufilter uf = { .opcode = 0 };
1012         struct sock *sk = sock->sk;
1013         int err = 0, opt = 0;
1014
1015         BT_DBG("sk %p, opt %d", sk, optname);
1016
1017         lock_sock(sk);
1018
1019         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1020                 err = -EBADFD;
1021                 goto done;
1022         }
1023
1024         switch (optname) {
1025         case HCI_DATA_DIR:
1026                 if (get_user(opt, (int __user *)optval)) {
1027                         err = -EFAULT;
1028                         break;
1029                 }
1030
1031                 if (opt)
1032                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1033                 else
1034                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1035                 break;
1036
1037         case HCI_TIME_STAMP:
1038                 if (get_user(opt, (int __user *)optval)) {
1039                         err = -EFAULT;
1040                         break;
1041                 }
1042
1043                 if (opt)
1044                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1045                 else
1046                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1047                 break;
1048
1049         case HCI_FILTER:
1050                 {
1051                         struct hci_filter *f = &hci_pi(sk)->filter;
1052
1053                         uf.type_mask = f->type_mask;
1054                         uf.opcode    = f->opcode;
1055                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1056                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1057                 }
1058
1059                 len = min_t(unsigned int, len, sizeof(uf));
1060                 if (copy_from_user(&uf, optval, len)) {
1061                         err = -EFAULT;
1062                         break;
1063                 }
1064
1065                 if (!capable(CAP_NET_RAW)) {
1066                         uf.type_mask &= hci_sec_filter.type_mask;
1067                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1068                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1069                 }
1070
1071                 {
1072                         struct hci_filter *f = &hci_pi(sk)->filter;
1073
1074                         f->type_mask = uf.type_mask;
1075                         f->opcode    = uf.opcode;
1076                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1077                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1078                 }
1079                 break;
1080
1081         default:
1082                 err = -ENOPROTOOPT;
1083                 break;
1084         }
1085
1086 done:
1087         release_sock(sk);
1088         return err;
1089 }
1090
1091 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1092                                char __user *optval, int __user *optlen)
1093 {
1094         struct hci_ufilter uf;
1095         struct sock *sk = sock->sk;
1096         int len, opt, err = 0;
1097
1098         BT_DBG("sk %p, opt %d", sk, optname);
1099
1100         if (get_user(len, optlen))
1101                 return -EFAULT;
1102
1103         lock_sock(sk);
1104
1105         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1106                 err = -EBADFD;
1107                 goto done;
1108         }
1109
1110         switch (optname) {
1111         case HCI_DATA_DIR:
1112                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1113                         opt = 1;
1114                 else
1115                         opt = 0;
1116
1117                 if (put_user(opt, optval))
1118                         err = -EFAULT;
1119                 break;
1120
1121         case HCI_TIME_STAMP:
1122                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1123                         opt = 1;
1124                 else
1125                         opt = 0;
1126
1127                 if (put_user(opt, optval))
1128                         err = -EFAULT;
1129                 break;
1130
1131         case HCI_FILTER:
1132                 {
1133                         struct hci_filter *f = &hci_pi(sk)->filter;
1134
1135                         memset(&uf, 0, sizeof(uf));
1136                         uf.type_mask = f->type_mask;
1137                         uf.opcode    = f->opcode;
1138                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1139                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1140                 }
1141
1142                 len = min_t(unsigned int, len, sizeof(uf));
1143                 if (copy_to_user(optval, &uf, len))
1144                         err = -EFAULT;
1145                 break;
1146
1147         default:
1148                 err = -ENOPROTOOPT;
1149                 break;
1150         }
1151
1152 done:
1153         release_sock(sk);
1154         return err;
1155 }
1156
1157 static const struct proto_ops hci_sock_ops = {
1158         .family         = PF_BLUETOOTH,
1159         .owner          = THIS_MODULE,
1160         .release        = hci_sock_release,
1161         .bind           = hci_sock_bind,
1162         .getname        = hci_sock_getname,
1163         .sendmsg        = hci_sock_sendmsg,
1164         .recvmsg        = hci_sock_recvmsg,
1165         .ioctl          = hci_sock_ioctl,
1166         .poll           = datagram_poll,
1167         .listen         = sock_no_listen,
1168         .shutdown       = sock_no_shutdown,
1169         .setsockopt     = hci_sock_setsockopt,
1170         .getsockopt     = hci_sock_getsockopt,
1171         .connect        = sock_no_connect,
1172         .socketpair     = sock_no_socketpair,
1173         .accept         = sock_no_accept,
1174         .mmap           = sock_no_mmap
1175 };
1176
1177 static struct proto hci_sk_proto = {
1178         .name           = "HCI",
1179         .owner          = THIS_MODULE,
1180         .obj_size       = sizeof(struct hci_pinfo)
1181 };
1182
1183 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1184                            int kern)
1185 {
1186         struct sock *sk;
1187
1188         BT_DBG("sock %p", sock);
1189
1190         if (sock->type != SOCK_RAW)
1191                 return -ESOCKTNOSUPPORT;
1192
1193         sock->ops = &hci_sock_ops;
1194
1195         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1196         if (!sk)
1197                 return -ENOMEM;
1198
1199         sock_init_data(sock, sk);
1200
1201         sock_reset_flag(sk, SOCK_ZAPPED);
1202
1203         sk->sk_protocol = protocol;
1204
1205         sock->state = SS_UNCONNECTED;
1206         sk->sk_state = BT_OPEN;
1207
1208         bt_sock_link(&hci_sk_list, sk);
1209         return 0;
1210 }
1211
1212 static const struct net_proto_family hci_sock_family_ops = {
1213         .family = PF_BLUETOOTH,
1214         .owner  = THIS_MODULE,
1215         .create = hci_sock_create,
1216 };
1217
1218 int __init hci_sock_init(void)
1219 {
1220         int err;
1221
1222         err = proto_register(&hci_sk_proto, 0);
1223         if (err < 0)
1224                 return err;
1225
1226         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1227         if (err < 0) {
1228                 BT_ERR("HCI socket registration failed");
1229                 goto error;
1230         }
1231
1232         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1233         if (err < 0) {
1234                 BT_ERR("Failed to create HCI proc file");
1235                 bt_sock_unregister(BTPROTO_HCI);
1236                 goto error;
1237         }
1238
1239         BT_INFO("HCI socket layer initialized");
1240
1241         return 0;
1242
1243 error:
1244         proto_unregister(&hci_sk_proto);
1245         return err;
1246 }
1247
1248 void hci_sock_cleanup(void)
1249 {
1250         bt_procfs_cleanup(&init_net, "hci");
1251         bt_sock_unregister(BTPROTO_HCI);
1252         proto_unregister(&hci_sk_proto);
1253 }