2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI sockets. */
26 #include <linux/compat.h>
27 #include <linux/export.h>
28 #include <linux/utsname.h>
29 #include <linux/sched.h>
30 #include <asm/unaligned.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/hci_mon.h>
35 #include <net/bluetooth/mgmt.h>
37 #include "mgmt_util.h"
39 static LIST_HEAD(mgmt_chan_list);
40 static DEFINE_MUTEX(mgmt_chan_list_lock);
42 static DEFINE_IDA(sock_cookie_ida);
44 static atomic_t monitor_promisc = ATOMIC_INIT(0);
46 /* ----- HCI socket interface ----- */
49 #define hci_pi(sk) ((struct hci_pinfo *) sk)
54 struct hci_filter filter;
56 unsigned short channel;
59 char comm[TASK_COMM_LEN];
63 static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
65 struct hci_dev *hdev = hci_pi(sk)->hdev;
68 return ERR_PTR(-EBADFD);
69 if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
70 return ERR_PTR(-EPIPE);
74 void hci_sock_set_flag(struct sock *sk, int nr)
76 set_bit(nr, &hci_pi(sk)->flags);
79 void hci_sock_clear_flag(struct sock *sk, int nr)
81 clear_bit(nr, &hci_pi(sk)->flags);
84 int hci_sock_test_flag(struct sock *sk, int nr)
86 return test_bit(nr, &hci_pi(sk)->flags);
89 unsigned short hci_sock_get_channel(struct sock *sk)
91 return hci_pi(sk)->channel;
94 u32 hci_sock_get_cookie(struct sock *sk)
96 return hci_pi(sk)->cookie;
99 static bool hci_sock_gen_cookie(struct sock *sk)
101 int id = hci_pi(sk)->cookie;
104 id = ida_alloc_min(&sock_cookie_ida, 1, GFP_KERNEL);
108 hci_pi(sk)->cookie = id;
109 get_task_comm(hci_pi(sk)->comm, current);
116 static void hci_sock_free_cookie(struct sock *sk)
118 int id = hci_pi(sk)->cookie;
121 hci_pi(sk)->cookie = 0xffffffff;
122 ida_free(&sock_cookie_ida, id);
126 static inline int hci_test_bit(int nr, const void *addr)
128 return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
131 /* Security filter */
132 #define HCI_SFLT_MAX_OGF 5
134 struct hci_sec_filter {
137 __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
140 static const struct hci_sec_filter hci_sec_filter = {
144 { 0x1000d9fe, 0x0000b00c },
149 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
150 /* OGF_LINK_POLICY */
151 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
153 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
155 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
156 /* OGF_STATUS_PARAM */
157 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
161 static struct bt_sock_list hci_sk_list = {
162 .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
165 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
167 struct hci_filter *flt;
168 int flt_type, flt_event;
171 flt = &hci_pi(sk)->filter;
173 flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
175 if (!test_bit(flt_type, &flt->type_mask))
178 /* Extra filter for event packets only */
179 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
182 flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
184 if (!hci_test_bit(flt_event, &flt->event_mask))
187 /* Check filter only when opcode is set */
191 if (flt_event == HCI_EV_CMD_COMPLETE &&
192 flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
195 if (flt_event == HCI_EV_CMD_STATUS &&
196 flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
202 /* Send frame to RAW socket */
203 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
206 struct sk_buff *skb_copy = NULL;
208 BT_DBG("hdev %p len %d", hdev, skb->len);
210 read_lock(&hci_sk_list.lock);
212 sk_for_each(sk, &hci_sk_list.head) {
213 struct sk_buff *nskb;
215 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
218 /* Don't send frame to the socket it came from */
222 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
223 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
224 hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
225 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
226 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
227 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
229 if (is_filtered_packet(sk, skb))
231 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
232 if (!bt_cb(skb)->incoming)
234 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
235 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
236 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
237 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
240 /* Don't send frame to other channel types */
245 /* Create a private copy with headroom */
246 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
250 /* Put type byte before the data */
251 memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
254 nskb = skb_clone(skb_copy, GFP_ATOMIC);
258 if (sock_queue_rcv_skb(sk, nskb))
262 read_unlock(&hci_sk_list.lock);
267 static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb)
269 struct scm_creds *creds;
271 if (!sk || WARN_ON(!skb))
274 creds = &bt_cb(skb)->creds;
276 /* Check if peer credentials is set */
277 if (!sk->sk_peer_pid) {
278 /* Check if parent peer credentials is set */
279 if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid)
280 sk = bt_sk(sk)->parent;
285 /* Check if scm_creds already set */
286 if (creds->pid == pid_vnr(sk->sk_peer_pid))
289 memset(creds, 0, sizeof(*creds));
291 creds->pid = pid_vnr(sk->sk_peer_pid);
292 if (sk->sk_peer_cred) {
293 creds->uid = sk->sk_peer_cred->uid;
294 creds->gid = sk->sk_peer_cred->gid;
298 static struct sk_buff *hci_skb_clone(struct sk_buff *skb)
300 struct sk_buff *nskb;
305 nskb = skb_clone(skb, GFP_ATOMIC);
309 hci_sock_copy_creds(skb->sk, nskb);
314 /* Send frame to sockets with specific channel */
315 static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
316 int flag, struct sock *skip_sk)
320 BT_DBG("channel %u len %d", channel, skb->len);
322 sk_for_each(sk, &hci_sk_list.head) {
323 struct sk_buff *nskb;
325 /* Ignore socket without the flag set */
326 if (!hci_sock_test_flag(sk, flag))
329 /* Skip the original socket */
333 if (sk->sk_state != BT_BOUND)
336 if (hci_pi(sk)->channel != channel)
339 nskb = hci_skb_clone(skb);
343 if (sock_queue_rcv_skb(sk, nskb))
349 void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
350 int flag, struct sock *skip_sk)
352 read_lock(&hci_sk_list.lock);
353 __hci_send_to_channel(channel, skb, flag, skip_sk);
354 read_unlock(&hci_sk_list.lock);
357 /* Send frame to monitor socket */
358 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
360 struct sk_buff *skb_copy = NULL;
361 struct hci_mon_hdr *hdr;
364 if (!atomic_read(&monitor_promisc))
367 BT_DBG("hdev %p len %d", hdev, skb->len);
369 switch (hci_skb_pkt_type(skb)) {
370 case HCI_COMMAND_PKT:
371 opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
374 opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
376 case HCI_ACLDATA_PKT:
377 if (bt_cb(skb)->incoming)
378 opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
380 opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
382 case HCI_SCODATA_PKT:
383 if (bt_cb(skb)->incoming)
384 opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
386 opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
388 case HCI_ISODATA_PKT:
389 if (bt_cb(skb)->incoming)
390 opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT);
392 opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT);
395 opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
401 /* Create a private copy with headroom */
402 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
406 hci_sock_copy_creds(skb->sk, skb_copy);
408 /* Put header before the data */
409 hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE);
410 hdr->opcode = opcode;
411 hdr->index = cpu_to_le16(hdev->id);
412 hdr->len = cpu_to_le16(skb->len);
414 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
415 HCI_SOCK_TRUSTED, NULL);
419 void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
420 void *data, u16 data_len, ktime_t tstamp,
421 int flag, struct sock *skip_sk)
427 index = cpu_to_le16(hdev->id);
429 index = cpu_to_le16(MGMT_INDEX_NONE);
431 read_lock(&hci_sk_list.lock);
433 sk_for_each(sk, &hci_sk_list.head) {
434 struct hci_mon_hdr *hdr;
437 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
440 /* Ignore socket without the flag set */
441 if (!hci_sock_test_flag(sk, flag))
444 /* Skip the original socket */
448 skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
452 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
453 put_unaligned_le16(event, skb_put(skb, 2));
456 skb_put_data(skb, data, data_len);
458 skb->tstamp = tstamp;
460 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
461 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
463 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
465 __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
466 HCI_SOCK_TRUSTED, NULL);
470 read_unlock(&hci_sk_list.lock);
473 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
475 struct hci_mon_hdr *hdr;
476 struct hci_mon_new_index *ni;
477 struct hci_mon_index_info *ii;
483 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
487 ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
488 ni->type = 0x00; /* Old hdev->dev_type */
490 bacpy(&ni->bdaddr, &hdev->bdaddr);
491 memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name,
492 strnlen(hdev->name, sizeof(ni->name)), '\0');
494 opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
498 skb = bt_skb_alloc(0, GFP_ATOMIC);
502 opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
506 if (hdev->manufacturer == 0xffff)
511 skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
515 ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
516 bacpy(&ii->bdaddr, &hdev->bdaddr);
517 ii->manufacturer = cpu_to_le16(hdev->manufacturer);
519 opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
523 skb = bt_skb_alloc(0, GFP_ATOMIC);
527 opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
531 skb = bt_skb_alloc(0, GFP_ATOMIC);
535 opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
542 __net_timestamp(skb);
544 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
545 hdr->opcode = opcode;
546 hdr->index = cpu_to_le16(hdev->id);
547 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
552 static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
554 struct hci_mon_hdr *hdr;
560 /* No message needed when cookie is not present */
561 if (!hci_pi(sk)->cookie)
564 switch (hci_pi(sk)->channel) {
565 case HCI_CHANNEL_RAW:
567 ver[0] = BT_SUBSYS_VERSION;
568 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
570 case HCI_CHANNEL_USER:
572 ver[0] = BT_SUBSYS_VERSION;
573 put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
575 case HCI_CHANNEL_CONTROL:
577 mgmt_fill_version_info(ver);
580 /* No message for unsupported format */
584 skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC);
588 hci_sock_copy_creds(sk, skb);
590 flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;
592 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
593 put_unaligned_le16(format, skb_put(skb, 2));
594 skb_put_data(skb, ver, sizeof(ver));
595 put_unaligned_le32(flags, skb_put(skb, 4));
596 skb_put_u8(skb, TASK_COMM_LEN);
597 skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN);
599 __net_timestamp(skb);
601 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
602 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
603 if (hci_pi(sk)->hdev)
604 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
606 hdr->index = cpu_to_le16(HCI_DEV_NONE);
607 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
612 static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
614 struct hci_mon_hdr *hdr;
617 /* No message needed when cookie is not present */
618 if (!hci_pi(sk)->cookie)
621 switch (hci_pi(sk)->channel) {
622 case HCI_CHANNEL_RAW:
623 case HCI_CHANNEL_USER:
624 case HCI_CHANNEL_CONTROL:
627 /* No message for unsupported format */
631 skb = bt_skb_alloc(4, GFP_ATOMIC);
635 hci_sock_copy_creds(sk, skb);
637 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
639 __net_timestamp(skb);
641 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
642 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
643 if (hci_pi(sk)->hdev)
644 hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
646 hdr->index = cpu_to_le16(HCI_DEV_NONE);
647 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
652 static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
656 struct hci_mon_hdr *hdr;
659 skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
663 hci_sock_copy_creds(sk, skb);
665 put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
666 put_unaligned_le16(opcode, skb_put(skb, 2));
669 skb_put_data(skb, buf, len);
671 __net_timestamp(skb);
673 hdr = skb_push(skb, HCI_MON_HDR_SIZE);
674 hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
675 hdr->index = cpu_to_le16(index);
676 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
681 static void __printf(2, 3)
682 send_monitor_note(struct sock *sk, const char *fmt, ...)
685 struct hci_mon_hdr *hdr;
690 len = vsnprintf(NULL, 0, fmt, args);
693 skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
697 hci_sock_copy_creds(sk, skb);
700 vsprintf(skb_put(skb, len), fmt, args);
701 *(u8 *)skb_put(skb, 1) = 0;
704 __net_timestamp(skb);
706 hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
707 hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
708 hdr->index = cpu_to_le16(HCI_DEV_NONE);
709 hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
711 if (sock_queue_rcv_skb(sk, skb))
715 static void send_monitor_replay(struct sock *sk)
717 struct hci_dev *hdev;
719 read_lock(&hci_dev_list_lock);
721 list_for_each_entry(hdev, &hci_dev_list, list) {
724 skb = create_monitor_event(hdev, HCI_DEV_REG);
728 if (sock_queue_rcv_skb(sk, skb))
731 if (!test_bit(HCI_RUNNING, &hdev->flags))
734 skb = create_monitor_event(hdev, HCI_DEV_OPEN);
738 if (sock_queue_rcv_skb(sk, skb))
741 if (test_bit(HCI_UP, &hdev->flags))
742 skb = create_monitor_event(hdev, HCI_DEV_UP);
743 else if (hci_dev_test_flag(hdev, HCI_SETUP))
744 skb = create_monitor_event(hdev, HCI_DEV_SETUP);
749 if (sock_queue_rcv_skb(sk, skb))
754 read_unlock(&hci_dev_list_lock);
757 static void send_monitor_control_replay(struct sock *mon_sk)
761 read_lock(&hci_sk_list.lock);
763 sk_for_each(sk, &hci_sk_list.head) {
766 skb = create_monitor_ctrl_open(sk);
770 if (sock_queue_rcv_skb(mon_sk, skb))
774 read_unlock(&hci_sk_list.lock);
777 /* Generate internal stack event */
778 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
780 struct hci_event_hdr *hdr;
781 struct hci_ev_stack_internal *ev;
784 skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
788 hdr = skb_put(skb, HCI_EVENT_HDR_SIZE);
789 hdr->evt = HCI_EV_STACK_INTERNAL;
790 hdr->plen = sizeof(*ev) + dlen;
792 ev = skb_put(skb, sizeof(*ev) + dlen);
794 memcpy(ev->data, data, dlen);
796 bt_cb(skb)->incoming = 1;
797 __net_timestamp(skb);
799 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
800 hci_send_to_sock(hdev, skb);
804 void hci_sock_dev_event(struct hci_dev *hdev, int event)
806 BT_DBG("hdev %s event %d", hdev->name, event);
808 if (atomic_read(&monitor_promisc)) {
811 /* Send event to monitor */
812 skb = create_monitor_event(hdev, event);
814 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
815 HCI_SOCK_TRUSTED, NULL);
820 if (event <= HCI_DEV_DOWN) {
821 struct hci_ev_si_device ev;
823 /* Send event to sockets */
825 ev.dev_id = hdev->id;
826 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
829 if (event == HCI_DEV_UNREG) {
832 /* Wake up sockets using this dead device */
833 read_lock(&hci_sk_list.lock);
834 sk_for_each(sk, &hci_sk_list.head) {
835 if (hci_pi(sk)->hdev == hdev) {
837 sk->sk_state_change(sk);
840 read_unlock(&hci_sk_list.lock);
844 static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
846 struct hci_mgmt_chan *c;
848 list_for_each_entry(c, &mgmt_chan_list, list) {
849 if (c->channel == channel)
856 static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
858 struct hci_mgmt_chan *c;
860 mutex_lock(&mgmt_chan_list_lock);
861 c = __hci_mgmt_chan_find(channel);
862 mutex_unlock(&mgmt_chan_list_lock);
867 int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
869 if (c->channel < HCI_CHANNEL_CONTROL)
872 mutex_lock(&mgmt_chan_list_lock);
873 if (__hci_mgmt_chan_find(c->channel)) {
874 mutex_unlock(&mgmt_chan_list_lock);
878 list_add_tail(&c->list, &mgmt_chan_list);
880 mutex_unlock(&mgmt_chan_list_lock);
884 EXPORT_SYMBOL(hci_mgmt_chan_register);
886 void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
888 mutex_lock(&mgmt_chan_list_lock);
890 mutex_unlock(&mgmt_chan_list_lock);
892 EXPORT_SYMBOL(hci_mgmt_chan_unregister);
894 static int hci_sock_release(struct socket *sock)
896 struct sock *sk = sock->sk;
897 struct hci_dev *hdev;
900 BT_DBG("sock %p sk %p", sock, sk);
907 switch (hci_pi(sk)->channel) {
908 case HCI_CHANNEL_MONITOR:
909 atomic_dec(&monitor_promisc);
911 case HCI_CHANNEL_RAW:
912 case HCI_CHANNEL_USER:
913 case HCI_CHANNEL_CONTROL:
914 /* Send event to monitor */
915 skb = create_monitor_ctrl_close(sk);
917 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
918 HCI_SOCK_TRUSTED, NULL);
922 hci_sock_free_cookie(sk);
926 bt_sock_unlink(&hci_sk_list, sk);
928 hdev = hci_pi(sk)->hdev;
930 if (hci_pi(sk)->channel == HCI_CHANNEL_USER &&
931 !hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
932 /* When releasing a user channel exclusive access,
933 * call hci_dev_do_close directly instead of calling
934 * hci_dev_close to ensure the exclusive access will
935 * be released and the controller brought back down.
937 * The checking of HCI_AUTO_OFF is not needed in this
938 * case since it will have been cleared already when
939 * opening the user channel.
941 * Make sure to also check that we haven't already
942 * unregistered since all the cleanup will have already
943 * been complete and hdev will get released when we put
946 hci_dev_do_close(hdev);
947 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
948 mgmt_index_added(hdev);
951 atomic_dec(&hdev->promisc);
961 static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg)
966 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
971 err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
973 hci_dev_unlock(hdev);
978 static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg)
983 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
988 err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
990 hci_dev_unlock(hdev);
995 /* Ioctls that require bound socket */
996 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
999 struct hci_dev *hdev = hci_hdev_from_sock(sk);
1002 return PTR_ERR(hdev);
1004 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1007 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1012 if (!capable(CAP_NET_ADMIN))
1016 case HCIGETCONNINFO:
1017 return hci_get_conn_info(hdev, (void __user *)arg);
1019 case HCIGETAUTHINFO:
1020 return hci_get_auth_info(hdev, (void __user *)arg);
1023 if (!capable(CAP_NET_ADMIN))
1025 return hci_sock_reject_list_add(hdev, (void __user *)arg);
1027 case HCIUNBLOCKADDR:
1028 if (!capable(CAP_NET_ADMIN))
1030 return hci_sock_reject_list_del(hdev, (void __user *)arg);
1033 return -ENOIOCTLCMD;
1036 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
1039 void __user *argp = (void __user *)arg;
1040 struct sock *sk = sock->sk;
1043 BT_DBG("cmd %x arg %lx", cmd, arg);
1045 /* Make sure the cmd is valid before doing anything */
1049 case HCIGETCONNLIST:
1059 case HCISETLINKMODE:
1064 case HCIGETCONNINFO:
1065 case HCIGETAUTHINFO:
1067 case HCIUNBLOCKADDR:
1070 return -ENOIOCTLCMD;
1075 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1080 /* When calling an ioctl on an unbound raw socket, then ensure
1081 * that the monitor gets informed. Ensure that the resulting event
1082 * is only send once by checking if the cookie exists or not. The
1083 * socket cookie will be only ever generated once for the lifetime
1084 * of a given socket.
1086 if (hci_sock_gen_cookie(sk)) {
1087 struct sk_buff *skb;
1089 /* Perform careful checks before setting the HCI_SOCK_TRUSTED
1090 * flag. Make sure that not only the current task but also
1091 * the socket opener has the required capability, since
1092 * privileged programs can be tricked into making ioctl calls
1093 * on HCI sockets, and the socket should not be marked as
1094 * trusted simply because the ioctl caller is privileged.
1096 if (sk_capable(sk, CAP_NET_ADMIN))
1097 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1099 /* Send event to monitor */
1100 skb = create_monitor_ctrl_open(sk);
1102 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1103 HCI_SOCK_TRUSTED, NULL);
1112 return hci_get_dev_list(argp);
1115 return hci_get_dev_info(argp);
1117 case HCIGETCONNLIST:
1118 return hci_get_conn_list(argp);
1121 if (!capable(CAP_NET_ADMIN))
1123 return hci_dev_open(arg);
1126 if (!capable(CAP_NET_ADMIN))
1128 return hci_dev_close(arg);
1131 if (!capable(CAP_NET_ADMIN))
1133 return hci_dev_reset(arg);
1136 if (!capable(CAP_NET_ADMIN))
1138 return hci_dev_reset_stat(arg);
1145 case HCISETLINKMODE:
1148 if (!capable(CAP_NET_ADMIN))
1150 return hci_dev_cmd(cmd, argp);
1153 return hci_inquiry(argp);
1158 err = hci_sock_bound_ioctl(sk, cmd, arg);
1165 #ifdef CONFIG_COMPAT
1166 static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd,
1174 return hci_sock_ioctl(sock, cmd, arg);
1177 return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
1181 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1184 struct sockaddr_hci haddr;
1185 struct sock *sk = sock->sk;
1186 struct hci_dev *hdev = NULL;
1187 struct sk_buff *skb;
1190 BT_DBG("sock %p sk %p", sock, sk);
1195 memset(&haddr, 0, sizeof(haddr));
1196 len = min_t(unsigned int, sizeof(haddr), addr_len);
1197 memcpy(&haddr, addr, len);
1199 if (haddr.hci_family != AF_BLUETOOTH)
1204 /* Allow detaching from dead device and attaching to alive device, if
1205 * the caller wants to re-bind (instead of close) this socket in
1206 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
1208 hdev = hci_pi(sk)->hdev;
1209 if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1210 hci_pi(sk)->hdev = NULL;
1211 sk->sk_state = BT_OPEN;
1216 if (sk->sk_state == BT_BOUND) {
1221 switch (haddr.hci_channel) {
1222 case HCI_CHANNEL_RAW:
1223 if (hci_pi(sk)->hdev) {
1228 if (haddr.hci_dev != HCI_DEV_NONE) {
1229 hdev = hci_dev_get(haddr.hci_dev);
1235 atomic_inc(&hdev->promisc);
1238 hci_pi(sk)->channel = haddr.hci_channel;
1240 if (!hci_sock_gen_cookie(sk)) {
1241 /* In the case when a cookie has already been assigned,
1242 * then there has been already an ioctl issued against
1243 * an unbound socket and with that triggered an open
1244 * notification. Send a close notification first to
1245 * allow the state transition to bounded.
1247 skb = create_monitor_ctrl_close(sk);
1249 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1250 HCI_SOCK_TRUSTED, NULL);
1255 if (capable(CAP_NET_ADMIN))
1256 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1258 hci_pi(sk)->hdev = hdev;
1260 /* Send event to monitor */
1261 skb = create_monitor_ctrl_open(sk);
1263 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1264 HCI_SOCK_TRUSTED, NULL);
1269 case HCI_CHANNEL_USER:
1270 if (hci_pi(sk)->hdev) {
1275 if (haddr.hci_dev == HCI_DEV_NONE) {
1280 if (!capable(CAP_NET_ADMIN)) {
1285 hdev = hci_dev_get(haddr.hci_dev);
1291 if (test_bit(HCI_INIT, &hdev->flags) ||
1292 hci_dev_test_flag(hdev, HCI_SETUP) ||
1293 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1294 (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1295 test_bit(HCI_UP, &hdev->flags))) {
1301 if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1307 mgmt_index_removed(hdev);
1309 err = hci_dev_open(hdev->id);
1311 if (err == -EALREADY) {
1312 /* In case the transport is already up and
1313 * running, clear the error here.
1315 * This can happen when opening a user
1316 * channel and HCI_AUTO_OFF grace period
1321 hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1322 mgmt_index_added(hdev);
1328 hci_pi(sk)->channel = haddr.hci_channel;
1330 if (!hci_sock_gen_cookie(sk)) {
1331 /* In the case when a cookie has already been assigned,
1332 * this socket will transition from a raw socket into
1333 * a user channel socket. For a clean transition, send
1334 * the close notification first.
1336 skb = create_monitor_ctrl_close(sk);
1338 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1339 HCI_SOCK_TRUSTED, NULL);
1344 /* The user channel is restricted to CAP_NET_ADMIN
1345 * capabilities and with that implicitly trusted.
1347 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1349 hci_pi(sk)->hdev = hdev;
1351 /* Send event to monitor */
1352 skb = create_monitor_ctrl_open(sk);
1354 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1355 HCI_SOCK_TRUSTED, NULL);
1359 atomic_inc(&hdev->promisc);
1362 case HCI_CHANNEL_MONITOR:
1363 if (haddr.hci_dev != HCI_DEV_NONE) {
1368 if (!capable(CAP_NET_RAW)) {
1373 hci_pi(sk)->channel = haddr.hci_channel;
1375 /* The monitor interface is restricted to CAP_NET_RAW
1376 * capabilities and with that implicitly trusted.
1378 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1380 send_monitor_note(sk, "Linux version %s (%s)",
1381 init_utsname()->release,
1382 init_utsname()->machine);
1383 send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1384 BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1385 send_monitor_replay(sk);
1386 send_monitor_control_replay(sk);
1388 atomic_inc(&monitor_promisc);
1391 case HCI_CHANNEL_LOGGING:
1392 if (haddr.hci_dev != HCI_DEV_NONE) {
1397 if (!capable(CAP_NET_ADMIN)) {
1402 hci_pi(sk)->channel = haddr.hci_channel;
1406 if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1411 if (haddr.hci_dev != HCI_DEV_NONE) {
1416 /* Users with CAP_NET_ADMIN capabilities are allowed
1417 * access to all management commands and events. For
1418 * untrusted users the interface is restricted and
1419 * also only untrusted events are sent.
1421 if (capable(CAP_NET_ADMIN))
1422 hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1424 hci_pi(sk)->channel = haddr.hci_channel;
1426 /* At the moment the index and unconfigured index events
1427 * are enabled unconditionally. Setting them on each
1428 * socket when binding keeps this functionality. They
1429 * however might be cleared later and then sending of these
1430 * events will be disabled, but that is then intentional.
1432 * This also enables generic events that are safe to be
1433 * received by untrusted users. Example for such events
1434 * are changes to settings, class of device, name etc.
1436 if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1437 if (!hci_sock_gen_cookie(sk)) {
1438 /* In the case when a cookie has already been
1439 * assigned, this socket will transition from
1440 * a raw socket into a control socket. To
1441 * allow for a clean transition, send the
1442 * close notification first.
1444 skb = create_monitor_ctrl_close(sk);
1446 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1447 HCI_SOCK_TRUSTED, NULL);
1452 /* Send event to monitor */
1453 skb = create_monitor_ctrl_open(sk);
1455 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1456 HCI_SOCK_TRUSTED, NULL);
1460 hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1461 hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1462 hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1463 hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1464 hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1465 hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1470 /* Default MTU to HCI_MAX_FRAME_SIZE if not set */
1471 if (!hci_pi(sk)->mtu)
1472 hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE;
1474 sk->sk_state = BT_BOUND;
1481 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
1484 struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
1485 struct sock *sk = sock->sk;
1486 struct hci_dev *hdev;
1489 BT_DBG("sock %p sk %p", sock, sk);
1496 hdev = hci_hdev_from_sock(sk);
1498 err = PTR_ERR(hdev);
1502 haddr->hci_family = AF_BLUETOOTH;
1503 haddr->hci_dev = hdev->id;
1504 haddr->hci_channel= hci_pi(sk)->channel;
1505 err = sizeof(*haddr);
1512 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1513 struct sk_buff *skb)
1515 __u8 mask = hci_pi(sk)->cmsg_mask;
1517 if (mask & HCI_CMSG_DIR) {
1518 int incoming = bt_cb(skb)->incoming;
1519 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1523 if (mask & HCI_CMSG_TSTAMP) {
1524 #ifdef CONFIG_COMPAT
1525 struct old_timeval32 ctv;
1527 struct __kernel_old_timeval tv;
1531 skb_get_timestamp(skb, &tv);
1535 #ifdef CONFIG_COMPAT
1536 if (!COMPAT_USE_64BIT_TIME &&
1537 (msg->msg_flags & MSG_CMSG_COMPAT)) {
1538 ctv.tv_sec = tv.tv_sec;
1539 ctv.tv_usec = tv.tv_usec;
1545 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1549 static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1550 size_t len, int flags)
1552 struct scm_cookie scm;
1553 struct sock *sk = sock->sk;
1554 struct sk_buff *skb;
1556 unsigned int skblen;
1558 BT_DBG("sock %p, sk %p", sock, sk);
1560 if (flags & MSG_OOB)
1563 if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1566 if (sk->sk_state == BT_CLOSED)
1569 skb = skb_recv_datagram(sk, flags, &err);
1576 msg->msg_flags |= MSG_TRUNC;
1580 skb_reset_transport_header(skb);
1581 err = skb_copy_datagram_msg(skb, 0, msg, copied);
1583 switch (hci_pi(sk)->channel) {
1584 case HCI_CHANNEL_RAW:
1585 hci_sock_cmsg(sk, msg, skb);
1587 case HCI_CHANNEL_USER:
1588 case HCI_CHANNEL_MONITOR:
1589 sock_recv_timestamp(msg, sk, skb);
1592 if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1593 sock_recv_timestamp(msg, sk, skb);
1597 memset(&scm, 0, sizeof(scm));
1598 scm.creds = bt_cb(skb)->creds;
1600 skb_free_datagram(sk, skb);
1602 if (flags & MSG_TRUNC)
1605 scm_recv(sock, msg, &scm, flags);
1607 return err ? : copied;
1610 static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1611 struct sk_buff *skb)
1614 struct mgmt_hdr *hdr;
1615 u16 opcode, index, len;
1616 struct hci_dev *hdev = NULL;
1617 const struct hci_mgmt_handler *handler;
1618 bool var_len, no_hdev;
1621 BT_DBG("got %d bytes", skb->len);
1623 if (skb->len < sizeof(*hdr))
1626 hdr = (void *)skb->data;
1627 opcode = __le16_to_cpu(hdr->opcode);
1628 index = __le16_to_cpu(hdr->index);
1629 len = __le16_to_cpu(hdr->len);
1631 if (len != skb->len - sizeof(*hdr)) {
1636 if (chan->channel == HCI_CHANNEL_CONTROL) {
1637 struct sk_buff *cmd;
1639 /* Send event to monitor */
1640 cmd = create_monitor_ctrl_command(sk, index, opcode, len,
1641 skb->data + sizeof(*hdr));
1643 hci_send_to_channel(HCI_CHANNEL_MONITOR, cmd,
1644 HCI_SOCK_TRUSTED, NULL);
1649 if (opcode >= chan->handler_count ||
1650 chan->handlers[opcode].func == NULL) {
1651 BT_DBG("Unknown op %u", opcode);
1652 err = mgmt_cmd_status(sk, index, opcode,
1653 MGMT_STATUS_UNKNOWN_COMMAND);
1657 handler = &chan->handlers[opcode];
1659 if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1660 !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1661 err = mgmt_cmd_status(sk, index, opcode,
1662 MGMT_STATUS_PERMISSION_DENIED);
1666 if (index != MGMT_INDEX_NONE) {
1667 hdev = hci_dev_get(index);
1669 err = mgmt_cmd_status(sk, index, opcode,
1670 MGMT_STATUS_INVALID_INDEX);
1674 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1675 hci_dev_test_flag(hdev, HCI_CONFIG) ||
1676 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1677 err = mgmt_cmd_status(sk, index, opcode,
1678 MGMT_STATUS_INVALID_INDEX);
1682 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1683 !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1684 err = mgmt_cmd_status(sk, index, opcode,
1685 MGMT_STATUS_INVALID_INDEX);
1690 if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) {
1691 no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1692 if (no_hdev != !hdev) {
1693 err = mgmt_cmd_status(sk, index, opcode,
1694 MGMT_STATUS_INVALID_INDEX);
1699 var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1700 if ((var_len && len < handler->data_len) ||
1701 (!var_len && len != handler->data_len)) {
1702 err = mgmt_cmd_status(sk, index, opcode,
1703 MGMT_STATUS_INVALID_PARAMS);
1707 if (hdev && chan->hdev_init)
1708 chan->hdev_init(sk, hdev);
1710 cp = skb->data + sizeof(*hdr);
1712 err = handler->func(sk, hdev, cp, len);
1725 static int hci_logging_frame(struct sock *sk, struct sk_buff *skb,
1728 struct hci_mon_hdr *hdr;
1729 struct hci_dev *hdev;
1733 /* The logging frame consists at minimum of the standard header,
1734 * the priority byte, the ident length byte and at least one string
1735 * terminator NUL byte. Anything shorter are invalid packets.
1737 if (skb->len < sizeof(*hdr) + 3)
1740 hdr = (void *)skb->data;
1742 if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr))
1745 if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1746 __u8 priority = skb->data[sizeof(*hdr)];
1747 __u8 ident_len = skb->data[sizeof(*hdr) + 1];
1749 /* Only the priorities 0-7 are valid and with that any other
1750 * value results in an invalid packet.
1752 * The priority byte is followed by an ident length byte and
1753 * the NUL terminated ident string. Check that the ident
1754 * length is not overflowing the packet and also that the
1755 * ident string itself is NUL terminated. In case the ident
1756 * length is zero, the length value actually doubles as NUL
1757 * terminator identifier.
1759 * The message follows the ident string (if present) and
1760 * must be NUL terminated. Otherwise it is not a valid packet.
1762 if (priority > 7 || skb->data[skb->len - 1] != 0x00 ||
1763 ident_len > skb->len - sizeof(*hdr) - 3 ||
1764 skb->data[sizeof(*hdr) + ident_len + 1] != 0x00)
1770 index = __le16_to_cpu(hdr->index);
1772 if (index != MGMT_INDEX_NONE) {
1773 hdev = hci_dev_get(index);
1780 hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1782 hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1791 static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1794 struct sock *sk = sock->sk;
1795 struct hci_mgmt_chan *chan;
1796 struct hci_dev *hdev;
1797 struct sk_buff *skb;
1799 const unsigned int flags = msg->msg_flags;
1801 BT_DBG("sock %p sk %p", sock, sk);
1803 if (flags & MSG_OOB)
1806 if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
1809 if (len < 4 || len > hci_pi(sk)->mtu)
1812 skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0);
1814 return PTR_ERR(skb);
1818 switch (hci_pi(sk)->channel) {
1819 case HCI_CHANNEL_RAW:
1820 case HCI_CHANNEL_USER:
1822 case HCI_CHANNEL_MONITOR:
1825 case HCI_CHANNEL_LOGGING:
1826 err = hci_logging_frame(sk, skb, flags);
1829 mutex_lock(&mgmt_chan_list_lock);
1830 chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1832 err = hci_mgmt_cmd(chan, sk, skb);
1836 mutex_unlock(&mgmt_chan_list_lock);
1840 hdev = hci_hdev_from_sock(sk);
1842 err = PTR_ERR(hdev);
1846 if (!test_bit(HCI_UP, &hdev->flags)) {
1851 hci_skb_pkt_type(skb) = skb->data[0];
1854 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1855 /* No permission check is needed for user channel
1856 * since that gets enforced when binding the socket.
1858 * However check that the packet type is valid.
1860 if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1861 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1862 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1863 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1868 skb_queue_tail(&hdev->raw_q, skb);
1869 queue_work(hdev->workqueue, &hdev->tx_work);
1870 } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1871 u16 opcode = get_unaligned_le16(skb->data);
1872 u16 ogf = hci_opcode_ogf(opcode);
1873 u16 ocf = hci_opcode_ocf(opcode);
1875 if (((ogf > HCI_SFLT_MAX_OGF) ||
1876 !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1877 &hci_sec_filter.ocf_mask[ogf])) &&
1878 !capable(CAP_NET_RAW)) {
1883 /* Since the opcode has already been extracted here, store
1884 * a copy of the value for later use by the drivers.
1886 hci_skb_opcode(skb) = opcode;
1889 skb_queue_tail(&hdev->raw_q, skb);
1890 queue_work(hdev->workqueue, &hdev->tx_work);
1892 /* Stand-alone HCI commands must be flagged as
1893 * single-command requests.
1895 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1897 skb_queue_tail(&hdev->cmd_q, skb);
1898 queue_work(hdev->workqueue, &hdev->cmd_work);
1901 if (!capable(CAP_NET_RAW)) {
1906 if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1907 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1908 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1913 skb_queue_tail(&hdev->raw_q, skb);
1914 queue_work(hdev->workqueue, &hdev->tx_work);
1928 static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
1929 sockptr_t optval, unsigned int len)
1931 struct hci_ufilter uf = { .opcode = 0 };
1932 struct sock *sk = sock->sk;
1933 int err = 0, opt = 0;
1935 BT_DBG("sk %p, opt %d", sk, optname);
1939 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1946 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
1951 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1953 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1956 case HCI_TIME_STAMP:
1957 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
1962 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1964 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1969 struct hci_filter *f = &hci_pi(sk)->filter;
1971 uf.type_mask = f->type_mask;
1972 uf.opcode = f->opcode;
1973 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1974 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1977 err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len);
1981 if (!capable(CAP_NET_RAW)) {
1982 uf.type_mask &= hci_sec_filter.type_mask;
1983 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1984 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1988 struct hci_filter *f = &hci_pi(sk)->filter;
1990 f->type_mask = uf.type_mask;
1991 f->opcode = uf.opcode;
1992 *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1993 *((u32 *) f->event_mask + 1) = uf.event_mask[1];
2007 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
2008 sockptr_t optval, unsigned int len)
2010 struct sock *sk = sock->sk;
2014 BT_DBG("sk %p, opt %d", sk, optname);
2016 if (level == SOL_HCI)
2017 return hci_sock_setsockopt_old(sock, level, optname, optval,
2020 if (level != SOL_BLUETOOTH)
2021 return -ENOPROTOOPT;
2028 switch (hci_pi(sk)->channel) {
2029 /* Don't allow changing MTU for channels that are meant for HCI
2032 case HCI_CHANNEL_RAW:
2033 case HCI_CHANNEL_USER:
2038 err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
2042 hci_pi(sk)->mtu = opt;
2055 static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname,
2056 char __user *optval, int __user *optlen)
2058 struct hci_ufilter uf;
2059 struct sock *sk = sock->sk;
2060 int len, opt, err = 0;
2062 BT_DBG("sk %p, opt %d", sk, optname);
2064 if (get_user(len, optlen))
2069 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
2076 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
2081 if (put_user(opt, optval))
2085 case HCI_TIME_STAMP:
2086 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
2091 if (put_user(opt, optval))
2097 struct hci_filter *f = &hci_pi(sk)->filter;
2099 memset(&uf, 0, sizeof(uf));
2100 uf.type_mask = f->type_mask;
2101 uf.opcode = f->opcode;
2102 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
2103 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
2106 len = min_t(unsigned int, len, sizeof(uf));
2107 if (copy_to_user(optval, &uf, len))
2121 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
2122 char __user *optval, int __user *optlen)
2124 struct sock *sk = sock->sk;
2127 BT_DBG("sk %p, opt %d", sk, optname);
2129 if (level == SOL_HCI)
2130 return hci_sock_getsockopt_old(sock, level, optname, optval,
2133 if (level != SOL_BLUETOOTH)
2134 return -ENOPROTOOPT;
2141 if (put_user(hci_pi(sk)->mtu, (u16 __user *)optval))
2154 static void hci_sock_destruct(struct sock *sk)
2157 skb_queue_purge(&sk->sk_receive_queue);
2158 skb_queue_purge(&sk->sk_write_queue);
2161 static const struct proto_ops hci_sock_ops = {
2162 .family = PF_BLUETOOTH,
2163 .owner = THIS_MODULE,
2164 .release = hci_sock_release,
2165 .bind = hci_sock_bind,
2166 .getname = hci_sock_getname,
2167 .sendmsg = hci_sock_sendmsg,
2168 .recvmsg = hci_sock_recvmsg,
2169 .ioctl = hci_sock_ioctl,
2170 #ifdef CONFIG_COMPAT
2171 .compat_ioctl = hci_sock_compat_ioctl,
2173 .poll = datagram_poll,
2174 .listen = sock_no_listen,
2175 .shutdown = sock_no_shutdown,
2176 .setsockopt = hci_sock_setsockopt,
2177 .getsockopt = hci_sock_getsockopt,
2178 .connect = sock_no_connect,
2179 .socketpair = sock_no_socketpair,
2180 .accept = sock_no_accept,
2181 .mmap = sock_no_mmap
2184 static struct proto hci_sk_proto = {
2186 .owner = THIS_MODULE,
2187 .obj_size = sizeof(struct hci_pinfo)
2190 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
2195 BT_DBG("sock %p", sock);
2197 if (sock->type != SOCK_RAW)
2198 return -ESOCKTNOSUPPORT;
2200 sock->ops = &hci_sock_ops;
2202 sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC,
2207 sock->state = SS_UNCONNECTED;
2208 sk->sk_destruct = hci_sock_destruct;
2210 bt_sock_link(&hci_sk_list, sk);
2214 static const struct net_proto_family hci_sock_family_ops = {
2215 .family = PF_BLUETOOTH,
2216 .owner = THIS_MODULE,
2217 .create = hci_sock_create,
2220 int __init hci_sock_init(void)
2224 BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
2226 err = proto_register(&hci_sk_proto, 0);
2230 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
2232 BT_ERR("HCI socket registration failed");
2236 err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
2238 BT_ERR("Failed to create HCI proc file");
2239 bt_sock_unregister(BTPROTO_HCI);
2243 BT_INFO("HCI socket layer initialized");
2248 proto_unregister(&hci_sk_proto);
2252 void hci_sock_cleanup(void)
2254 bt_procfs_cleanup(&init_net, "hci");
2255 bt_sock_unregister(BTPROTO_HCI);
2256 proto_unregister(&hci_sk_proto);
projects / linux.git / blob