net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 static inline int hci_test_bit(int nr, void *addr)
  39 {
  40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  41 }
  42
  43 /* Security filter */
  44 static struct hci_sec_filter hci_sec_filter = {
  45         /* Packet types */
  46         0x10,
  47         /* Events */
  48         { 0x1000d9fe, 0x0000b00c },
  49         /* Commands */
  50         {
  51                 { 0x0 },
  52                 /* OGF_LINK_CTL */
  53                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  54                 /* OGF_LINK_POLICY */
  55                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  56                 /* OGF_HOST_CTL */
  57                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  58                 /* OGF_INFO_PARAM */
  59                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  60                 /* OGF_STATUS_PARAM */
  61                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  62         }
  63 };
  64
  65 static struct bt_sock_list hci_sk_list = {
  66         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  67 };
  68
  69 /* Send frame to RAW socket */
  70 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
  71 {
  72         struct sock *sk;
  73         struct sk_buff *skb_copy = NULL;
  74
  75         BT_DBG("hdev %p len %d", hdev, skb->len);
  76
  77         read_lock(&hci_sk_list.lock);
  78
  79         sk_for_each(sk, &hci_sk_list.head) {
  80                 struct hci_filter *flt;
  81                 struct sk_buff *nskb;
  82
  83                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
  84                         continue;
  85
  86                 /* Don't send frame to the socket it came from */
  87                 if (skb->sk == sk)
  88                         continue;
  89
  90                 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW)
  91                         continue;
  92
  93                 /* Apply filter */
  94                 flt = &hci_pi(sk)->filter;
  95
  96                 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ?
  97                               0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS),
  98                               &flt->type_mask))
  99                         continue;
 100
 101                 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) {
 102                         int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
 103
 104                         if (!hci_test_bit(evt, &flt->event_mask))
 105                                 continue;
 106
 107                         if (flt->opcode &&
 108                             ((evt == HCI_EV_CMD_COMPLETE &&
 109                               flt->opcode !=
 110                               get_unaligned((__le16 *)(skb->data + 3))) ||
 111                              (evt == HCI_EV_CMD_STATUS &&
 112                               flt->opcode !=
 113                               get_unaligned((__le16 *)(skb->data + 4)))))
 114                                 continue;
 115                 }
 116
 117                 if (!skb_copy) {
 118                         /* Create a private copy with headroom */
 119                         skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
 120                         if (!skb_copy)
 121                                 continue;
 122
 123                         /* Put type byte before the data */
 124                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 125                 }
 126
 127                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 128                 if (!nskb)
 129                         continue;
 130
 131                 if (sock_queue_rcv_skb(sk, nskb))
 132                         kfree_skb(nskb);
 133         }
 134
 135         read_unlock(&hci_sk_list.lock);
 136
 137         kfree_skb(skb_copy);
 138 }
 139
 140 /* Send frame to control socket */
 141 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 142 {
 143         struct sock *sk;
 144
 145         BT_DBG("len %d", skb->len);
 146
 147         read_lock(&hci_sk_list.lock);
 148
 149         sk_for_each(sk, &hci_sk_list.head) {
 150                 struct sk_buff *nskb;
 151
 152                 /* Skip the original socket */
 153                 if (sk == skip_sk)
 154                         continue;
 155
 156                 if (sk->sk_state != BT_BOUND)
 157                         continue;
 158
 159                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 160                         continue;
 161
 162                 nskb = skb_clone(skb, GFP_ATOMIC);
 163                 if (!nskb)
 164                         continue;
 165
 166                 if (sock_queue_rcv_skb(sk, nskb))
 167                         kfree_skb(nskb);
 168         }
 169
 170         read_unlock(&hci_sk_list.lock);
 171 }
 172
 173 /* Send frame to monitor socket */
 174 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 175 {
 176         struct sock *sk;
 177         struct sk_buff *skb_copy = NULL;
 178         __le16 opcode;
 179
 180         if (!atomic_read(&monitor_promisc))
 181                 return;
 182
 183         BT_DBG("hdev %p len %d", hdev, skb->len);
 184
 185         switch (bt_cb(skb)->pkt_type) {
 186         case HCI_COMMAND_PKT:
 187                 opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
 188                 break;
 189         case HCI_EVENT_PKT:
 190                 opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
 191                 break;
 192         case HCI_ACLDATA_PKT:
 193                 if (bt_cb(skb)->incoming)
 194                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
 195                 else
 196                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
 197                 break;
 198         case HCI_SCODATA_PKT:
 199                 if (bt_cb(skb)->incoming)
 200                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
 201                 else
 202                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
 203                 break;
 204         default:
 205                 return;
 206         }
 207
 208         read_lock(&hci_sk_list.lock);
 209
 210         sk_for_each(sk, &hci_sk_list.head) {
 211                 struct sk_buff *nskb;
 212
 213                 if (sk->sk_state != BT_BOUND)
 214                         continue;
 215
 216                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 217                         continue;
 218
 219                 if (!skb_copy) {
 220                         struct hci_mon_hdr *hdr;
 221
 222                         /* Create a private copy with headroom */
 223                         skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
 224                                                GFP_ATOMIC);
 225                         if (!skb_copy)
 226                                 continue;
 227
 228                         /* Put header before the data */
 229                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 230                         hdr->opcode = opcode;
 231                         hdr->index = cpu_to_le16(hdev->id);
 232                         hdr->len = cpu_to_le16(skb->len);
 233                 }
 234
 235                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 236                 if (!nskb)
 237                         continue;
 238
 239                 if (sock_queue_rcv_skb(sk, nskb))
 240                         kfree_skb(nskb);
 241         }
 242
 243         read_unlock(&hci_sk_list.lock);
 244
 245         kfree_skb(skb_copy);
 246 }
 247
 248 static void send_monitor_event(struct sk_buff *skb)
 249 {
 250         struct sock *sk;
 251
 252         BT_DBG("len %d", skb->len);
 253
 254         read_lock(&hci_sk_list.lock);
 255
 256         sk_for_each(sk, &hci_sk_list.head) {
 257                 struct sk_buff *nskb;
 258
 259                 if (sk->sk_state != BT_BOUND)
 260                         continue;
 261
 262                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 263                         continue;
 264
 265                 nskb = skb_clone(skb, GFP_ATOMIC);
 266                 if (!nskb)
 267                         continue;
 268
 269                 if (sock_queue_rcv_skb(sk, nskb))
 270                         kfree_skb(nskb);
 271         }
 272
 273         read_unlock(&hci_sk_list.lock);
 274 }
 275
 276 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 277 {
 278         struct hci_mon_hdr *hdr;
 279         struct hci_mon_new_index *ni;
 280         struct sk_buff *skb;
 281         __le16 opcode;
 282
 283         switch (event) {
 284         case HCI_DEV_REG:
 285                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 286                 if (!skb)
 287                         return NULL;
 288
 289                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 290                 ni->type = hdev->dev_type;
 291                 ni->bus = hdev->bus;
 292                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 293                 memcpy(ni->name, hdev->name, 8);
 294
 295                 opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
 296                 break;
 297
 298         case HCI_DEV_UNREG:
 299                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 300                 if (!skb)
 301                         return NULL;
 302
 303                 opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
 304                 break;
 305
 306         default:
 307                 return NULL;
 308         }
 309
 310         __net_timestamp(skb);
 311
 312         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 313         hdr->opcode = opcode;
 314         hdr->index = cpu_to_le16(hdev->id);
 315         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 316
 317         return skb;
 318 }
 319
 320 static void send_monitor_replay(struct sock *sk)
 321 {
 322         struct hci_dev *hdev;
 323
 324         read_lock(&hci_dev_list_lock);
 325
 326         list_for_each_entry(hdev, &hci_dev_list, list) {
 327                 struct sk_buff *skb;
 328
 329                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 330                 if (!skb)
 331                         continue;
 332
 333                 if (sock_queue_rcv_skb(sk, skb))
 334                         kfree_skb(skb);
 335         }
 336
 337         read_unlock(&hci_dev_list_lock);
 338 }
 339
 340 /* Generate internal stack event */
 341 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 342 {
 343         struct hci_event_hdr *hdr;
 344         struct hci_ev_stack_internal *ev;
 345         struct sk_buff *skb;
 346
 347         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 348         if (!skb)
 349                 return;
 350
 351         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 352         hdr->evt  = HCI_EV_STACK_INTERNAL;
 353         hdr->plen = sizeof(*ev) + dlen;
 354
 355         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 356         ev->type = type;
 357         memcpy(ev->data, data, dlen);
 358
 359         bt_cb(skb)->incoming = 1;
 360         __net_timestamp(skb);
 361
 362         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 363         skb->dev = (void *) hdev;
 364         hci_send_to_sock(hdev, skb);
 365         kfree_skb(skb);
 366 }
 367
 368 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 369 {
 370         struct hci_ev_si_device ev;
 371
 372         BT_DBG("hdev %s event %d", hdev->name, event);
 373
 374         /* Send event to monitor */
 375         if (atomic_read(&monitor_promisc)) {
 376                 struct sk_buff *skb;
 377
 378                 skb = create_monitor_event(hdev, event);
 379                 if (skb) {
 380                         send_monitor_event(skb);
 381                         kfree_skb(skb);
 382                 }
 383         }
 384
 385         /* Send event to sockets */
 386         ev.event  = event;
 387         ev.dev_id = hdev->id;
 388         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 389
 390         if (event == HCI_DEV_UNREG) {
 391                 struct sock *sk;
 392
 393                 /* Detach sockets from device */
 394                 read_lock(&hci_sk_list.lock);
 395                 sk_for_each(sk, &hci_sk_list.head) {
 396                         bh_lock_sock_nested(sk);
 397                         if (hci_pi(sk)->hdev == hdev) {
 398                                 hci_pi(sk)->hdev = NULL;
 399                                 sk->sk_err = EPIPE;
 400                                 sk->sk_state = BT_OPEN;
 401                                 sk->sk_state_change(sk);
 402
 403                                 hci_dev_put(hdev);
 404                         }
 405                         bh_unlock_sock(sk);
 406                 }
 407                 read_unlock(&hci_sk_list.lock);
 408         }
 409 }
 410
 411 static int hci_sock_release(struct socket *sock)
 412 {
 413         struct sock *sk = sock->sk;
 414         struct hci_dev *hdev;
 415
 416         BT_DBG("sock %p sk %p", sock, sk);
 417
 418         if (!sk)
 419                 return 0;
 420
 421         hdev = hci_pi(sk)->hdev;
 422
 423         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 424                 atomic_dec(&monitor_promisc);
 425
 426         bt_sock_unlink(&hci_sk_list, sk);
 427
 428         if (hdev) {
 429                 atomic_dec(&hdev->promisc);
 430                 hci_dev_put(hdev);
 431         }
 432
 433         sock_orphan(sk);
 434
 435         skb_queue_purge(&sk->sk_receive_queue);
 436         skb_queue_purge(&sk->sk_write_queue);
 437
 438         sock_put(sk);
 439         return 0;
 440 }
 441
 442 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 443 {
 444         bdaddr_t bdaddr;
 445         int err;
 446
 447         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 448                 return -EFAULT;
 449
 450         hci_dev_lock(hdev);
 451
 452         err = hci_blacklist_add(hdev, &bdaddr, 0);
 453
 454         hci_dev_unlock(hdev);
 455
 456         return err;
 457 }
 458
 459 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 460 {
 461         bdaddr_t bdaddr;
 462         int err;
 463
 464         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 465                 return -EFAULT;
 466
 467         hci_dev_lock(hdev);
 468
 469         err = hci_blacklist_del(hdev, &bdaddr, 0);
 470
 471         hci_dev_unlock(hdev);
 472
 473         return err;
 474 }
 475
 476 /* Ioctls that require bound socket */
 477 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 478                                 unsigned long arg)
 479 {
 480         struct hci_dev *hdev = hci_pi(sk)->hdev;
 481
 482         if (!hdev)
 483                 return -EBADFD;
 484
 485         switch (cmd) {
 486         case HCISETRAW:
 487                 if (!capable(CAP_NET_ADMIN))
 488                         return -EPERM;
 489
 490                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 491                         return -EPERM;
 492
 493                 if (arg)
 494                         set_bit(HCI_RAW, &hdev->flags);
 495                 else
 496                         clear_bit(HCI_RAW, &hdev->flags);
 497
 498                 return 0;
 499
 500         case HCIGETCONNINFO:
 501                 return hci_get_conn_info(hdev, (void __user *) arg);
 502
 503         case HCIGETAUTHINFO:
 504                 return hci_get_auth_info(hdev, (void __user *) arg);
 505
 506         case HCIBLOCKADDR:
 507                 if (!capable(CAP_NET_ADMIN))
 508                         return -EPERM;
 509                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 510
 511         case HCIUNBLOCKADDR:
 512                 if (!capable(CAP_NET_ADMIN))
 513                         return -EPERM;
 514                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 515
 516         default:
 517                 if (hdev->ioctl)
 518                         return hdev->ioctl(hdev, cmd, arg);
 519                 return -EINVAL;
 520         }
 521 }
 522
 523 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 524                           unsigned long arg)
 525 {
 526         struct sock *sk = sock->sk;
 527         void __user *argp = (void __user *) arg;
 528         int err;
 529
 530         BT_DBG("cmd %x arg %lx", cmd, arg);
 531
 532         switch (cmd) {
 533         case HCIGETDEVLIST:
 534                 return hci_get_dev_list(argp);
 535
 536         case HCIGETDEVINFO:
 537                 return hci_get_dev_info(argp);
 538
 539         case HCIGETCONNLIST:
 540                 return hci_get_conn_list(argp);
 541
 542         case HCIDEVUP:
 543                 if (!capable(CAP_NET_ADMIN))
 544                         return -EPERM;
 545                 return hci_dev_open(arg);
 546
 547         case HCIDEVDOWN:
 548                 if (!capable(CAP_NET_ADMIN))
 549                         return -EPERM;
 550                 return hci_dev_close(arg);
 551
 552         case HCIDEVRESET:
 553                 if (!capable(CAP_NET_ADMIN))
 554                         return -EPERM;
 555                 return hci_dev_reset(arg);
 556
 557         case HCIDEVRESTAT:
 558                 if (!capable(CAP_NET_ADMIN))
 559                         return -EPERM;
 560                 return hci_dev_reset_stat(arg);
 561
 562         case HCISETSCAN:
 563         case HCISETAUTH:
 564         case HCISETENCRYPT:
 565         case HCISETPTYPE:
 566         case HCISETLINKPOL:
 567         case HCISETLINKMODE:
 568         case HCISETACLMTU:
 569         case HCISETSCOMTU:
 570                 if (!capable(CAP_NET_ADMIN))
 571                         return -EPERM;
 572                 return hci_dev_cmd(cmd, argp);
 573
 574         case HCIINQUIRY:
 575                 return hci_inquiry(argp);
 576
 577         default:
 578                 lock_sock(sk);
 579                 err = hci_sock_bound_ioctl(sk, cmd, arg);
 580                 release_sock(sk);
 581                 return err;
 582         }
 583 }
 584
 585 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 586                          int addr_len)
 587 {
 588         struct sockaddr_hci haddr;
 589         struct sock *sk = sock->sk;
 590         struct hci_dev *hdev = NULL;
 591         int len, err = 0;
 592
 593         BT_DBG("sock %p sk %p", sock, sk);
 594
 595         if (!addr)
 596                 return -EINVAL;
 597
 598         memset(&haddr, 0, sizeof(haddr));
 599         len = min_t(unsigned int, sizeof(haddr), addr_len);
 600         memcpy(&haddr, addr, len);
 601
 602         if (haddr.hci_family != AF_BLUETOOTH)
 603                 return -EINVAL;
 604
 605         lock_sock(sk);
 606
 607         if (sk->sk_state == BT_BOUND) {
 608                 err = -EALREADY;
 609                 goto done;
 610         }
 611
 612         switch (haddr.hci_channel) {
 613         case HCI_CHANNEL_RAW:
 614                 if (hci_pi(sk)->hdev) {
 615                         err = -EALREADY;
 616                         goto done;
 617                 }
 618
 619                 if (haddr.hci_dev != HCI_DEV_NONE) {
 620                         hdev = hci_dev_get(haddr.hci_dev);
 621                         if (!hdev) {
 622                                 err = -ENODEV;
 623                                 goto done;
 624                         }
 625
 626                         atomic_inc(&hdev->promisc);
 627                 }
 628
 629                 hci_pi(sk)->hdev = hdev;
 630                 break;
 631
 632         case HCI_CHANNEL_CONTROL:
 633                 if (haddr.hci_dev != HCI_DEV_NONE) {
 634                         err = -EINVAL;
 635                         goto done;
 636                 }
 637
 638                 if (!capable(CAP_NET_ADMIN)) {
 639                         err = -EPERM;
 640                         goto done;
 641                 }
 642
 643                 break;
 644
 645         case HCI_CHANNEL_MONITOR:
 646                 if (haddr.hci_dev != HCI_DEV_NONE) {
 647                         err = -EINVAL;
 648                         goto done;
 649                 }
 650
 651                 if (!capable(CAP_NET_RAW)) {
 652                         err = -EPERM;
 653                         goto done;
 654                 }
 655
 656                 send_monitor_replay(sk);
 657
 658                 atomic_inc(&monitor_promisc);
 659                 break;
 660
 661         default:
 662                 err = -EINVAL;
 663                 goto done;
 664         }
 665
 666
 667         hci_pi(sk)->channel = haddr.hci_channel;
 668         sk->sk_state = BT_BOUND;
 669
 670 done:
 671         release_sock(sk);
 672         return err;
 673 }
 674
 675 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 676                             int *addr_len, int peer)
 677 {
 678         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 679         struct sock *sk = sock->sk;
 680         struct hci_dev *hdev = hci_pi(sk)->hdev;
 681
 682         BT_DBG("sock %p sk %p", sock, sk);
 683
 684         if (!hdev)
 685                 return -EBADFD;
 686
 687         lock_sock(sk);
 688
 689         *addr_len = sizeof(*haddr);
 690         haddr->hci_family = AF_BLUETOOTH;
 691         haddr->hci_dev    = hdev->id;
 692         haddr->hci_channel= 0;
 693
 694         release_sock(sk);
 695         return 0;
 696 }
 697
 698 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 699                           struct sk_buff *skb)
 700 {
 701         __u32 mask = hci_pi(sk)->cmsg_mask;
 702
 703         if (mask & HCI_CMSG_DIR) {
 704                 int incoming = bt_cb(skb)->incoming;
 705                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 706                          &incoming);
 707         }
 708
 709         if (mask & HCI_CMSG_TSTAMP) {
 710 #ifdef CONFIG_COMPAT
 711                 struct compat_timeval ctv;
 712 #endif
 713                 struct timeval tv;
 714                 void *data;
 715                 int len;
 716
 717                 skb_get_timestamp(skb, &tv);
 718
 719                 data = &tv;
 720                 len = sizeof(tv);
 721 #ifdef CONFIG_COMPAT
 722                 if (!COMPAT_USE_64BIT_TIME &&
 723                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 724                         ctv.tv_sec = tv.tv_sec;
 725                         ctv.tv_usec = tv.tv_usec;
 726                         data = &ctv;
 727                         len = sizeof(ctv);
 728                 }
 729 #endif
 730
 731                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 732         }
 733 }
 734
 735 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 736                             struct msghdr *msg, size_t len, int flags)
 737 {
 738         int noblock = flags & MSG_DONTWAIT;
 739         struct sock *sk = sock->sk;
 740         struct sk_buff *skb;
 741         int copied, err;
 742
 743         BT_DBG("sock %p, sk %p", sock, sk);
 744
 745         if (flags & (MSG_OOB))
 746                 return -EOPNOTSUPP;
 747
 748         if (sk->sk_state == BT_CLOSED)
 749                 return 0;
 750
 751         skb = skb_recv_datagram(sk, flags, noblock, &err);
 752         if (!skb)
 753                 return err;
 754
 755         msg->msg_namelen = 0;
 756
 757         copied = skb->len;
 758         if (len < copied) {
 759                 msg->msg_flags |= MSG_TRUNC;
 760                 copied = len;
 761         }
 762
 763         skb_reset_transport_header(skb);
 764         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 765
 766         switch (hci_pi(sk)->channel) {
 767         case HCI_CHANNEL_RAW:
 768                 hci_sock_cmsg(sk, msg, skb);
 769                 break;
 770         case HCI_CHANNEL_CONTROL:
 771         case HCI_CHANNEL_MONITOR:
 772                 sock_recv_timestamp(msg, sk, skb);
 773                 break;
 774         }
 775
 776         skb_free_datagram(sk, skb);
 777
 778         return err ? : copied;
 779 }
 780
 781 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 782                             struct msghdr *msg, size_t len)
 783 {
 784         struct sock *sk = sock->sk;
 785         struct hci_dev *hdev;
 786         struct sk_buff *skb;
 787         int err;
 788
 789         BT_DBG("sock %p sk %p", sock, sk);
 790
 791         if (msg->msg_flags & MSG_OOB)
 792                 return -EOPNOTSUPP;
 793
 794         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 795                 return -EINVAL;
 796
 797         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 798                 return -EINVAL;
 799
 800         lock_sock(sk);
 801
 802         switch (hci_pi(sk)->channel) {
 803         case HCI_CHANNEL_RAW:
 804                 break;
 805         case HCI_CHANNEL_CONTROL:
 806                 err = mgmt_control(sk, msg, len);
 807                 goto done;
 808         case HCI_CHANNEL_MONITOR:
 809                 err = -EOPNOTSUPP;
 810                 goto done;
 811         default:
 812                 err = -EINVAL;
 813                 goto done;
 814         }
 815
 816         hdev = hci_pi(sk)->hdev;
 817         if (!hdev) {
 818                 err = -EBADFD;
 819                 goto done;
 820         }
 821
 822         if (!test_bit(HCI_UP, &hdev->flags)) {
 823                 err = -ENETDOWN;
 824                 goto done;
 825         }
 826
 827         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 828         if (!skb)
 829                 goto done;
 830
 831         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 832                 err = -EFAULT;
 833                 goto drop;
 834         }
 835
 836         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 837         skb_pull(skb, 1);
 838         skb->dev = (void *) hdev;
 839
 840         if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 841                 u16 opcode = get_unaligned_le16(skb->data);
 842                 u16 ogf = hci_opcode_ogf(opcode);
 843                 u16 ocf = hci_opcode_ocf(opcode);
 844
 845                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 846                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 847                                    &hci_sec_filter.ocf_mask[ogf])) &&
 848                     !capable(CAP_NET_RAW)) {
 849                         err = -EPERM;
 850                         goto drop;
 851                 }
 852
 853                 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
 854                         skb_queue_tail(&hdev->raw_q, skb);
 855                         queue_work(hdev->workqueue, &hdev->tx_work);
 856                 } else {
 857                         /* Stand-alone HCI commands must be flaged as
 858                          * single-command requests.
 859                          */
 860                         bt_cb(skb)->req.start = true;
 861
 862                         skb_queue_tail(&hdev->cmd_q, skb);
 863                         queue_work(hdev->workqueue, &hdev->cmd_work);
 864                 }
 865         } else {
 866                 if (!capable(CAP_NET_RAW)) {
 867                         err = -EPERM;
 868                         goto drop;
 869                 }
 870
 871                 skb_queue_tail(&hdev->raw_q, skb);
 872                 queue_work(hdev->workqueue, &hdev->tx_work);
 873         }
 874
 875         err = len;
 876
 877 done:
 878         release_sock(sk);
 879         return err;
 880
 881 drop:
 882         kfree_skb(skb);
 883         goto done;
 884 }
 885
 886 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
 887                                char __user *optval, unsigned int len)
 888 {
 889         struct hci_ufilter uf = { .opcode = 0 };
 890         struct sock *sk = sock->sk;
 891         int err = 0, opt = 0;
 892
 893         BT_DBG("sk %p, opt %d", sk, optname);
 894
 895         lock_sock(sk);
 896
 897         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 898                 err = -EINVAL;
 899                 goto done;
 900         }
 901
 902         switch (optname) {
 903         case HCI_DATA_DIR:
 904                 if (get_user(opt, (int __user *)optval)) {
 905                         err = -EFAULT;
 906                         break;
 907                 }
 908
 909                 if (opt)
 910                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
 911                 else
 912                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
 913                 break;
 914
 915         case HCI_TIME_STAMP:
 916                 if (get_user(opt, (int __user *)optval)) {
 917                         err = -EFAULT;
 918                         break;
 919                 }
 920
 921                 if (opt)
 922                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
 923                 else
 924                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
 925                 break;
 926
 927         case HCI_FILTER:
 928                 {
 929                         struct hci_filter *f = &hci_pi(sk)->filter;
 930
 931                         uf.type_mask = f->type_mask;
 932                         uf.opcode    = f->opcode;
 933                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
 934                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
 935                 }
 936
 937                 len = min_t(unsigned int, len, sizeof(uf));
 938                 if (copy_from_user(&uf, optval, len)) {
 939                         err = -EFAULT;
 940                         break;
 941                 }
 942
 943                 if (!capable(CAP_NET_RAW)) {
 944                         uf.type_mask &= hci_sec_filter.type_mask;
 945                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
 946                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
 947                 }
 948
 949                 {
 950                         struct hci_filter *f = &hci_pi(sk)->filter;
 951
 952                         f->type_mask = uf.type_mask;
 953                         f->opcode    = uf.opcode;
 954                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
 955                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
 956                 }
 957                 break;
 958
 959         default:
 960                 err = -ENOPROTOOPT;
 961                 break;
 962         }
 963
 964 done:
 965         release_sock(sk);
 966         return err;
 967 }
 968
 969 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
 970                                char __user *optval, int __user *optlen)
 971 {
 972         struct hci_ufilter uf;
 973         struct sock *sk = sock->sk;
 974         int len, opt, err = 0;
 975
 976         BT_DBG("sk %p, opt %d", sk, optname);
 977
 978         if (get_user(len, optlen))
 979                 return -EFAULT;
 980
 981         lock_sock(sk);
 982
 983         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 984                 err = -EINVAL;
 985                 goto done;
 986         }
 987
 988         switch (optname) {
 989         case HCI_DATA_DIR:
 990                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
 991                         opt = 1;
 992                 else
 993                         opt = 0;
 994
 995                 if (put_user(opt, optval))
 996                         err = -EFAULT;
 997                 break;
 998
 999         case HCI_TIME_STAMP:
1000                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1001                         opt = 1;
1002                 else
1003                         opt = 0;
1004
1005                 if (put_user(opt, optval))
1006                         err = -EFAULT;
1007                 break;
1008
1009         case HCI_FILTER:
1010                 {
1011                         struct hci_filter *f = &hci_pi(sk)->filter;
1012
1013                         memset(&uf, 0, sizeof(uf));
1014                         uf.type_mask = f->type_mask;
1015                         uf.opcode    = f->opcode;
1016                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1017                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1018                 }
1019
1020                 len = min_t(unsigned int, len, sizeof(uf));
1021                 if (copy_to_user(optval, &uf, len))
1022                         err = -EFAULT;
1023                 break;
1024
1025         default:
1026                 err = -ENOPROTOOPT;
1027                 break;
1028         }
1029
1030 done:
1031         release_sock(sk);
1032         return err;
1033 }
1034
1035 static const struct proto_ops hci_sock_ops = {
1036         .family         = PF_BLUETOOTH,
1037         .owner          = THIS_MODULE,
1038         .release        = hci_sock_release,
1039         .bind           = hci_sock_bind,
1040         .getname        = hci_sock_getname,
1041         .sendmsg        = hci_sock_sendmsg,
1042         .recvmsg        = hci_sock_recvmsg,
1043         .ioctl          = hci_sock_ioctl,
1044         .poll           = datagram_poll,
1045         .listen         = sock_no_listen,
1046         .shutdown       = sock_no_shutdown,
1047         .setsockopt     = hci_sock_setsockopt,
1048         .getsockopt     = hci_sock_getsockopt,
1049         .connect        = sock_no_connect,
1050         .socketpair     = sock_no_socketpair,
1051         .accept         = sock_no_accept,
1052         .mmap           = sock_no_mmap
1053 };
1054
1055 static struct proto hci_sk_proto = {
1056         .name           = "HCI",
1057         .owner          = THIS_MODULE,
1058         .obj_size       = sizeof(struct hci_pinfo)
1059 };
1060
1061 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1062                            int kern)
1063 {
1064         struct sock *sk;
1065
1066         BT_DBG("sock %p", sock);
1067
1068         if (sock->type != SOCK_RAW)
1069                 return -ESOCKTNOSUPPORT;
1070
1071         sock->ops = &hci_sock_ops;
1072
1073         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1074         if (!sk)
1075                 return -ENOMEM;
1076
1077         sock_init_data(sock, sk);
1078
1079         sock_reset_flag(sk, SOCK_ZAPPED);
1080
1081         sk->sk_protocol = protocol;
1082
1083         sock->state = SS_UNCONNECTED;
1084         sk->sk_state = BT_OPEN;
1085
1086         bt_sock_link(&hci_sk_list, sk);
1087         return 0;
1088 }
1089
1090 static const struct net_proto_family hci_sock_family_ops = {
1091         .family = PF_BLUETOOTH,
1092         .owner  = THIS_MODULE,
1093         .create = hci_sock_create,
1094 };
1095
1096 int __init hci_sock_init(void)
1097 {
1098         int err;
1099
1100         err = proto_register(&hci_sk_proto, 0);
1101         if (err < 0)
1102                 return err;
1103
1104         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1105         if (err < 0) {
1106                 BT_ERR("HCI socket registration failed");
1107                 goto error;
1108         }
1109
1110         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1111         if (err < 0) {
1112                 BT_ERR("Failed to create HCI proc file");
1113                 bt_sock_unregister(BTPROTO_HCI);
1114                 goto error;
1115         }
1116
1117         BT_INFO("HCI socket layer initialized");
1118
1119         return 0;
1120
1121 error:
1122         proto_unregister(&hci_sk_proto);
1123         return err;
1124 }
1125
1126 void hci_sock_cleanup(void)
1127 {
1128         bt_procfs_cleanup(&init_net, "hci");
1129         bt_sock_unregister(BTPROTO_HCI);
1130         proto_unregister(&hci_sk_proto);
1131 }