Linux 5.7.7
[linux/fpc-iii.git] / net / bluetooth / hci_sock.c
blob9c4a093f89607620f7d4c0c633f3bec84f10f751
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI sockets. */
26 #include <linux/compat.h>
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <linux/sched.h>
30 #include <asm/unaligned.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/hci_mon.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "mgmt_util.h"
39 static LIST_HEAD(mgmt_chan_list);
40 static DEFINE_MUTEX(mgmt_chan_list_lock);
42 static DEFINE_IDA(sock_cookie_ida);
44 static atomic_t monitor_promisc = ATOMIC_INIT(0);
46 /* ----- HCI socket interface ----- */
48 /* Socket info */
49 #define hci_pi(sk) ((struct hci_pinfo *) sk)
51 struct hci_pinfo {
52 struct bt_sock bt;
53 struct hci_dev *hdev;
54 struct hci_filter filter;
55 __u32 cmsg_mask;
56 unsigned short channel;
57 unsigned long flags;
58 __u32 cookie;
59 char comm[TASK_COMM_LEN];
62 void hci_sock_set_flag(struct sock *sk, int nr)
64 set_bit(nr, &hci_pi(sk)->flags);
67 void hci_sock_clear_flag(struct sock *sk, int nr)
69 clear_bit(nr, &hci_pi(sk)->flags);
72 int hci_sock_test_flag(struct sock *sk, int nr)
74 return test_bit(nr, &hci_pi(sk)->flags);
77 unsigned short hci_sock_get_channel(struct sock *sk)
79 return hci_pi(sk)->channel;
82 u32 hci_sock_get_cookie(struct sock *sk)
84 return hci_pi(sk)->cookie;
87 static bool hci_sock_gen_cookie(struct sock *sk)
89 int id = hci_pi(sk)->cookie;
91 if (!id) {
92 id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL);
93 if (id < 0)
94 id = 0xffffffff;
96 hci_pi(sk)->cookie = id;
97 get_task_comm(hci_pi(sk)->comm, current);
98 return true;
101 return false;
104 static void hci_sock_free_cookie(struct sock *sk)
106 int id = hci_pi(sk)->cookie;
108 if (id) {
109 hci_pi(sk)->cookie = 0xffffffff;
110 ida_simple_remove(&sock_cookie_ida, id);
114 static inline int hci_test_bit(int nr, const void *addr)
116 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
119 /* Security filter */
120 #define HCI_SFLT_MAX_OGF 5
122 struct hci_sec_filter {
123 __u32 type_mask;
124 __u32 event_mask[2];
125 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
128 static const struct hci_sec_filter hci_sec_filter = {
129 /* Packet types */
130 0x10,
131 /* Events */
132 { 0x1000d9fe, 0x0000b00c },
133 /* Commands */
135 { 0x0 },
136 /* OGF_LINK_CTL */
137 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
138 /* OGF_LINK_POLICY */
139 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
140 /* OGF_HOST_CTL */
141 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
142 /* OGF_INFO_PARAM */
143 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
144 /* OGF_STATUS_PARAM */
145 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
149 static struct bt_sock_list hci_sk_list = {
150 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
153 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
155 struct hci_filter *flt;
156 int flt_type, flt_event;
158 /* Apply filter */
159 flt = &hci_pi(sk)->filter;
161 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
163 if (!test_bit(flt_type, &flt->type_mask))
164 return true;
166 /* Extra filter for event packets only */
167 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
168 return false;
170 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
172 if (!hci_test_bit(flt_event, &flt->event_mask))
173 return true;
175 /* Check filter only when opcode is set */
176 if (!flt->opcode)
177 return false;
179 if (flt_event == HCI_EV_CMD_COMPLETE &&
180 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
181 return true;
183 if (flt_event == HCI_EV_CMD_STATUS &&
184 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
185 return true;
187 return false;
190 /* Send frame to RAW socket */
191 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
193 struct sock *sk;
194 struct sk_buff *skb_copy = NULL;
196 BT_DBG("hdev %p len %d", hdev, skb->len);
198 read_lock(&hci_sk_list.lock);
200 sk_for_each(sk, &hci_sk_list.head) {
201 struct sk_buff *nskb;
203 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
204 continue;
206 /* Don't send frame to the socket it came from */
207 if (skb->sk == sk)
208 continue;
210 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
211 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
212 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
213 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
214 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
215 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
216 continue;
217 if (is_filtered_packet(sk, skb))
218 continue;
219 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
220 if (!bt_cb(skb)->incoming)
221 continue;
222 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
223 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
224 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
225 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
226 continue;
227 } else {
228 /* Don't send frame to other channel types */
229 continue;
232 if (!skb_copy) {
233 /* Create a private copy with headroom */
234 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
235 if (!skb_copy)
236 continue;
238 /* Put type byte before the data */
239 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
242 nskb = skb_clone(skb_copy, GFP_ATOMIC);
243 if (!nskb)
244 continue;
246 if (sock_queue_rcv_skb(sk, nskb))
247 kfree_skb(nskb);
250 read_unlock(&hci_sk_list.lock);
252 kfree_skb(skb_copy);
255 /* Send frame to sockets with specific channel */
256 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
257 int flag, struct sock *skip_sk)
259 struct sock *sk;
261 BT_DBG("channel %u len %d", channel, skb->len);
263 sk_for_each(sk, &hci_sk_list.head) {
264 struct sk_buff *nskb;
266 /* Ignore socket without the flag set */
267 if (!hci_sock_test_flag(sk, flag))
268 continue;
270 /* Skip the original socket */
271 if (sk == skip_sk)
272 continue;
274 if (sk->sk_state != BT_BOUND)
275 continue;
277 if (hci_pi(sk)->channel != channel)
278 continue;
280 nskb = skb_clone(skb, GFP_ATOMIC);
281 if (!nskb)
282 continue;
284 if (sock_queue_rcv_skb(sk, nskb))
285 kfree_skb(nskb);
290 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
291 int flag, struct sock *skip_sk)
293 read_lock(&hci_sk_list.lock);
294 __hci_send_to_channel(channel, skb, flag, skip_sk);
295 read_unlock(&hci_sk_list.lock);
298 /* Send frame to monitor socket */
299 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
301 struct sk_buff *skb_copy = NULL;
302 struct hci_mon_hdr *hdr;
303 __le16 opcode;
305 if (!atomic_read(&monitor_promisc))
306 return;
308 BT_DBG("hdev %p len %d", hdev, skb->len);
310 switch (hci_skb_pkt_type(skb)) {
311 case HCI_COMMAND_PKT:
312 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
313 break;
314 case HCI_EVENT_PKT:
315 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
316 break;
317 case HCI_ACLDATA_PKT:
318 if (bt_cb(skb)->incoming)
319 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
320 else
321 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
322 break;
323 case HCI_SCODATA_PKT:
324 if (bt_cb(skb)->incoming)
325 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
326 else
327 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
328 break;
329 case HCI_ISODATA_PKT:
330 if (bt_cb(skb)->incoming)
331 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT);
332 else
333 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT);
334 break;
335 case HCI_DIAG_PKT:
336 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
337 break;
338 default:
339 return;
342 /* Create a private copy with headroom */
343 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
344 if (!skb_copy)
345 return;
347 /* Put header before the data */
348 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE);
349 hdr->opcode = opcode;
350 hdr->index = cpu_to_le16(hdev->id);
351 hdr->len = cpu_to_le16(skb->len);
353 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
354 HCI_SOCK_TRUSTED, NULL);
355 kfree_skb(skb_copy);
358 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
359 void *data, u16 data_len, ktime_t tstamp,
360 int flag, struct sock *skip_sk)
362 struct sock *sk;
363 __le16 index;
365 if (hdev)
366 index = cpu_to_le16(hdev->id);
367 else
368 index = cpu_to_le16(MGMT_INDEX_NONE);
370 read_lock(&hci_sk_list.lock);
372 sk_for_each(sk, &hci_sk_list.head) {
373 struct hci_mon_hdr *hdr;
374 struct sk_buff *skb;
376 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
377 continue;
379 /* Ignore socket without the flag set */
380 if (!hci_sock_test_flag(sk, flag))
381 continue;
383 /* Skip the original socket */
384 if (sk == skip_sk)
385 continue;
387 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
388 if (!skb)
389 continue;
391 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
392 put_unaligned_le16(event, skb_put(skb, 2));
394 if (data)
395 skb_put_data(skb, data, data_len);
397 skb->tstamp = tstamp;
399 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
400 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
401 hdr->index = index;
402 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
404 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
405 HCI_SOCK_TRUSTED, NULL);
406 kfree_skb(skb);
409 read_unlock(&hci_sk_list.lock);
412 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
414 struct hci_mon_hdr *hdr;
415 struct hci_mon_new_index *ni;
416 struct hci_mon_index_info *ii;
417 struct sk_buff *skb;
418 __le16 opcode;
420 switch (event) {
421 case HCI_DEV_REG:
422 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
423 if (!skb)
424 return NULL;
426 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
427 ni->type = hdev->dev_type;
428 ni->bus = hdev->bus;
429 bacpy(&ni->bdaddr, &hdev->bdaddr);
430 memcpy(ni->name, hdev->name, 8);
432 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
433 break;
435 case HCI_DEV_UNREG:
436 skb = bt_skb_alloc(0, GFP_ATOMIC);
437 if (!skb)
438 return NULL;
440 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
441 break;
443 case HCI_DEV_SETUP:
444 if (hdev->manufacturer == 0xffff)
445 return NULL;
447 /* fall through */
449 case HCI_DEV_UP:
450 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
451 if (!skb)
452 return NULL;
454 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
455 bacpy(&ii->bdaddr, &hdev->bdaddr);
456 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
458 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
459 break;
461 case HCI_DEV_OPEN:
462 skb = bt_skb_alloc(0, GFP_ATOMIC);
463 if (!skb)
464 return NULL;
466 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
467 break;
469 case HCI_DEV_CLOSE:
470 skb = bt_skb_alloc(0, GFP_ATOMIC);
471 if (!skb)
472 return NULL;
474 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
475 break;
477 default:
478 return NULL;
481 __net_timestamp(skb);
483 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
484 hdr->opcode = opcode;
485 hdr->index = cpu_to_le16(hdev->id);
486 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
488 return skb;
491 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
493 struct hci_mon_hdr *hdr;
494 struct sk_buff *skb;
495 u16 format;
496 u8 ver[3];
497 u32 flags;
499 /* No message needed when cookie is not present */
500 if (!hci_pi(sk)->cookie)
501 return NULL;
503 switch (hci_pi(sk)->channel) {
504 case HCI_CHANNEL_RAW:
505 format = 0x0000;
506 ver[0] = BT_SUBSYS_VERSION;
507 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
508 break;
509 case HCI_CHANNEL_USER:
510 format = 0x0001;
511 ver[0] = BT_SUBSYS_VERSION;
512 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
513 break;
514 case HCI_CHANNEL_CONTROL:
515 format = 0x0002;
516 mgmt_fill_version_info(ver);
517 break;
518 default:
519 /* No message for unsupported format */
520 return NULL;
523 skb = bt_skb_alloc(14 + TASK_COMM_LEN , GFP_ATOMIC);
524 if (!skb)
525 return NULL;
527 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;
529 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
530 put_unaligned_le16(format, skb_put(skb, 2));
531 skb_put_data(skb, ver, sizeof(ver));
532 put_unaligned_le32(flags, skb_put(skb, 4));
533 skb_put_u8(skb, TASK_COMM_LEN);
534 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN);
536 __net_timestamp(skb);
538 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
539 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
540 if (hci_pi(sk)->hdev)
541 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
542 else
543 hdr->index = cpu_to_le16(HCI_DEV_NONE);
544 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
546 return skb;
549 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
551 struct hci_mon_hdr *hdr;
552 struct sk_buff *skb;
554 /* No message needed when cookie is not present */
555 if (!hci_pi(sk)->cookie)
556 return NULL;
558 switch (hci_pi(sk)->channel) {
559 case HCI_CHANNEL_RAW:
560 case HCI_CHANNEL_USER:
561 case HCI_CHANNEL_CONTROL:
562 break;
563 default:
564 /* No message for unsupported format */
565 return NULL;
568 skb = bt_skb_alloc(4, GFP_ATOMIC);
569 if (!skb)
570 return NULL;
572 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
574 __net_timestamp(skb);
576 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
577 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
578 if (hci_pi(sk)->hdev)
579 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
580 else
581 hdr->index = cpu_to_le16(HCI_DEV_NONE);
582 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
584 return skb;
587 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
588 u16 opcode, u16 len,
589 const void *buf)
591 struct hci_mon_hdr *hdr;
592 struct sk_buff *skb;
594 skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
595 if (!skb)
596 return NULL;
598 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
599 put_unaligned_le16(opcode, skb_put(skb, 2));
601 if (buf)
602 skb_put_data(skb, buf, len);
604 __net_timestamp(skb);
606 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
607 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
608 hdr->index = cpu_to_le16(index);
609 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
611 return skb;
614 static void __printf(2, 3)
615 send_monitor_note(struct sock *sk, const char *fmt, ...)
617 size_t len;
618 struct hci_mon_hdr *hdr;
619 struct sk_buff *skb;
620 va_list args;
622 va_start(args, fmt);
623 len = vsnprintf(NULL, 0, fmt, args);
624 va_end(args);
626 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
627 if (!skb)
628 return;
630 va_start(args, fmt);
631 vsprintf(skb_put(skb, len), fmt, args);
632 *(u8 *)skb_put(skb, 1) = 0;
633 va_end(args);
635 __net_timestamp(skb);
637 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
638 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
639 hdr->index = cpu_to_le16(HCI_DEV_NONE);
640 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
642 if (sock_queue_rcv_skb(sk, skb))
643 kfree_skb(skb);
646 static void send_monitor_replay(struct sock *sk)
648 struct hci_dev *hdev;
650 read_lock(&hci_dev_list_lock);
652 list_for_each_entry(hdev, &hci_dev_list, list) {
653 struct sk_buff *skb;
655 skb = create_monitor_event(hdev, HCI_DEV_REG);
656 if (!skb)
657 continue;
659 if (sock_queue_rcv_skb(sk, skb))
660 kfree_skb(skb);
662 if (!test_bit(HCI_RUNNING, &hdev->flags))
663 continue;
665 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
666 if (!skb)
667 continue;
669 if (sock_queue_rcv_skb(sk, skb))
670 kfree_skb(skb);
672 if (test_bit(HCI_UP, &hdev->flags))
673 skb = create_monitor_event(hdev, HCI_DEV_UP);
674 else if (hci_dev_test_flag(hdev, HCI_SETUP))
675 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
676 else
677 skb = NULL;
679 if (skb) {
680 if (sock_queue_rcv_skb(sk, skb))
681 kfree_skb(skb);
685 read_unlock(&hci_dev_list_lock);
688 static void send_monitor_control_replay(struct sock *mon_sk)
690 struct sock *sk;
692 read_lock(&hci_sk_list.lock);
694 sk_for_each(sk, &hci_sk_list.head) {
695 struct sk_buff *skb;
697 skb = create_monitor_ctrl_open(sk);
698 if (!skb)
699 continue;
701 if (sock_queue_rcv_skb(mon_sk, skb))
702 kfree_skb(skb);
705 read_unlock(&hci_sk_list.lock);
708 /* Generate internal stack event */
709 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
711 struct hci_event_hdr *hdr;
712 struct hci_ev_stack_internal *ev;
713 struct sk_buff *skb;
715 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
716 if (!skb)
717 return;
719 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE);
720 hdr->evt = HCI_EV_STACK_INTERNAL;
721 hdr->plen = sizeof(*ev) + dlen;
723 ev = skb_put(skb, sizeof(*ev) + dlen);
724 ev->type = type;
725 memcpy(ev->data, data, dlen);
727 bt_cb(skb)->incoming = 1;
728 __net_timestamp(skb);
730 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
731 hci_send_to_sock(hdev, skb);
732 kfree_skb(skb);
735 void hci_sock_dev_event(struct hci_dev *hdev, int event)
737 BT_DBG("hdev %s event %d", hdev->name, event);
739 if (atomic_read(&monitor_promisc)) {
740 struct sk_buff *skb;
742 /* Send event to monitor */
743 skb = create_monitor_event(hdev, event);
744 if (skb) {
745 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
746 HCI_SOCK_TRUSTED, NULL);
747 kfree_skb(skb);
751 if (event <= HCI_DEV_DOWN) {
752 struct hci_ev_si_device ev;
754 /* Send event to sockets */
755 ev.event = event;
756 ev.dev_id = hdev->id;
757 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
760 if (event == HCI_DEV_UNREG) {
761 struct sock *sk;
763 /* Detach sockets from device */
764 read_lock(&hci_sk_list.lock);
765 sk_for_each(sk, &hci_sk_list.head) {
766 bh_lock_sock_nested(sk);
767 if (hci_pi(sk)->hdev == hdev) {
768 hci_pi(sk)->hdev = NULL;
769 sk->sk_err = EPIPE;
770 sk->sk_state = BT_OPEN;
771 sk->sk_state_change(sk);
773 hci_dev_put(hdev);
775 bh_unlock_sock(sk);
777 read_unlock(&hci_sk_list.lock);
781 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
783 struct hci_mgmt_chan *c;
785 list_for_each_entry(c, &mgmt_chan_list, list) {
786 if (c->channel == channel)
787 return c;
790 return NULL;
793 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
795 struct hci_mgmt_chan *c;
797 mutex_lock(&mgmt_chan_list_lock);
798 c = __hci_mgmt_chan_find(channel);
799 mutex_unlock(&mgmt_chan_list_lock);
801 return c;
804 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
806 if (c->channel < HCI_CHANNEL_CONTROL)
807 return -EINVAL;
809 mutex_lock(&mgmt_chan_list_lock);
810 if (__hci_mgmt_chan_find(c->channel)) {
811 mutex_unlock(&mgmt_chan_list_lock);
812 return -EALREADY;
815 list_add_tail(&c->list, &mgmt_chan_list);
817 mutex_unlock(&mgmt_chan_list_lock);
819 return 0;
821 EXPORT_SYMBOL(hci_mgmt_chan_register);
823 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
825 mutex_lock(&mgmt_chan_list_lock);
826 list_del(&c->list);
827 mutex_unlock(&mgmt_chan_list_lock);
829 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
831 static int hci_sock_release(struct socket *sock)
833 struct sock *sk = sock->sk;
834 struct hci_dev *hdev;
835 struct sk_buff *skb;
837 BT_DBG("sock %p sk %p", sock, sk);
839 if (!sk)
840 return 0;
842 lock_sock(sk);
844 switch (hci_pi(sk)->channel) {
845 case HCI_CHANNEL_MONITOR:
846 atomic_dec(&monitor_promisc);
847 break;
848 case HCI_CHANNEL_RAW:
849 case HCI_CHANNEL_USER:
850 case HCI_CHANNEL_CONTROL:
851 /* Send event to monitor */
852 skb = create_monitor_ctrl_close(sk);
853 if (skb) {
854 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
855 HCI_SOCK_TRUSTED, NULL);
856 kfree_skb(skb);
859 hci_sock_free_cookie(sk);
860 break;
863 bt_sock_unlink(&hci_sk_list, sk);
865 hdev = hci_pi(sk)->hdev;
866 if (hdev) {
867 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
868 /* When releasing a user channel exclusive access,
869 * call hci_dev_do_close directly instead of calling
870 * hci_dev_close to ensure the exclusive access will
871 * be released and the controller brought back down.
873 * The checking of HCI_AUTO_OFF is not needed in this
874 * case since it will have been cleared already when
875 * opening the user channel.
877 hci_dev_do_close(hdev);
878 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
879 mgmt_index_added(hdev);
882 atomic_dec(&hdev->promisc);
883 hci_dev_put(hdev);
886 sock_orphan(sk);
888 skb_queue_purge(&sk->sk_receive_queue);
889 skb_queue_purge(&sk->sk_write_queue);
891 release_sock(sk);
892 sock_put(sk);
893 return 0;
896 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
898 bdaddr_t bdaddr;
899 int err;
901 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
902 return -EFAULT;
904 hci_dev_lock(hdev);
906 err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
908 hci_dev_unlock(hdev);
910 return err;
913 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
915 bdaddr_t bdaddr;
916 int err;
918 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
919 return -EFAULT;
921 hci_dev_lock(hdev);
923 err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR);
925 hci_dev_unlock(hdev);
927 return err;
930 /* Ioctls that require bound socket */
931 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
932 unsigned long arg)
934 struct hci_dev *hdev = hci_pi(sk)->hdev;
936 if (!hdev)
937 return -EBADFD;
939 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
940 return -EBUSY;
942 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
943 return -EOPNOTSUPP;
945 if (hdev->dev_type != HCI_PRIMARY)
946 return -EOPNOTSUPP;
948 switch (cmd) {
949 case HCISETRAW:
950 if (!capable(CAP_NET_ADMIN))
951 return -EPERM;
952 return -EOPNOTSUPP;
954 case HCIGETCONNINFO:
955 return hci_get_conn_info(hdev, (void __user *)arg);
957 case HCIGETAUTHINFO:
958 return hci_get_auth_info(hdev, (void __user *)arg);
960 case HCIBLOCKADDR:
961 if (!capable(CAP_NET_ADMIN))
962 return -EPERM;
963 return hci_sock_blacklist_add(hdev, (void __user *)arg);
965 case HCIUNBLOCKADDR:
966 if (!capable(CAP_NET_ADMIN))
967 return -EPERM;
968 return hci_sock_blacklist_del(hdev, (void __user *)arg);
971 return -ENOIOCTLCMD;
974 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
975 unsigned long arg)
977 void __user *argp = (void __user *)arg;
978 struct sock *sk = sock->sk;
979 int err;
981 BT_DBG("cmd %x arg %lx", cmd, arg);
983 lock_sock(sk);
985 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
986 err = -EBADFD;
987 goto done;
990 /* When calling an ioctl on an unbound raw socket, then ensure
991 * that the monitor gets informed. Ensure that the resulting event
992 * is only send once by checking if the cookie exists or not. The
993 * socket cookie will be only ever generated once for the lifetime
994 * of a given socket.
996 if (hci_sock_gen_cookie(sk)) {
997 struct sk_buff *skb;
999 if (capable(CAP_NET_ADMIN))
1000 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1002 /* Send event to monitor */
1003 skb = create_monitor_ctrl_open(sk);
1004 if (skb) {
1005 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1006 HCI_SOCK_TRUSTED, NULL);
1007 kfree_skb(skb);
1011 release_sock(sk);
1013 switch (cmd) {
1014 case HCIGETDEVLIST:
1015 return hci_get_dev_list(argp);
1017 case HCIGETDEVINFO:
1018 return hci_get_dev_info(argp);
1020 case HCIGETCONNLIST:
1021 return hci_get_conn_list(argp);
1023 case HCIDEVUP:
1024 if (!capable(CAP_NET_ADMIN))
1025 return -EPERM;
1026 return hci_dev_open(arg);
1028 case HCIDEVDOWN:
1029 if (!capable(CAP_NET_ADMIN))
1030 return -EPERM;
1031 return hci_dev_close(arg);
1033 case HCIDEVRESET:
1034 if (!capable(CAP_NET_ADMIN))
1035 return -EPERM;
1036 return hci_dev_reset(arg);
1038 case HCIDEVRESTAT:
1039 if (!capable(CAP_NET_ADMIN))
1040 return -EPERM;
1041 return hci_dev_reset_stat(arg);
1043 case HCISETSCAN:
1044 case HCISETAUTH:
1045 case HCISETENCRYPT:
1046 case HCISETPTYPE:
1047 case HCISETLINKPOL:
1048 case HCISETLINKMODE:
1049 case HCISETACLMTU:
1050 case HCISETSCOMTU:
1051 if (!capable(CAP_NET_ADMIN))
1052 return -EPERM;
1053 return hci_dev_cmd(cmd, argp);
1055 case HCIINQUIRY:
1056 return hci_inquiry(argp);
1059 lock_sock(sk);
1061 err = hci_sock_bound_ioctl(sk, cmd, arg);
1063 done:
1064 release_sock(sk);
1065 return err;
1068 #ifdef CONFIG_COMPAT
1069 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd,
1070 unsigned long arg)
1072 switch (cmd) {
1073 case HCIDEVUP:
1074 case HCIDEVDOWN:
1075 case HCIDEVRESET:
1076 case HCIDEVRESTAT:
1077 return hci_sock_ioctl(sock, cmd, arg);
1080 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
1082 #endif
1084 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1085 int addr_len)
1087 struct sockaddr_hci haddr;
1088 struct sock *sk = sock->sk;
1089 struct hci_dev *hdev = NULL;
1090 struct sk_buff *skb;
1091 int len, err = 0;
1093 BT_DBG("sock %p sk %p", sock, sk);
1095 if (!addr)
1096 return -EINVAL;
1098 memset(&haddr, 0, sizeof(haddr));
1099 len = min_t(unsigned int, sizeof(haddr), addr_len);
1100 memcpy(&haddr, addr, len);
1102 if (haddr.hci_family != AF_BLUETOOTH)
1103 return -EINVAL;
1105 lock_sock(sk);
1107 if (sk->sk_state == BT_BOUND) {
1108 err = -EALREADY;
1109 goto done;
1112 switch (haddr.hci_channel) {
1113 case HCI_CHANNEL_RAW:
1114 if (hci_pi(sk)->hdev) {
1115 err = -EALREADY;
1116 goto done;
1119 if (haddr.hci_dev != HCI_DEV_NONE) {
1120 hdev = hci_dev_get(haddr.hci_dev);
1121 if (!hdev) {
1122 err = -ENODEV;
1123 goto done;
1126 atomic_inc(&hdev->promisc);
1129 hci_pi(sk)->channel = haddr.hci_channel;
1131 if (!hci_sock_gen_cookie(sk)) {
1132 /* In the case when a cookie has already been assigned,
1133 * then there has been already an ioctl issued against
1134 * an unbound socket and with that triggerd an open
1135 * notification. Send a close notification first to
1136 * allow the state transition to bounded.
1138 skb = create_monitor_ctrl_close(sk);
1139 if (skb) {
1140 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1141 HCI_SOCK_TRUSTED, NULL);
1142 kfree_skb(skb);
1146 if (capable(CAP_NET_ADMIN))
1147 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1149 hci_pi(sk)->hdev = hdev;
1151 /* Send event to monitor */
1152 skb = create_monitor_ctrl_open(sk);
1153 if (skb) {
1154 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1155 HCI_SOCK_TRUSTED, NULL);
1156 kfree_skb(skb);
1158 break;
1160 case HCI_CHANNEL_USER:
1161 if (hci_pi(sk)->hdev) {
1162 err = -EALREADY;
1163 goto done;
1166 if (haddr.hci_dev == HCI_DEV_NONE) {
1167 err = -EINVAL;
1168 goto done;
1171 if (!capable(CAP_NET_ADMIN)) {
1172 err = -EPERM;
1173 goto done;
1176 hdev = hci_dev_get(haddr.hci_dev);
1177 if (!hdev) {
1178 err = -ENODEV;
1179 goto done;
1182 if (test_bit(HCI_INIT, &hdev->flags) ||
1183 hci_dev_test_flag(hdev, HCI_SETUP) ||
1184 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1185 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1186 test_bit(HCI_UP, &hdev->flags))) {
1187 err = -EBUSY;
1188 hci_dev_put(hdev);
1189 goto done;
1192 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1193 err = -EUSERS;
1194 hci_dev_put(hdev);
1195 goto done;
1198 mgmt_index_removed(hdev);
1200 err = hci_dev_open(hdev->id);
1201 if (err) {
1202 if (err == -EALREADY) {
1203 /* In case the transport is already up and
1204 * running, clear the error here.
1206 * This can happen when opening a user
1207 * channel and HCI_AUTO_OFF grace period
1208 * is still active.
1210 err = 0;
1211 } else {
1212 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1213 mgmt_index_added(hdev);
1214 hci_dev_put(hdev);
1215 goto done;
1219 hci_pi(sk)->channel = haddr.hci_channel;
1221 if (!hci_sock_gen_cookie(sk)) {
1222 /* In the case when a cookie has already been assigned,
1223 * this socket will transition from a raw socket into
1224 * a user channel socket. For a clean transition, send
1225 * the close notification first.
1227 skb = create_monitor_ctrl_close(sk);
1228 if (skb) {
1229 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1230 HCI_SOCK_TRUSTED, NULL);
1231 kfree_skb(skb);
1235 /* The user channel is restricted to CAP_NET_ADMIN
1236 * capabilities and with that implicitly trusted.
1238 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1240 hci_pi(sk)->hdev = hdev;
1242 /* Send event to monitor */
1243 skb = create_monitor_ctrl_open(sk);
1244 if (skb) {
1245 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1246 HCI_SOCK_TRUSTED, NULL);
1247 kfree_skb(skb);
1250 atomic_inc(&hdev->promisc);
1251 break;
1253 case HCI_CHANNEL_MONITOR:
1254 if (haddr.hci_dev != HCI_DEV_NONE) {
1255 err = -EINVAL;
1256 goto done;
1259 if (!capable(CAP_NET_RAW)) {
1260 err = -EPERM;
1261 goto done;
1264 hci_pi(sk)->channel = haddr.hci_channel;
1266 /* The monitor interface is restricted to CAP_NET_RAW
1267 * capabilities and with that implicitly trusted.
1269 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1271 send_monitor_note(sk, "Linux version %s (%s)",
1272 init_utsname()->release,
1273 init_utsname()->machine);
1274 send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1275 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1276 send_monitor_replay(sk);
1277 send_monitor_control_replay(sk);
1279 atomic_inc(&monitor_promisc);
1280 break;
1282 case HCI_CHANNEL_LOGGING:
1283 if (haddr.hci_dev != HCI_DEV_NONE) {
1284 err = -EINVAL;
1285 goto done;
1288 if (!capable(CAP_NET_ADMIN)) {
1289 err = -EPERM;
1290 goto done;
1293 hci_pi(sk)->channel = haddr.hci_channel;
1294 break;
1296 default:
1297 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1298 err = -EINVAL;
1299 goto done;
1302 if (haddr.hci_dev != HCI_DEV_NONE) {
1303 err = -EINVAL;
1304 goto done;
1307 /* Users with CAP_NET_ADMIN capabilities are allowed
1308 * access to all management commands and events. For
1309 * untrusted users the interface is restricted and
1310 * also only untrusted events are sent.
1312 if (capable(CAP_NET_ADMIN))
1313 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1315 hci_pi(sk)->channel = haddr.hci_channel;
1317 /* At the moment the index and unconfigured index events
1318 * are enabled unconditionally. Setting them on each
1319 * socket when binding keeps this functionality. They
1320 * however might be cleared later and then sending of these
1321 * events will be disabled, but that is then intentional.
1323 * This also enables generic events that are safe to be
1324 * received by untrusted users. Example for such events
1325 * are changes to settings, class of device, name etc.
1327 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1328 if (!hci_sock_gen_cookie(sk)) {
1329 /* In the case when a cookie has already been
1330 * assigned, this socket will transtion from
1331 * a raw socket into a control socket. To
1332 * allow for a clean transtion, send the
1333 * close notification first.
1335 skb = create_monitor_ctrl_close(sk);
1336 if (skb) {
1337 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1338 HCI_SOCK_TRUSTED, NULL);
1339 kfree_skb(skb);
1343 /* Send event to monitor */
1344 skb = create_monitor_ctrl_open(sk);
1345 if (skb) {
1346 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1347 HCI_SOCK_TRUSTED, NULL);
1348 kfree_skb(skb);
1351 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1352 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1353 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1354 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1355 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1356 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1358 break;
1361 sk->sk_state = BT_BOUND;
1363 done:
1364 release_sock(sk);
1365 return err;
1368 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
1369 int peer)
1371 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
1372 struct sock *sk = sock->sk;
1373 struct hci_dev *hdev;
1374 int err = 0;
1376 BT_DBG("sock %p sk %p", sock, sk);
1378 if (peer)
1379 return -EOPNOTSUPP;
1381 lock_sock(sk);
1383 hdev = hci_pi(sk)->hdev;
1384 if (!hdev) {
1385 err = -EBADFD;
1386 goto done;
1389 haddr->hci_family = AF_BLUETOOTH;
1390 haddr->hci_dev = hdev->id;
1391 haddr->hci_channel= hci_pi(sk)->channel;
1392 err = sizeof(*haddr);
1394 done:
1395 release_sock(sk);
1396 return err;
1399 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1400 struct sk_buff *skb)
1402 __u32 mask = hci_pi(sk)->cmsg_mask;
1404 if (mask & HCI_CMSG_DIR) {
1405 int incoming = bt_cb(skb)->incoming;
1406 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1407 &incoming);
1410 if (mask & HCI_CMSG_TSTAMP) {
1411 #ifdef CONFIG_COMPAT
1412 struct old_timeval32 ctv;
1413 #endif
1414 struct __kernel_old_timeval tv;
1415 void *data;
1416 int len;
1418 skb_get_timestamp(skb, &tv);
1420 data = &tv;
1421 len = sizeof(tv);
1422 #ifdef CONFIG_COMPAT
1423 if (!COMPAT_USE_64BIT_TIME &&
1424 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1425 ctv.tv_sec = tv.tv_sec;
1426 ctv.tv_usec = tv.tv_usec;
1427 data = &ctv;
1428 len = sizeof(ctv);
1430 #endif
1432 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1436 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1437 size_t len, int flags)
1439 int noblock = flags & MSG_DONTWAIT;
1440 struct sock *sk = sock->sk;
1441 struct sk_buff *skb;
1442 int copied, err;
1443 unsigned int skblen;
1445 BT_DBG("sock %p, sk %p", sock, sk);
1447 if (flags & MSG_OOB)
1448 return -EOPNOTSUPP;
1450 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1451 return -EOPNOTSUPP;
1453 if (sk->sk_state == BT_CLOSED)
1454 return 0;
1456 skb = skb_recv_datagram(sk, flags, noblock, &err);
1457 if (!skb)
1458 return err;
1460 skblen = skb->len;
1461 copied = skb->len;
1462 if (len < copied) {
1463 msg->msg_flags |= MSG_TRUNC;
1464 copied = len;
1467 skb_reset_transport_header(skb);
1468 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1470 switch (hci_pi(sk)->channel) {
1471 case HCI_CHANNEL_RAW:
1472 hci_sock_cmsg(sk, msg, skb);
1473 break;
1474 case HCI_CHANNEL_USER:
1475 case HCI_CHANNEL_MONITOR:
1476 sock_recv_timestamp(msg, sk, skb);
1477 break;
1478 default:
1479 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1480 sock_recv_timestamp(msg, sk, skb);
1481 break;
1484 skb_free_datagram(sk, skb);
1486 if (flags & MSG_TRUNC)
1487 copied = skblen;
1489 return err ? : copied;
1492 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1493 struct msghdr *msg, size_t msglen)
1495 void *buf;
1496 u8 *cp;
1497 struct mgmt_hdr *hdr;
1498 u16 opcode, index, len;
1499 struct hci_dev *hdev = NULL;
1500 const struct hci_mgmt_handler *handler;
1501 bool var_len, no_hdev;
1502 int err;
1504 BT_DBG("got %zu bytes", msglen);
1506 if (msglen < sizeof(*hdr))
1507 return -EINVAL;
1509 buf = kmalloc(msglen, GFP_KERNEL);
1510 if (!buf)
1511 return -ENOMEM;
1513 if (memcpy_from_msg(buf, msg, msglen)) {
1514 err = -EFAULT;
1515 goto done;
1518 hdr = buf;
1519 opcode = __le16_to_cpu(hdr->opcode);
1520 index = __le16_to_cpu(hdr->index);
1521 len = __le16_to_cpu(hdr->len);
1523 if (len != msglen - sizeof(*hdr)) {
1524 err = -EINVAL;
1525 goto done;
1528 if (chan->channel == HCI_CHANNEL_CONTROL) {
1529 struct sk_buff *skb;
1531 /* Send event to monitor */
1532 skb = create_monitor_ctrl_command(sk, index, opcode, len,
1533 buf + sizeof(*hdr));
1534 if (skb) {
1535 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1536 HCI_SOCK_TRUSTED, NULL);
1537 kfree_skb(skb);
1541 if (opcode >= chan->handler_count ||
1542 chan->handlers[opcode].func == NULL) {
1543 BT_DBG("Unknown op %u", opcode);
1544 err = mgmt_cmd_status(sk, index, opcode,
1545 MGMT_STATUS_UNKNOWN_COMMAND);
1546 goto done;
1549 handler = &chan->handlers[opcode];
1551 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1552 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1553 err = mgmt_cmd_status(sk, index, opcode,
1554 MGMT_STATUS_PERMISSION_DENIED);
1555 goto done;
1558 if (index != MGMT_INDEX_NONE) {
1559 hdev = hci_dev_get(index);
1560 if (!hdev) {
1561 err = mgmt_cmd_status(sk, index, opcode,
1562 MGMT_STATUS_INVALID_INDEX);
1563 goto done;
1566 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1567 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1568 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1569 err = mgmt_cmd_status(sk, index, opcode,
1570 MGMT_STATUS_INVALID_INDEX);
1571 goto done;
1574 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1575 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1576 err = mgmt_cmd_status(sk, index, opcode,
1577 MGMT_STATUS_INVALID_INDEX);
1578 goto done;
1582 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1583 if (no_hdev != !hdev) {
1584 err = mgmt_cmd_status(sk, index, opcode,
1585 MGMT_STATUS_INVALID_INDEX);
1586 goto done;
1589 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1590 if ((var_len && len < handler->data_len) ||
1591 (!var_len && len != handler->data_len)) {
1592 err = mgmt_cmd_status(sk, index, opcode,
1593 MGMT_STATUS_INVALID_PARAMS);
1594 goto done;
1597 if (hdev && chan->hdev_init)
1598 chan->hdev_init(sk, hdev);
1600 cp = buf + sizeof(*hdr);
1602 err = handler->func(sk, hdev, cp, len);
1603 if (err < 0)
1604 goto done;
1606 err = msglen;
1608 done:
1609 if (hdev)
1610 hci_dev_put(hdev);
1612 kfree(buf);
1613 return err;
1616 static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len)
1618 struct hci_mon_hdr *hdr;
1619 struct sk_buff *skb;
1620 struct hci_dev *hdev;
1621 u16 index;
1622 int err;
1624 /* The logging frame consists at minimum of the standard header,
1625 * the priority byte, the ident length byte and at least one string
1626 * terminator NUL byte. Anything shorter are invalid packets.
1628 if (len < sizeof(*hdr) + 3)
1629 return -EINVAL;
1631 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1632 if (!skb)
1633 return err;
1635 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1636 err = -EFAULT;
1637 goto drop;
1640 hdr = (void *)skb->data;
1642 if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) {
1643 err = -EINVAL;
1644 goto drop;
1647 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1648 __u8 priority = skb->data[sizeof(*hdr)];
1649 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1651 /* Only the priorities 0-7 are valid and with that any other
1652 * value results in an invalid packet.
1654 * The priority byte is followed by an ident length byte and
1655 * the NUL terminated ident string. Check that the ident
1656 * length is not overflowing the packet and also that the
1657 * ident string itself is NUL terminated. In case the ident
1658 * length is zero, the length value actually doubles as NUL
1659 * terminator identifier.
1661 * The message follows the ident string (if present) and
1662 * must be NUL terminated. Otherwise it is not a valid packet.
1664 if (priority > 7 || skb->data[len - 1] != 0x00 ||
1665 ident_len > len - sizeof(*hdr) - 3 ||
1666 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) {
1667 err = -EINVAL;
1668 goto drop;
1670 } else {
1671 err = -EINVAL;
1672 goto drop;
1675 index = __le16_to_cpu(hdr->index);
1677 if (index != MGMT_INDEX_NONE) {
1678 hdev = hci_dev_get(index);
1679 if (!hdev) {
1680 err = -ENODEV;
1681 goto drop;
1683 } else {
1684 hdev = NULL;
1687 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1689 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1690 err = len;
1692 if (hdev)
1693 hci_dev_put(hdev);
1695 drop:
1696 kfree_skb(skb);
1697 return err;
1700 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1701 size_t len)
1703 struct sock *sk = sock->sk;
1704 struct hci_mgmt_chan *chan;
1705 struct hci_dev *hdev;
1706 struct sk_buff *skb;
1707 int err;
1709 BT_DBG("sock %p sk %p", sock, sk);
1711 if (msg->msg_flags & MSG_OOB)
1712 return -EOPNOTSUPP;
1714 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE|
1715 MSG_CMSG_COMPAT))
1716 return -EINVAL;
1718 if (len < 4 || len > HCI_MAX_FRAME_SIZE)
1719 return -EINVAL;
1721 lock_sock(sk);
1723 switch (hci_pi(sk)->channel) {
1724 case HCI_CHANNEL_RAW:
1725 case HCI_CHANNEL_USER:
1726 break;
1727 case HCI_CHANNEL_MONITOR:
1728 err = -EOPNOTSUPP;
1729 goto done;
1730 case HCI_CHANNEL_LOGGING:
1731 err = hci_logging_frame(sk, msg, len);
1732 goto done;
1733 default:
1734 mutex_lock(&mgmt_chan_list_lock);
1735 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1736 if (chan)
1737 err = hci_mgmt_cmd(chan, sk, msg, len);
1738 else
1739 err = -EINVAL;
1741 mutex_unlock(&mgmt_chan_list_lock);
1742 goto done;
1745 hdev = hci_pi(sk)->hdev;
1746 if (!hdev) {
1747 err = -EBADFD;
1748 goto done;
1751 if (!test_bit(HCI_UP, &hdev->flags)) {
1752 err = -ENETDOWN;
1753 goto done;
1756 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
1757 if (!skb)
1758 goto done;
1760 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
1761 err = -EFAULT;
1762 goto drop;
1765 hci_skb_pkt_type(skb) = skb->data[0];
1766 skb_pull(skb, 1);
1768 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1769 /* No permission check is needed for user channel
1770 * since that gets enforced when binding the socket.
1772 * However check that the packet type is valid.
1774 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1775 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1776 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1777 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1778 err = -EINVAL;
1779 goto drop;
1782 skb_queue_tail(&hdev->raw_q, skb);
1783 queue_work(hdev->workqueue, &hdev->tx_work);
1784 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1785 u16 opcode = get_unaligned_le16(skb->data);
1786 u16 ogf = hci_opcode_ogf(opcode);
1787 u16 ocf = hci_opcode_ocf(opcode);
1789 if (((ogf > HCI_SFLT_MAX_OGF) ||
1790 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1791 &hci_sec_filter.ocf_mask[ogf])) &&
1792 !capable(CAP_NET_RAW)) {
1793 err = -EPERM;
1794 goto drop;
1797 /* Since the opcode has already been extracted here, store
1798 * a copy of the value for later use by the drivers.
1800 hci_skb_opcode(skb) = opcode;
1802 if (ogf == 0x3f) {
1803 skb_queue_tail(&hdev->raw_q, skb);
1804 queue_work(hdev->workqueue, &hdev->tx_work);
1805 } else {
1806 /* Stand-alone HCI commands must be flagged as
1807 * single-command requests.
1809 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1811 skb_queue_tail(&hdev->cmd_q, skb);
1812 queue_work(hdev->workqueue, &hdev->cmd_work);
1814 } else {
1815 if (!capable(CAP_NET_RAW)) {
1816 err = -EPERM;
1817 goto drop;
1820 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1821 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1822 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1823 err = -EINVAL;
1824 goto drop;
1827 skb_queue_tail(&hdev->raw_q, skb);
1828 queue_work(hdev->workqueue, &hdev->tx_work);
1831 err = len;
1833 done:
1834 release_sock(sk);
1835 return err;
1837 drop:
1838 kfree_skb(skb);
1839 goto done;
1842 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1843 char __user *optval, unsigned int len)
1845 struct hci_ufilter uf = { .opcode = 0 };
1846 struct sock *sk = sock->sk;
1847 int err = 0, opt = 0;
1849 BT_DBG("sk %p, opt %d", sk, optname);
1851 if (level != SOL_HCI)
1852 return -ENOPROTOOPT;
1854 lock_sock(sk);
1856 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1857 err = -EBADFD;
1858 goto done;
1861 switch (optname) {
1862 case HCI_DATA_DIR:
1863 if (get_user(opt, (int __user *)optval)) {
1864 err = -EFAULT;
1865 break;
1868 if (opt)
1869 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1870 else
1871 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1872 break;
1874 case HCI_TIME_STAMP:
1875 if (get_user(opt, (int __user *)optval)) {
1876 err = -EFAULT;
1877 break;
1880 if (opt)
1881 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1882 else
1883 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1884 break;
1886 case HCI_FILTER:
1888 struct hci_filter *f = &hci_pi(sk)->filter;
1890 uf.type_mask = f->type_mask;
1891 uf.opcode = f->opcode;
1892 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1893 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1896 len = min_t(unsigned int, len, sizeof(uf));
1897 if (copy_from_user(&uf, optval, len)) {
1898 err = -EFAULT;
1899 break;
1902 if (!capable(CAP_NET_RAW)) {
1903 uf.type_mask &= hci_sec_filter.type_mask;
1904 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1905 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1909 struct hci_filter *f = &hci_pi(sk)->filter;
1911 f->type_mask = uf.type_mask;
1912 f->opcode = uf.opcode;
1913 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1914 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1916 break;
1918 default:
1919 err = -ENOPROTOOPT;
1920 break;
1923 done:
1924 release_sock(sk);
1925 return err;
1928 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1929 char __user *optval, int __user *optlen)
1931 struct hci_ufilter uf;
1932 struct sock *sk = sock->sk;
1933 int len, opt, err = 0;
1935 BT_DBG("sk %p, opt %d", sk, optname);
1937 if (level != SOL_HCI)
1938 return -ENOPROTOOPT;
1940 if (get_user(len, optlen))
1941 return -EFAULT;
1943 lock_sock(sk);
1945 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1946 err = -EBADFD;
1947 goto done;
1950 switch (optname) {
1951 case HCI_DATA_DIR:
1952 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1953 opt = 1;
1954 else
1955 opt = 0;
1957 if (put_user(opt, optval))
1958 err = -EFAULT;
1959 break;
1961 case HCI_TIME_STAMP:
1962 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1963 opt = 1;
1964 else
1965 opt = 0;
1967 if (put_user(opt, optval))
1968 err = -EFAULT;
1969 break;
1971 case HCI_FILTER:
1973 struct hci_filter *f = &hci_pi(sk)->filter;
1975 memset(&uf, 0, sizeof(uf));
1976 uf.type_mask = f->type_mask;
1977 uf.opcode = f->opcode;
1978 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1979 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1982 len = min_t(unsigned int, len, sizeof(uf));
1983 if (copy_to_user(optval, &uf, len))
1984 err = -EFAULT;
1985 break;
1987 default:
1988 err = -ENOPROTOOPT;
1989 break;
1992 done:
1993 release_sock(sk);
1994 return err;
1997 static const struct proto_ops hci_sock_ops = {
1998 .family = PF_BLUETOOTH,
1999 .owner = THIS_MODULE,
2000 .release = hci_sock_release,
2001 .bind = hci_sock_bind,
2002 .getname = hci_sock_getname,
2003 .sendmsg = hci_sock_sendmsg,
2004 .recvmsg = hci_sock_recvmsg,
2005 .ioctl = hci_sock_ioctl,
2006 #ifdef CONFIG_COMPAT
2007 .compat_ioctl = hci_sock_compat_ioctl,
2008 #endif
2009 .poll = datagram_poll,
2010 .listen = sock_no_listen,
2011 .shutdown = sock_no_shutdown,
2012 .setsockopt = hci_sock_setsockopt,
2013 .getsockopt = hci_sock_getsockopt,
2014 .connect = sock_no_connect,
2015 .socketpair = sock_no_socketpair,
2016 .accept = sock_no_accept,
2017 .mmap = sock_no_mmap
2020 static struct proto hci_sk_proto = {
2021 .name = "HCI",
2022 .owner = THIS_MODULE,
2023 .obj_size = sizeof(struct hci_pinfo)
2026 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
2027 int kern)
2029 struct sock *sk;
2031 BT_DBG("sock %p", sock);
2033 if (sock->type != SOCK_RAW)
2034 return -ESOCKTNOSUPPORT;
2036 sock->ops = &hci_sock_ops;
2038 sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
2039 if (!sk)
2040 return -ENOMEM;
2042 sock_init_data(sock, sk);
2044 sock_reset_flag(sk, SOCK_ZAPPED);
2046 sk->sk_protocol = protocol;
2048 sock->state = SS_UNCONNECTED;
2049 sk->sk_state = BT_OPEN;
2051 bt_sock_link(&hci_sk_list, sk);
2052 return 0;
2055 static const struct net_proto_family hci_sock_family_ops = {
2056 .family = PF_BLUETOOTH,
2057 .owner = THIS_MODULE,
2058 .create = hci_sock_create,
2061 int __init hci_sock_init(void)
2063 int err;
2065 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
2067 err = proto_register(&hci_sk_proto, 0);
2068 if (err < 0)
2069 return err;
2071 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
2072 if (err < 0) {
2073 BT_ERR("HCI socket registration failed");
2074 goto error;
2077 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
2078 if (err < 0) {
2079 BT_ERR("Failed to create HCI proc file");
2080 bt_sock_unregister(BTPROTO_HCI);
2081 goto error;
2084 BT_INFO("HCI socket layer initialized");
2086 return 0;
2088 error:
2089 proto_unregister(&hci_sk_proto);
2090 return err;
2093 void hci_sock_cleanup(void)
2095 bt_procfs_cleanup(&init_net, "hci");
2096 bt_sock_unregister(BTPROTO_HCI);
2097 proto_unregister(&hci_sk_proto);