~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/hci_sock.c

Version: ~ [ linux-5.11-rc3 ] ~ [ linux-5.10.7 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.89 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.167 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.215 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.251 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.251 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (C) 2000-2001 Qualcomm Incorporated
  4 
  5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
  6 
  7    This program is free software; you can redistribute it and/or modify
  8    it under the terms of the GNU General Public License version 2 as
  9    published by the Free Software Foundation;
 10 
 11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 19 
 20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 22    SOFTWARE IS DISCLAIMED.
 23 */
 24 
 25 /* Bluetooth HCI sockets. */
 26 
 27 #include <linux/export.h>
 28 #include <linux/utsname.h>
 29 #include <asm/unaligned.h>
 30 
 31 #include <net/bluetooth/bluetooth.h>
 32 #include <net/bluetooth/hci_core.h>
 33 #include <net/bluetooth/hci_mon.h>
 34 #include <net/bluetooth/mgmt.h>
 35 
 36 #include "mgmt_util.h"
 37 
 38 static LIST_HEAD(mgmt_chan_list);
 39 static DEFINE_MUTEX(mgmt_chan_list_lock);
 40 
 41 static atomic_t monitor_promisc = ATOMIC_INIT(0);
 42 
 43 /* ----- HCI socket interface ----- */
 44 
 45 /* Socket info */
 46 #define hci_pi(sk) ((struct hci_pinfo *) sk)
 47 
 48 struct hci_pinfo {
 49         struct bt_sock    bt;
 50         struct hci_dev    *hdev;
 51         struct hci_filter filter;
 52         __u32             cmsg_mask;
 53         unsigned short    channel;
 54         unsigned long     flags;
 55 };
 56 
 57 void hci_sock_set_flag(struct sock *sk, int nr)
 58 {
 59         set_bit(nr, &hci_pi(sk)->flags);
 60 }
 61 
 62 void hci_sock_clear_flag(struct sock *sk, int nr)
 63 {
 64         clear_bit(nr, &hci_pi(sk)->flags);
 65 }
 66 
 67 int hci_sock_test_flag(struct sock *sk, int nr)
 68 {
 69         return test_bit(nr, &hci_pi(sk)->flags);
 70 }
 71 
 72 unsigned short hci_sock_get_channel(struct sock *sk)
 73 {
 74         return hci_pi(sk)->channel;
 75 }
 76 
 77 static inline int hci_test_bit(int nr, const void *addr)
 78 {
 79         return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
 80 }
 81 
 82 /* Security filter */
 83 #define HCI_SFLT_MAX_OGF  5
 84 
 85 struct hci_sec_filter {
 86         __u32 type_mask;
 87         __u32 event_mask[2];
 88         __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
 89 };
 90 
 91 static const struct hci_sec_filter hci_sec_filter = {
 92         /* Packet types */
 93         0x10,
 94         /* Events */
 95         { 0x1000d9fe, 0x0000b00c },
 96         /* Commands */
 97         {
 98                 { 0x0 },
 99                 /* OGF_LINK_CTL */
100                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
101                 /* OGF_LINK_POLICY */
102                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
103                 /* OGF_HOST_CTL */
104                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
105                 /* OGF_INFO_PARAM */
106                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
107                 /* OGF_STATUS_PARAM */
108                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
109         }
110 };
111 
112 static struct bt_sock_list hci_sk_list = {
113         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
114 };
115 
116 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
117 {
118         struct hci_filter *flt;
119         int flt_type, flt_event;
120 
121         /* Apply filter */
122         flt = &hci_pi(sk)->filter;
123 
124         flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
125 
126         if (!test_bit(flt_type, &flt->type_mask))
127                 return true;
128 
129         /* Extra filter for event packets only */
130         if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
131                 return false;
132 
133         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
134 
135         if (!hci_test_bit(flt_event, &flt->event_mask))
136                 return true;
137 
138         /* Check filter only when opcode is set */
139         if (!flt->opcode)
140                 return false;
141 
142         if (flt_event == HCI_EV_CMD_COMPLETE &&
143             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
144                 return true;
145 
146         if (flt_event == HCI_EV_CMD_STATUS &&
147             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
148                 return true;
149 
150         return false;
151 }
152 
153 /* Send frame to RAW socket */
154 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
155 {
156         struct sock *sk;
157         struct sk_buff *skb_copy = NULL;
158 
159         BT_DBG("hdev %p len %d", hdev, skb->len);
160 
161         read_lock(&hci_sk_list.lock);
162 
163         sk_for_each(sk, &hci_sk_list.head) {
164                 struct sk_buff *nskb;
165 
166                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
167                         continue;
168 
169                 /* Don't send frame to the socket it came from */
170                 if (skb->sk == sk)
171                         continue;
172 
173                 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
174                         if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
175                             hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
176                             hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
177                             hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
178                                 continue;
179                         if (is_filtered_packet(sk, skb))
180                                 continue;
181                 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
182                         if (!bt_cb(skb)->incoming)
183                                 continue;
184                         if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
185                             hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
186                             hci_skb_pkt_type(skb) != HCI_SCODATA_PKT)
187                                 continue;
188                 } else {
189                         /* Don't send frame to other channel types */
190                         continue;
191                 }
192 
193                 if (!skb_copy) {
194                         /* Create a private copy with headroom */
195                         skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
196                         if (!skb_copy)
197                                 continue;
198 
199                         /* Put type byte before the data */
200                         memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
201                 }
202 
203                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
204                 if (!nskb)
205                         continue;
206 
207                 if (sock_queue_rcv_skb(sk, nskb))
208                         kfree_skb(nskb);
209         }
210 
211         read_unlock(&hci_sk_list.lock);
212 
213         kfree_skb(skb_copy);
214 }
215 
216 /* Send frame to sockets with specific channel */
217 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
218                          int flag, struct sock *skip_sk)
219 {
220         struct sock *sk;
221 
222         BT_DBG("channel %u len %d", channel, skb->len);
223 
224         read_lock(&hci_sk_list.lock);
225 
226         sk_for_each(sk, &hci_sk_list.head) {
227                 struct sk_buff *nskb;
228 
229                 /* Ignore socket without the flag set */
230                 if (!hci_sock_test_flag(sk, flag))
231                         continue;
232 
233                 /* Skip the original socket */
234                 if (sk == skip_sk)
235                         continue;
236 
237                 if (sk->sk_state != BT_BOUND)
238                         continue;
239 
240                 if (hci_pi(sk)->channel != channel)
241                         continue;
242 
243                 nskb = skb_clone(skb, GFP_ATOMIC);
244                 if (!nskb)
245                         continue;
246 
247                 if (sock_queue_rcv_skb(sk, nskb))
248                         kfree_skb(nskb);
249         }
250 
251         read_unlock(&hci_sk_list.lock);
252 }
253 
254 /* Send frame to monitor socket */
255 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
256 {
257         struct sk_buff *skb_copy = NULL;
258         struct hci_mon_hdr *hdr;
259         __le16 opcode;
260 
261         if (!atomic_read(&monitor_promisc))
262                 return;
263 
264         BT_DBG("hdev %p len %d", hdev, skb->len);
265 
266         switch (hci_skb_pkt_type(skb)) {
267         case HCI_COMMAND_PKT:
268                 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
269                 break;
270         case HCI_EVENT_PKT:
271                 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
272                 break;
273         case HCI_ACLDATA_PKT:
274                 if (bt_cb(skb)->incoming)
275                         opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
276                 else
277                         opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
278                 break;
279         case HCI_SCODATA_PKT:
280                 if (bt_cb(skb)->incoming)
281                         opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
282                 else
283                         opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
284                 break;
285         case HCI_DIAG_PKT:
286                 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
287                 break;
288         default:
289                 return;
290         }
291 
292         /* Create a private copy with headroom */
293         skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
294         if (!skb_copy)
295                 return;
296 
297         /* Put header before the data */
298         hdr = (void *)skb_push(skb_copy, HCI_MON_HDR_SIZE);
299         hdr->opcode = opcode;
300         hdr->index = cpu_to_le16(hdev->id);
301         hdr->len = cpu_to_le16(skb->len);
302 
303         hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
304                             HCI_SOCK_TRUSTED, NULL);
305         kfree_skb(skb_copy);
306 }
307 
308 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
309 {
310         struct hci_mon_hdr *hdr;
311         struct hci_mon_new_index *ni;
312         struct hci_mon_index_info *ii;
313         struct sk_buff *skb;
314         __le16 opcode;
315 
316         switch (event) {
317         case HCI_DEV_REG:
318                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
319                 if (!skb)
320                         return NULL;
321 
322                 ni = (void *)skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
323                 ni->type = hdev->dev_type;
324                 ni->bus = hdev->bus;
325                 bacpy(&ni->bdaddr, &hdev->bdaddr);
326                 memcpy(ni->name, hdev->name, 8);
327 
328                 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
329                 break;
330 
331         case HCI_DEV_UNREG:
332                 skb = bt_skb_alloc(0, GFP_ATOMIC);
333                 if (!skb)
334                         return NULL;
335 
336                 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
337                 break;
338 
339         case HCI_DEV_SETUP:
340                 if (hdev->manufacturer == 0xffff)
341                         return NULL;
342 
343                 /* fall through */
344 
345         case HCI_DEV_UP:
346                 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
347                 if (!skb)
348                         return NULL;
349 
350                 ii = (void *)skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
351                 bacpy(&ii->bdaddr, &hdev->bdaddr);
352                 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
353 
354                 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
355                 break;
356 
357         case HCI_DEV_OPEN:
358                 skb = bt_skb_alloc(0, GFP_ATOMIC);
359                 if (!skb)
360                         return NULL;
361 
362                 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
363                 break;
364 
365         case HCI_DEV_CLOSE:
366                 skb = bt_skb_alloc(0, GFP_ATOMIC);
367                 if (!skb)
368                         return NULL;
369 
370                 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
371                 break;
372 
373         default:
374                 return NULL;
375         }
376 
377         __net_timestamp(skb);
378 
379         hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
380         hdr->opcode = opcode;
381         hdr->index = cpu_to_le16(hdev->id);
382         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
383 
384         return skb;
385 }
386 
387 static void __printf(2, 3)
388 send_monitor_note(struct sock *sk, const char *fmt, ...)
389 {
390         size_t len;
391         struct hci_mon_hdr *hdr;
392         struct sk_buff *skb;
393         va_list args;
394 
395         va_start(args, fmt);
396         len = vsnprintf(NULL, 0, fmt, args);
397         va_end(args);
398 
399         skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
400         if (!skb)
401                 return;
402 
403         va_start(args, fmt);
404         vsprintf(skb_put(skb, len), fmt, args);
405         *skb_put(skb, 1) = 0;
406         va_end(args);
407 
408         __net_timestamp(skb);
409 
410         hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
411         hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
412         hdr->index = cpu_to_le16(HCI_DEV_NONE);
413         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
414 
415         if (sock_queue_rcv_skb(sk, skb))
416                 kfree_skb(skb);
417 }
418 
419 static void send_monitor_replay(struct sock *sk)
420 {
421         struct hci_dev *hdev;
422 
423         read_lock(&hci_dev_list_lock);
424 
425         list_for_each_entry(hdev, &hci_dev_list, list) {
426                 struct sk_buff *skb;
427 
428                 skb = create_monitor_event(hdev, HCI_DEV_REG);
429                 if (!skb)
430                         continue;
431 
432                 if (sock_queue_rcv_skb(sk, skb))
433                         kfree_skb(skb);
434 
435                 if (!test_bit(HCI_RUNNING, &hdev->flags))
436                         continue;
437 
438                 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
439                 if (!skb)
440                         continue;
441 
442                 if (sock_queue_rcv_skb(sk, skb))
443                         kfree_skb(skb);
444 
445                 if (test_bit(HCI_UP, &hdev->flags))
446                         skb = create_monitor_event(hdev, HCI_DEV_UP);
447                 else if (hci_dev_test_flag(hdev, HCI_SETUP))
448                         skb = create_monitor_event(hdev, HCI_DEV_SETUP);
449                 else
450                         skb = NULL;
451 
452                 if (skb) {
453                         if (sock_queue_rcv_skb(sk, skb))
454                                 kfree_skb(skb);
455                 }
456         }
457 
458         read_unlock(&hci_dev_list_lock);
459 }
460 
461 /* Generate internal stack event */
462 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
463 {
464         struct hci_event_hdr *hdr;
465         struct hci_ev_stack_internal *ev;
466         struct sk_buff *skb;
467 
468         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
469         if (!skb)
470                 return;
471 
472         hdr = (void *)skb_put(skb, HCI_EVENT_HDR_SIZE);
473         hdr->evt  = HCI_EV_STACK_INTERNAL;
474         hdr->plen = sizeof(*ev) + dlen;
475 
476         ev  = (void *)skb_put(skb, sizeof(*ev) + dlen);
477         ev->type = type;
478         memcpy(ev->data, data, dlen);
479 
480         bt_cb(skb)->incoming = 1;
481         __net_timestamp(skb);
482 
483         hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
484         hci_send_to_sock(hdev, skb);
485         kfree_skb(skb);
486 }
487 
488 void hci_sock_dev_event(struct hci_dev *hdev, int event)
489 {
490         BT_DBG("hdev %s event %d", hdev->name, event);
491 
492         if (atomic_read(&monitor_promisc)) {
493                 struct sk_buff *skb;
494 
495                 /* Send event to monitor */
496                 skb = create_monitor_event(hdev, event);
497                 if (skb) {
498                         hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
499                                             HCI_SOCK_TRUSTED, NULL);
500                         kfree_skb(skb);
501                 }
502         }
503 
504         if (event <= HCI_DEV_DOWN) {
505                 struct hci_ev_si_device ev;
506 
507                 /* Send event to sockets */
508                 ev.event  = event;
509                 ev.dev_id = hdev->id;
510                 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
511         }
512 
513         if (event == HCI_DEV_UNREG) {
514                 struct sock *sk;
515 
516                 /* Detach sockets from device */
517                 read_lock(&hci_sk_list.lock);
518                 sk_for_each(sk, &hci_sk_list.head) {
519                         bh_lock_sock_nested(sk);
520                         if (hci_pi(sk)->hdev == hdev) {
521                                 hci_pi(sk)->hdev = NULL;
522                                 sk->sk_err = EPIPE;
523                                 sk->sk_state = BT_OPEN;
524                                 sk->sk_state_change(sk);
525 
526                                 hci_dev_put(hdev);
527                         }
528                         bh_unlock_sock(sk);
529                 }
530                 read_unlock(&hci_sk_list.lock);
531         }
532 }
533 
534 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
535 {
536         struct hci_mgmt_chan *c;
537 
538         list_for_each_entry(c, &mgmt_chan_list, list) {
539                 if (c->channel == channel)
540                         return c;
541         }
542 
543         return NULL;
544 }
545 
546 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
547 {
548         struct hci_mgmt_chan *c;
549 
550         mutex_lock(&mgmt_chan_list_lock);
551         c = __hci_mgmt_chan_find(channel);
552         mutex_unlock(&mgmt_chan_list_lock);
553 
554         return c;
555 }
556 
557 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
558 {
559         if (c->channel < HCI_CHANNEL_CONTROL)
560                 return -EINVAL;
561 
562         mutex_lock(&mgmt_chan_list_lock);
563         if (__hci_mgmt_chan_find(c->channel)) {
564                 mutex_unlock(&mgmt_chan_list_lock);
565                 return -EALREADY;
566         }
567 
568         list_add_tail(&c->list, &mgmt_chan_list);
569 
570         mutex_unlock(&mgmt_chan_list_lock);
571 
572         return 0;
573 }
574 EXPORT_SYMBOL(hci_mgmt_chan_register);
575 
576 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
577 {
578         mutex_lock(&mgmt_chan_list_lock);
579         list_del(&c->list);
580         mutex_unlock(&mgmt_chan_list_lock);
581 }
582 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
583 
584 static int hci_sock_release(struct socket *sock)
585 {
586         struct sock *sk = sock->sk;
587         struct hci_dev *hdev;
588 
589         BT_DBG("sock %p sk %p", sock, sk);
590 
591         if (!sk)
592                 return 0;
593 
594         hdev = hci_pi(sk)->hdev;
595 
596         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
597                 atomic_dec(&monitor_promisc);
598 
599         bt_sock_unlink(&hci_sk_list, sk);
600 
601         if (hdev) {
602                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
603                         /* When releasing an user channel exclusive access,
604                          * call hci_dev_do_close directly instead of calling
605                          * hci_dev_close to ensure the exclusive access will
606                          * be released and the controller brought back down.
607                          *
608                          * The checking of HCI_AUTO_OFF is not needed in this
609                          * case since it will have been cleared already when
610                          * opening the user channel.
611                          */
612                         hci_dev_do_close(hdev);
613                         hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
614                         mgmt_index_added(hdev);
615                 }
616 
617                 atomic_dec(&hdev->promisc);
618                 hci_dev_put(hdev);
619         }
620 
621         sock_orphan(sk);
622 
623         skb_queue_purge(&sk->sk_receive_queue);
624         skb_queue_purge(&sk->sk_write_queue);
625 
626         sock_put(sk);
627         return 0;
628 }
629 
630 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
631 {
632         bdaddr_t bdaddr;
633         int err;
634 
635         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
636                 return -EFAULT;
637 
638         hci_dev_lock(hdev);
639 
640         err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
641 
642         hci_dev_unlock(hdev);
643 
644         return err;
645 }
646 
647 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
648 {
649         bdaddr_t bdaddr;
650         int err;
651 
652         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
653                 return -EFAULT;
654 
655         hci_dev_lock(hdev);
656 
657         err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
658 
659         hci_dev_unlock(hdev);
660 
661         return err;
662 }
663 
664 /* Ioctls that require bound socket */
665 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
666                                 unsigned long arg)
667 {
668         struct hci_dev *hdev = hci_pi(sk)->hdev;
669 
670         if (!hdev)
671                 return -EBADFD;
672 
673         if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
674                 return -EBUSY;
675 
676         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
677                 return -EOPNOTSUPP;
678 
679         if (hdev->dev_type != HCI_PRIMARY)
680                 return -EOPNOTSUPP;
681 
682         switch (cmd) {
683         case HCISETRAW:
684                 if (!capable(CAP_NET_ADMIN))
685                         return -EPERM;
686                 return -EOPNOTSUPP;
687 
688         case HCIGETCONNINFO:
689                 return hci_get_conn_info(hdev, (void __user *)arg);
690 
691         case HCIGETAUTHINFO:
692                 return hci_get_auth_info(hdev, (void __user *)arg);
693 
694         case HCIBLOCKADDR:
695                 if (!capable(CAP_NET_ADMIN))
696                         return -EPERM;
697                 return hci_sock_blacklist_add(hdev, (void __user *)arg);
698 
699         case HCIUNBLOCKADDR:
700                 if (!capable(CAP_NET_ADMIN))
701                         return -EPERM;
702                 return hci_sock_blacklist_del(hdev, (void __user *)arg);
703         }
704 
705         return -ENOIOCTLCMD;
706 }
707 
708 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
709                           unsigned long arg)
710 {
711         void __user *argp = (void __user *)arg;
712         struct sock *sk = sock->sk;
713         int err;
714 
715         BT_DBG("cmd %x arg %lx", cmd, arg);
716 
717         lock_sock(sk);
718 
719         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
720                 err = -EBADFD;
721                 goto done;
722         }
723 
724         release_sock(sk);
725 
726         switch (cmd) {
727         case HCIGETDEVLIST:
728                 return hci_get_dev_list(argp);
729 
730         case HCIGETDEVINFO:
731                 return hci_get_dev_info(argp);
732 
733         case HCIGETCONNLIST:
734                 return hci_get_conn_list(argp);
735 
736         case HCIDEVUP:
737                 if (!capable(CAP_NET_ADMIN))
738                         return -EPERM;
739                 return hci_dev_open(arg);
740 
741         case HCIDEVDOWN:
742                 if (!capable(CAP_NET_ADMIN))
743                         return -EPERM;
744                 return hci_dev_close(arg);
745 
746         case HCIDEVRESET:
747                 if (!capable(CAP_NET_ADMIN))
748                         return -EPERM;
749                 return hci_dev_reset(arg);
750 
751         case HCIDEVRESTAT:
752                 if (!capable(CAP_NET_ADMIN))
753                         return -EPERM;
754                 return hci_dev_reset_stat(arg);
755 
756         case HCISETSCAN:
757         case HCISETAUTH:
758         case HCISETENCRYPT:
759         case HCISETPTYPE:
760         case HCISETLINKPOL:
761         case HCISETLINKMODE:
762         case HCISETACLMTU:
763         case HCISETSCOMTU:
764                 if (!capable(CAP_NET_ADMIN))
765                         return -EPERM;
766                 return hci_dev_cmd(cmd, argp);
767 
768         case HCIINQUIRY:
769                 return hci_inquiry(argp);
770         }
771 
772         lock_sock(sk);
773 
774         err = hci_sock_bound_ioctl(sk, cmd, arg);
775 
776 done:
777         release_sock(sk);
778         return err;
779 }
780 
781 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
782                          int addr_len)
783 {
784         struct sockaddr_hci haddr;
785         struct sock *sk = sock->sk;
786         struct hci_dev *hdev = NULL;
787         int len, err = 0;
788 
789         BT_DBG("sock %p sk %p", sock, sk);
790 
791         if (!addr)
792                 return -EINVAL;
793 
794         memset(&haddr, 0, sizeof(haddr));
795         len = min_t(unsigned int, sizeof(haddr), addr_len);
796         memcpy(&haddr, addr, len);
797 
798         if (haddr.hci_family != AF_BLUETOOTH)
799                 return -EINVAL;
800 
801         lock_sock(sk);
802 
803         if (sk->sk_state == BT_BOUND) {
804                 err = -EALREADY;
805                 goto done;
806         }
807 
808         switch (haddr.hci_channel) {
809         case HCI_CHANNEL_RAW:
810                 if (hci_pi(sk)->hdev) {
811                         err = -EALREADY;
812                         goto done;
813                 }
814 
815                 if (haddr.hci_dev != HCI_DEV_NONE) {
816                         hdev = hci_dev_get(haddr.hci_dev);
817                         if (!hdev) {
818                                 err = -ENODEV;
819                                 goto done;
820                         }
821 
822                         atomic_inc(&hdev->promisc);
823                 }
824 
825                 hci_pi(sk)->hdev = hdev;
826                 break;
827 
828         case HCI_CHANNEL_USER:
829                 if (hci_pi(sk)->hdev) {
830                         err = -EALREADY;
831                         goto done;
832                 }
833 
834                 if (haddr.hci_dev == HCI_DEV_NONE) {
835                         err = -EINVAL;
836                         goto done;
837                 }
838 
839                 if (!capable(CAP_NET_ADMIN)) {
840                         err = -EPERM;
841                         goto done;
842                 }
843 
844                 hdev = hci_dev_get(haddr.hci_dev);
845                 if (!hdev) {
846                         err = -ENODEV;
847                         goto done;
848                 }
849 
850                 if (test_bit(HCI_INIT, &hdev->flags) ||
851                     hci_dev_test_flag(hdev, HCI_SETUP) ||
852                     hci_dev_test_flag(hdev, HCI_CONFIG) ||
853                     (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
854                      test_bit(HCI_UP, &hdev->flags))) {
855                         err = -EBUSY;
856                         hci_dev_put(hdev);
857                         goto done;
858                 }
859 
860                 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
861                         err = -EUSERS;
862                         hci_dev_put(hdev);
863                         goto done;
864                 }
865 
866                 mgmt_index_removed(hdev);
867 
868                 err = hci_dev_open(hdev->id);
869                 if (err) {
870                         if (err == -EALREADY) {
871                                 /* In case the transport is already up and
872                                  * running, clear the error here.
873                                  *
874                                  * This can happen when opening an user
875                                  * channel and HCI_AUTO_OFF grace period
876                                  * is still active.
877                                  */
878                                 err = 0;
879                         } else {
880                                 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
881                                 mgmt_index_added(hdev);
882                                 hci_dev_put(hdev);
883                                 goto done;
884                         }
885                 }
886 
887                 atomic_inc(&hdev->promisc);
888 
889                 hci_pi(sk)->hdev = hdev;
890                 break;
891 
892         case HCI_CHANNEL_MONITOR:
893                 if (haddr.hci_dev != HCI_DEV_NONE) {
894                         err = -EINVAL;
895                         goto done;
896                 }
897 
898                 if (!capable(CAP_NET_RAW)) {
899                         err = -EPERM;
900                         goto done;
901                 }
902 
903                 /* The monitor interface is restricted to CAP_NET_RAW
904                  * capabilities and with that implicitly trusted.
905                  */
906                 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
907 
908                 send_monitor_note(sk, "Linux version %s (%s)",
909                                   init_utsname()->release,
910                                   init_utsname()->machine);
911                 send_monitor_note(sk, "Bluetooth subsystem version %s",
912                                   BT_SUBSYS_VERSION);
913                 send_monitor_replay(sk);
914 
915                 atomic_inc(&monitor_promisc);
916                 break;
917 
918         case HCI_CHANNEL_LOGGING:
919                 if (haddr.hci_dev != HCI_DEV_NONE) {
920                         err = -EINVAL;
921                         goto done;
922                 }
923 
924                 if (!capable(CAP_NET_ADMIN)) {
925                         err = -EPERM;
926                         goto done;
927                 }
928                 break;
929 
930         default:
931                 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
932                         err = -EINVAL;
933                         goto done;
934                 }
935 
936                 if (haddr.hci_dev != HCI_DEV_NONE) {
937                         err = -EINVAL;
938                         goto done;
939                 }
940 
941                 /* Users with CAP_NET_ADMIN capabilities are allowed
942                  * access to all management commands and events. For
943                  * untrusted users the interface is restricted and
944                  * also only untrusted events are sent.
945                  */
946                 if (capable(CAP_NET_ADMIN))
947                         hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
948 
949                 /* At the moment the index and unconfigured index events
950                  * are enabled unconditionally. Setting them on each
951                  * socket when binding keeps this functionality. They
952                  * however might be cleared later and then sending of these
953                  * events will be disabled, but that is then intentional.
954                  *
955                  * This also enables generic events that are safe to be
956                  * received by untrusted users. Example for such events
957                  * are changes to settings, class of device, name etc.
958                  */
959                 if (haddr.hci_channel == HCI_CHANNEL_CONTROL) {
960                         hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
961                         hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
962                         hci_sock_set_flag(sk, HCI_MGMT_GENERIC_EVENTS);
963                 }
964                 break;
965         }
966 
967 
968         hci_pi(sk)->channel = haddr.hci_channel;
969         sk->sk_state = BT_BOUND;
970 
971 done:
972         release_sock(sk);
973         return err;
974 }
975 
976 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
977                             int *addr_len, int peer)
978 {
979         struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
980         struct sock *sk = sock->sk;
981         struct hci_dev *hdev;
982         int err = 0;
983 
984         BT_DBG("sock %p sk %p", sock, sk);
985 
986         if (peer)
987                 return -EOPNOTSUPP;
988 
989         lock_sock(sk);
990 
991         hdev = hci_pi(sk)->hdev;
992         if (!hdev) {
993                 err = -EBADFD;
994                 goto done;
995         }
996 
997         *addr_len = sizeof(*haddr);
998         haddr->hci_family = AF_BLUETOOTH;
999         haddr->hci_dev    = hdev->id;
1000         haddr->hci_channel= hci_pi(sk)->channel;
1001 
1002 done:
1003         release_sock(sk);
1004         return err;
1005 }
1006 
1007 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1008                           struct sk_buff *skb)
1009 {
1010         __u32 mask = hci_pi(sk)->cmsg_mask;
1011 
1012         if (mask & HCI_CMSG_DIR) {
1013                 int incoming = bt_cb(skb)->incoming;
1014                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1015                          &incoming);
1016         }
1017 
1018         if (mask & HCI_CMSG_TSTAMP) {
1019 #ifdef CONFIG_COMPAT
1020                 struct compat_timeval ctv;
1021 #endif
1022                 struct timeval tv;
1023                 void *data;
1024                 int len;
1025 
1026                 skb_get_timestamp(skb, &tv);
1027 
1028                 data = &tv;
1029                 len = sizeof(tv);
1030 #ifdef CONFIG_COMPAT
1031                 if (!COMPAT_USE_64BIT_TIME &&
1032                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
1033                         ctv.tv_sec = tv.tv_sec;
1034                         ctv.tv_usec = tv.tv_usec;
1035                         data = &ctv;
1036                         len = sizeof(ctv);
1037                 }
1038 #endif
1039 
1040                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1041         }
1042 }
1043 
1044 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1045                             size_t len, int flags)
1046 {
1047         int noblock = flags & MSG_DONTWAIT;
1048         struct sock *sk = sock->sk;
1049         struct sk_buff *skb;
1050         int copied, err;
1051         unsigned int skblen;
1052 
1053         BT_DBG("sock %p, sk %p", sock, sk);
1054 
1055         if (flags & MSG_OOB)
1056                 return -EOPNOTSUPP;
1057 
1058         if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1059                 return -EOPNOTSUPP;
1060 
1061         if (sk->sk_state == BT_CLOSED)
1062                 return 0;
1063 
1064         skb = skb_recv_datagram(sk, flags, noblock, &err);
1065         if (!skb)
1066                 return err;
1067 
1068         skblen = skb->len;
1069         copied = skb->len;
1070         if (len < copied) {
1071                 msg->msg_flags |= MSG_TRUNC;
1072                 copied = len;
1073         }
1074 
1075         skb_reset_transport_header(skb);
1076         err = skb_copy_datagram_msg(skb, 0, msg, copied);
1077 
1078         switch (hci_pi(sk)->channel) {
1079         case HCI_CHANNEL_RAW:
1080                 hci_sock_cmsg(sk, msg, skb);
1081                 break;
1082         case HCI_CHANNEL_USER:
1083         case HCI_CHANNEL_MONITOR:
1084                 sock_recv_timestamp(msg, sk, skb);
1085                 break;
1086         default:
1087                 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1088                         sock_recv_timestamp(msg, sk, skb);
1089                 break;
1090         }
1091 
1092         skb_free_datagram(sk, skb);
1093 
1094         if (flags & MSG_TRUNC)
1095                 copied = skblen;
1096 
1097         return err ? : copied;
1098 }
1099 
1100 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1101                         struct msghdr *msg, size_t msglen)
1102 {
1103         void *buf;
1104         u8 *cp;
1105         struct mgmt_hdr *hdr;
1106         u16 opcode, index, len;
1107         struct hci_dev *hdev = NULL;
1108         const struct hci_mgmt_handler *handler;
1109         bool var_len, no_hdev;
1110         int err;
1111 
1112         BT_DBG("got %zu bytes", msglen);
1113 
1114         if (msglen < sizeof(*hdr))
1115                 return -EINVAL;
1116 
1117         buf = kmalloc(msglen, GFP_KERNEL);
1118         if (!buf)
1119                 return -ENOMEM;
1120 
1121         if (memcpy_from_msg(buf, msg, msglen)) {
1122                 err = -EFAULT;
1123                 goto done;
1124         }
1125 
1126         hdr = buf;
1127         opcode = __le16_to_cpu(hdr->opcode);
1128         index = __le16_to_cpu(hdr->index);
1129         len = __le16_to_cpu(hdr->len);
1130 
1131         if (len != msglen - sizeof(*hdr)) {
1132                 err = -EINVAL;
1133                 goto done;
1134         }
1135 
1136         if (opcode >= chan->handler_count ||
1137             chan->handlers[opcode].func == NULL) {
1138                 BT_DBG("Unknown op %u", opcode);
1139                 err = mgmt_cmd_status(sk, index, opcode,
1140                                       MGMT_STATUS_UNKNOWN_COMMAND);
1141                 goto done;
1142         }
1143 
1144         handler = &chan->handlers[opcode];
1145 
1146         if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1147             !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1148                 err = mgmt_cmd_status(sk, index, opcode,
1149                                       MGMT_STATUS_PERMISSION_DENIED);
1150                 goto done;
1151         }
1152 
1153         if (index != MGMT_INDEX_NONE) {
1154                 hdev = hci_dev_get(index);
1155                 if (!hdev) {
1156                         err = mgmt_cmd_status(sk, index, opcode,
1157                                               MGMT_STATUS_INVALID_INDEX);
1158                         goto done;
1159                 }
1160 
1161                 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1162                     hci_dev_test_flag(hdev, HCI_CONFIG) ||
1163                     hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1164                         err = mgmt_cmd_status(sk, index, opcode,
1165                                               MGMT_STATUS_INVALID_INDEX);
1166                         goto done;
1167                 }
1168 
1169                 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1170                     !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1171                         err = mgmt_cmd_status(sk, index, opcode,
1172                                               MGMT_STATUS_INVALID_INDEX);
1173                         goto done;
1174                 }
1175         }
1176 
1177         no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1178         if (no_hdev != !hdev) {
1179                 err = mgmt_cmd_status(sk, index, opcode,
1180                                       MGMT_STATUS_INVALID_INDEX);
1181                 goto done;
1182         }
1183 
1184         var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1185         if ((var_len && len < handler->data_len) ||
1186             (!var_len && len != handler->data_len)) {
1187                 err = mgmt_cmd_status(sk, index, opcode,
1188                                       MGMT_STATUS_INVALID_PARAMS);
1189                 goto done;
1190         }
1191 
1192         if (hdev && chan->hdev_init)
1193                 chan->hdev_init(sk, hdev);
1194 
1195         cp = buf + sizeof(*hdr);
1196 
1197         err = handler->func(sk, hdev, cp, len);
1198         if (err < 0)
1199                 goto done;
1200 
1201         err = msglen;
1202 
1203 done:
1204         if (hdev)
1205                 hci_dev_put(hdev);
1206 
1207         kfree(buf);
1208         return err;
1209 }
1210 
1211 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
1212 {
1213         struct hci_mon_hdr *hdr;
1214         struct sk_buff *skb;
1215         struct hci_dev *hdev;
1216         u16 index;
1217         int err;
1218 
1219         /* The logging frame consists at minimum of the standard header,
1220          * the priority byte, the ident length byte and at least one string
1221          * terminator NUL byte. Anything shorter are invalid packets.
1222          */
1223         if (len < sizeof(*hdr) + 3)
1224                 return -EINVAL;
1225 
1226         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1227         if (!skb)
1228                 return err;
1229 
1230         if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1231                 err = -EFAULT;
1232                 goto drop;
1233         }
1234 
1235         hdr = (void *)skb->data;
1236 
1237         if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) {
1238                 err = -EINVAL;
1239                 goto drop;
1240         }
1241 
1242         if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1243                 __u8 priority = skb->data[sizeof(*hdr)];
1244                 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1245 
1246                 /* Only the priorities 0-7 are valid and with that any other
1247                  * value results in an invalid packet.
1248                  *
1249                  * The priority byte is followed by an ident length byte and
1250                  * the NUL terminated ident string. Check that the ident
1251                  * length is not overflowing the packet and also that the
1252                  * ident string itself is NUL terminated. In case the ident
1253                  * length is zero, the length value actually doubles as NUL
1254                  * terminator identifier.
1255                  *
1256                  * The message follows the ident string (if present) and
1257                  * must be NUL terminated. Otherwise it is not a valid packet.
1258                  */
1259                 if (priority > 7 || skb->data[len - 1] != 0x00 ||
1260                     ident_len > len - sizeof(*hdr) - 3 ||
1261                     skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) {
1262                         err = -EINVAL;
1263                         goto drop;
1264                 }
1265         } else {
1266                 err = -EINVAL;
1267                 goto drop;
1268         }
1269 
1270         index = __le16_to_cpu(hdr->index);
1271 
1272         if (index != MGMT_INDEX_NONE) {
1273                 hdev = hci_dev_get(index);
1274                 if (!hdev) {
1275                         err = -ENODEV;
1276                         goto drop;
1277                 }
1278         } else {
1279                 hdev = NULL;
1280         }
1281 
1282         hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1283 
1284         hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1285         err = len;
1286 
1287         if (hdev)
1288                 hci_dev_put(hdev);
1289 
1290 drop:
1291         kfree_skb(skb);
1292         return err;
1293 }
1294 
1295 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1296                             size_t len)
1297 {
1298         struct sock *sk = sock->sk;
1299         struct hci_mgmt_chan *chan;
1300         struct hci_dev *hdev;
1301         struct sk_buff *skb;
1302         int err;
1303 
1304         BT_DBG("sock %p sk %p", sock, sk);
1305 
1306         if (msg->msg_flags & MSG_OOB)
1307                 return -EOPNOTSUPP;
1308 
1309         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
1310                 return -EINVAL;
1311 
1312         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
1313                 return -EINVAL;
1314 
1315         lock_sock(sk);
1316 
1317         switch (hci_pi(sk)->channel) {
1318         case HCI_CHANNEL_RAW:
1319         case HCI_CHANNEL_USER:
1320                 break;
1321         case HCI_CHANNEL_MONITOR:
1322                 err = -EOPNOTSUPP;
1323                 goto done;
1324         case HCI_CHANNEL_LOGGING:
1325                 err = hci_logging_frame(sk, msg, len);
1326                 goto done;
1327         default:
1328                 mutex_lock(&mgmt_chan_list_lock);
1329                 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1330                 if (chan)
1331                         err = hci_mgmt_cmd(chan, sk, msg, len);
1332                 else
1333                         err = -EINVAL;
1334 
1335                 mutex_unlock(&mgmt_chan_list_lock);
1336                 goto done;
1337         }
1338 
1339         hdev = hci_pi(sk)->hdev;
1340         if (!hdev) {
1341                 err = -EBADFD;
1342                 goto done;
1343         }
1344 
1345         if (!test_bit(HCI_UP, &hdev->flags)) {
1346                 err = -ENETDOWN;
1347                 goto done;
1348         }
1349 
1350         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1351         if (!skb)
1352                 goto done;
1353 
1354         if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1355                 err = -EFAULT;
1356                 goto drop;
1357         }
1358 
1359         hci_skb_pkt_type(skb) = skb->data[0];
1360         skb_pull(skb, 1);
1361 
1362         if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1363                 /* No permission check is needed for user channel
1364                  * since that gets enforced when binding the socket.
1365                  *
1366                  * However check that the packet type is valid.
1367                  */
1368                 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1369                     hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1370                     hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1371                         err = -EINVAL;
1372                         goto drop;
1373                 }
1374 
1375                 skb_queue_tail(&hdev->raw_q, skb);
1376                 queue_work(hdev->workqueue, &hdev->tx_work);
1377         } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1378                 u16 opcode = get_unaligned_le16(skb->data);
1379                 u16 ogf = hci_opcode_ogf(opcode);
1380                 u16 ocf = hci_opcode_ocf(opcode);
1381 
1382                 if (((ogf > HCI_SFLT_MAX_OGF) ||
1383                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1384                                    &hci_sec_filter.ocf_mask[ogf])) &&
1385                     !capable(CAP_NET_RAW)) {
1386                         err = -EPERM;
1387                         goto drop;
1388                 }
1389 
1390                 /* Since the opcode has already been extracted here, store
1391                  * a copy of the value for later use by the drivers.
1392                  */
1393                 hci_skb_opcode(skb) = opcode;
1394 
1395                 if (ogf == 0x3f) {
1396                         skb_queue_tail(&hdev->raw_q, skb);
1397                         queue_work(hdev->workqueue, &hdev->tx_work);
1398                 } else {
1399                         /* Stand-alone HCI commands must be flagged as
1400                          * single-command requests.
1401                          */
1402                         bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1403 
1404                         skb_queue_tail(&hdev->cmd_q, skb);
1405                         queue_work(hdev->workqueue, &hdev->cmd_work);
1406                 }
1407         } else {
1408                 if (!capable(CAP_NET_RAW)) {
1409                         err = -EPERM;
1410                         goto drop;
1411                 }
1412 
1413                 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1414                     hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
1415                         err = -EINVAL;
1416                         goto drop;
1417                 }
1418 
1419                 skb_queue_tail(&hdev->raw_q, skb);
1420                 queue_work(hdev->workqueue, &hdev->tx_work);
1421         }
1422 
1423         err = len;
1424 
1425 done:
1426         release_sock(sk);
1427         return err;
1428 
1429 drop:
1430         kfree_skb(skb);
1431         goto done;
1432 }
1433 
1434 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1435                                char __user *optval, unsigned int len)
1436 {
1437         struct hci_ufilter uf = { .opcode = 0 };
1438         struct sock *sk = sock->sk;
1439         int err = 0, opt = 0;
1440 
1441         BT_DBG("sk %p, opt %d", sk, optname);
1442 
1443         lock_sock(sk);
1444 
1445         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1446                 err = -EBADFD;
1447                 goto done;
1448         }
1449 
1450         switch (optname) {
1451         case HCI_DATA_DIR:
1452                 if (get_user(opt, (int __user *)optval)) {
1453                         err = -EFAULT;
1454                         break;
1455                 }
1456 
1457                 if (opt)
1458                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1459                 else
1460                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1461                 break;
1462 
1463         case HCI_TIME_STAMP:
1464                 if (get_user(opt, (int __user *)optval)) {
1465                         err = -EFAULT;
1466                         break;
1467                 }
1468 
1469                 if (opt)
1470                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1471                 else
1472                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1473                 break;
1474 
1475         case HCI_FILTER:
1476                 {
1477                         struct hci_filter *f = &hci_pi(sk)->filter;
1478 
1479                         uf.type_mask = f->type_mask;
1480                         uf.opcode    = f->opcode;
1481                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1482                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1483                 }
1484 
1485                 len = min_t(unsigned int, len, sizeof(uf));
1486                 if (copy_from_user(&uf, optval, len)) {
1487                         err = -EFAULT;
1488                         break;
1489                 }
1490 
1491                 if (!capable(CAP_NET_RAW)) {
1492                         uf.type_mask &= hci_sec_filter.type_mask;
1493                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1494                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1495                 }
1496 
1497                 {
1498                         struct hci_filter *f = &hci_pi(sk)->filter;
1499 
1500                         f->type_mask = uf.type_mask;
1501                         f->opcode    = uf.opcode;
1502                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1503                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1504                 }
1505                 break;
1506 
1507         default:
1508                 err = -ENOPROTOOPT;
1509                 break;
1510         }
1511 
1512 done:
1513         release_sock(sk);
1514         return err;
1515 }
1516 
1517 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1518                                char __user *optval, int __user *optlen)
1519 {
1520         struct hci_ufilter uf;
1521         struct sock *sk = sock->sk;
1522         int len, opt, err = 0;
1523 
1524         BT_DBG("sk %p, opt %d", sk, optname);
1525 
1526         if (get_user(len, optlen))
1527                 return -EFAULT;
1528 
1529         lock_sock(sk);
1530 
1531         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1532                 err = -EBADFD;
1533                 goto done;
1534         }
1535 
1536         switch (optname) {
1537         case HCI_DATA_DIR:
1538                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1539                         opt = 1;
1540                 else
1541                         opt = 0;
1542 
1543                 if (put_user(opt, optval))
1544                         err = -EFAULT;
1545                 break;
1546 
1547         case HCI_TIME_STAMP:
1548                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1549                         opt = 1;
1550                 else
1551                         opt = 0;
1552 
1553                 if (put_user(opt, optval))
1554                         err = -EFAULT;
1555                 break;
1556 
1557         case HCI_FILTER:
1558                 {
1559                         struct hci_filter *f = &hci_pi(sk)->filter;
1560 
1561                         memset(&uf, 0, sizeof(uf));
1562                         uf.type_mask = f->type_mask;
1563                         uf.opcode    = f->opcode;
1564                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1565                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1566                 }
1567 
1568                 len = min_t(unsigned int, len, sizeof(uf));
1569                 if (copy_to_user(optval, &uf, len))
1570                         err = -EFAULT;
1571                 break;
1572 
1573         default:
1574                 err = -ENOPROTOOPT;
1575                 break;
1576         }
1577 
1578 done:
1579         release_sock(sk);
1580         return err;
1581 }
1582 
1583 static const struct proto_ops hci_sock_ops = {
1584         .family         = PF_BLUETOOTH,
1585         .owner          = THIS_MODULE,
1586         .release        = hci_sock_release,
1587         .bind           = hci_sock_bind,
1588         .getname        = hci_sock_getname,
1589         .sendmsg        = hci_sock_sendmsg,
1590         .recvmsg        = hci_sock_recvmsg,
1591         .ioctl          = hci_sock_ioctl,
1592         .poll           = datagram_poll,
1593         .listen         = sock_no_listen,
1594         .shutdown       = sock_no_shutdown,
1595         .setsockopt     = hci_sock_setsockopt,
1596         .getsockopt     = hci_sock_getsockopt,
1597         .connect        = sock_no_connect,
1598         .socketpair     = sock_no_socketpair,
1599         .accept         = sock_no_accept,
1600         .mmap           = sock_no_mmap
1601 };
1602 
1603 static struct proto hci_sk_proto = {
1604         .name           = "HCI",
1605         .owner          = THIS_MODULE,
1606         .obj_size       = sizeof(struct hci_pinfo)
1607 };
1608 
1609 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1610                            int kern)
1611 {
1612         struct sock *sk;
1613 
1614         BT_DBG("sock %p", sock);
1615 
1616         if (sock->type != SOCK_RAW)
1617                 return -ESOCKTNOSUPPORT;
1618 
1619         sock->ops = &hci_sock_ops;
1620 
1621         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
1622         if (!sk)
1623                 return -ENOMEM;
1624 
1625         sock_init_data(sock, sk);
1626 
1627         sock_reset_flag(sk, SOCK_ZAPPED);
1628 
1629         sk->sk_protocol = protocol;
1630 
1631         sock->state = SS_UNCONNECTED;
1632         sk->sk_state = BT_OPEN;
1633 
1634         bt_sock_link(&hci_sk_list, sk);
1635         return 0;
1636 }
1637 
1638 static const struct net_proto_family hci_sock_family_ops = {
1639         .family = PF_BLUETOOTH,
1640         .owner  = THIS_MODULE,
1641         .create = hci_sock_create,
1642 };
1643 
1644 int __init hci_sock_init(void)
1645 {
1646         int err;
1647 
1648         BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
1649 
1650         err = proto_register(&hci_sk_proto, 0);
1651         if (err < 0)
1652                 return err;
1653 
1654         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1655         if (err < 0) {
1656                 BT_ERR("HCI socket registration failed");
1657                 goto error;
1658         }
1659 
1660         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1661         if (err < 0) {
1662                 BT_ERR("Failed to create HCI proc file");
1663                 bt_sock_unregister(BTPROTO_HCI);
1664                 goto error;
1665         }
1666 
1667         BT_INFO("HCI socket layer initialized");
1668 
1669         return 0;
1670 
1671 error:
1672         proto_unregister(&hci_sk_proto);
1673         return err;
1674 }
1675 
1676 void hci_sock_cleanup(void)
1677 {
1678         bt_procfs_cleanup(&init_net, "hci");
1679         bt_sock_unregister(BTPROTO_HCI);
1680         proto_unregister(&hci_sk_proto);
1681 }
1682 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp