net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 static inline int hci_test_bit(int nr, void *addr)
  39 {
  40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  41 }
  42
  43 /* Security filter */
  44 static struct hci_sec_filter hci_sec_filter = {
  45         /* Packet types */
  46         0x10,
  47         /* Events */
  48         { 0x1000d9fe, 0x0000b00c },
  49         /* Commands */
  50         {
  51                 { 0x0 },
  52                 /* OGF_LINK_CTL */
  53                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  54                 /* OGF_LINK_POLICY */
  55                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  56                 /* OGF_HOST_CTL */
  57                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  58                 /* OGF_INFO_PARAM */
  59                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  60                 /* OGF_STATUS_PARAM */
  61                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  62         }
  63 };
  64
  65 static struct bt_sock_list hci_sk_list = {
  66         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  67 };
  68
  69 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
  70 {
  71         struct hci_filter *flt;
  72         int flt_type, flt_event;
  73
  74         /* Apply filter */
  75         flt = &hci_pi(sk)->filter;
  76
  77         if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT)
  78                 flt_type = 0;
  79         else
  80                 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS;
  81
  82         if (!test_bit(flt_type, &flt->type_mask))
  83                 return true;
  84
  85         /* Extra filter for event packets only */
  86         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT)
  87                 return false;
  88
  89         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
  90
  91         if (!hci_test_bit(flt_event, &flt->event_mask))
  92                 return true;
  93
  94         /* Check filter only when opcode is set */
  95         if (!flt->opcode)
  96                 return false;
  97
  98         if (flt_event == HCI_EV_CMD_COMPLETE &&
  99             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
 100                 return true;
 101
 102         if (flt_event == HCI_EV_CMD_STATUS &&
 103             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
 104                 return true;
 105
 106         return false;
 107 }
 108
 109 /* Send frame to RAW socket */
 110 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 111 {
 112         struct sock *sk;
 113         struct sk_buff *skb_copy = NULL;
 114
 115         BT_DBG("hdev %p len %d", hdev, skb->len);
 116
 117         read_lock(&hci_sk_list.lock);
 118
 119         sk_for_each(sk, &hci_sk_list.head) {
 120                 struct sk_buff *nskb;
 121
 122                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
 123                         continue;
 124
 125                 /* Don't send frame to the socket it came from */
 126                 if (skb->sk == sk)
 127                         continue;
 128
 129                 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
 130                         if (is_filtered_packet(sk, skb))
 131                                 continue;
 132                 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 133                         if (!bt_cb(skb)->incoming)
 134                                 continue;
 135                         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT &&
 136                             bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 137                             bt_cb(skb)->pkt_type != HCI_SCODATA_PKT)
 138                                 continue;
 139                 } else {
 140                         /* Don't send frame to other channel types */
 141                         continue;
 142                 }
 143
 144                 if (!skb_copy) {
 145                         /* Create a private copy with headroom */
 146                         skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
 147                         if (!skb_copy)
 148                                 continue;
 149
 150                         /* Put type byte before the data */
 151                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 152                 }
 153
 154                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 155                 if (!nskb)
 156                         continue;
 157
 158                 if (sock_queue_rcv_skb(sk, nskb))
 159                         kfree_skb(nskb);
 160         }
 161
 162         read_unlock(&hci_sk_list.lock);
 163
 164         kfree_skb(skb_copy);
 165 }
 166
 167 /* Send frame to control socket */
 168 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 169 {
 170         struct sock *sk;
 171
 172         BT_DBG("len %d", skb->len);
 173
 174         read_lock(&hci_sk_list.lock);
 175
 176         sk_for_each(sk, &hci_sk_list.head) {
 177                 struct sk_buff *nskb;
 178
 179                 /* Skip the original socket */
 180                 if (sk == skip_sk)
 181                         continue;
 182
 183                 if (sk->sk_state != BT_BOUND)
 184                         continue;
 185
 186                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 187                         continue;
 188
 189                 nskb = skb_clone(skb, GFP_ATOMIC);
 190                 if (!nskb)
 191                         continue;
 192
 193                 if (sock_queue_rcv_skb(sk, nskb))
 194                         kfree_skb(nskb);
 195         }
 196
 197         read_unlock(&hci_sk_list.lock);
 198 }
 199
 200 /* Send frame to monitor socket */
 201 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 202 {
 203         struct sock *sk;
 204         struct sk_buff *skb_copy = NULL;
 205         __le16 opcode;
 206
 207         if (!atomic_read(&monitor_promisc))
 208                 return;
 209
 210         BT_DBG("hdev %p len %d", hdev, skb->len);
 211
 212         switch (bt_cb(skb)->pkt_type) {
 213         case HCI_COMMAND_PKT:
 214                 opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
 215                 break;
 216         case HCI_EVENT_PKT:
 217                 opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
 218                 break;
 219         case HCI_ACLDATA_PKT:
 220                 if (bt_cb(skb)->incoming)
 221                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
 222                 else
 223                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
 224                 break;
 225         case HCI_SCODATA_PKT:
 226                 if (bt_cb(skb)->incoming)
 227                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
 228                 else
 229                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
 230                 break;
 231         default:
 232                 return;
 233         }
 234
 235         read_lock(&hci_sk_list.lock);
 236
 237         sk_for_each(sk, &hci_sk_list.head) {
 238                 struct sk_buff *nskb;
 239
 240                 if (sk->sk_state != BT_BOUND)
 241                         continue;
 242
 243                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 244                         continue;
 245
 246                 if (!skb_copy) {
 247                         struct hci_mon_hdr *hdr;
 248
 249                         /* Create a private copy with headroom */
 250                         skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
 251                                                GFP_ATOMIC);
 252                         if (!skb_copy)
 253                                 continue;
 254
 255                         /* Put header before the data */
 256                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 257                         hdr->opcode = opcode;
 258                         hdr->index = cpu_to_le16(hdev->id);
 259                         hdr->len = cpu_to_le16(skb->len);
 260                 }
 261
 262                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 263                 if (!nskb)
 264                         continue;
 265
 266                 if (sock_queue_rcv_skb(sk, nskb))
 267                         kfree_skb(nskb);
 268         }
 269
 270         read_unlock(&hci_sk_list.lock);
 271
 272         kfree_skb(skb_copy);
 273 }
 274
 275 static void send_monitor_event(struct sk_buff *skb)
 276 {
 277         struct sock *sk;
 278
 279         BT_DBG("len %d", skb->len);
 280
 281         read_lock(&hci_sk_list.lock);
 282
 283         sk_for_each(sk, &hci_sk_list.head) {
 284                 struct sk_buff *nskb;
 285
 286                 if (sk->sk_state != BT_BOUND)
 287                         continue;
 288
 289                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 290                         continue;
 291
 292                 nskb = skb_clone(skb, GFP_ATOMIC);
 293                 if (!nskb)
 294                         continue;
 295
 296                 if (sock_queue_rcv_skb(sk, nskb))
 297                         kfree_skb(nskb);
 298         }
 299
 300         read_unlock(&hci_sk_list.lock);
 301 }
 302
 303 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 304 {
 305         struct hci_mon_hdr *hdr;
 306         struct hci_mon_new_index *ni;
 307         struct sk_buff *skb;
 308         __le16 opcode;
 309
 310         switch (event) {
 311         case HCI_DEV_REG:
 312                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 313                 if (!skb)
 314                         return NULL;
 315
 316                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 317                 ni->type = hdev->dev_type;
 318                 ni->bus = hdev->bus;
 319                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 320                 memcpy(ni->name, hdev->name, 8);
 321
 322                 opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
 323                 break;
 324
 325         case HCI_DEV_UNREG:
 326                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 327                 if (!skb)
 328                         return NULL;
 329
 330                 opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
 331                 break;
 332
 333         default:
 334                 return NULL;
 335         }
 336
 337         __net_timestamp(skb);
 338
 339         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 340         hdr->opcode = opcode;
 341         hdr->index = cpu_to_le16(hdev->id);
 342         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 343
 344         return skb;
 345 }
 346
 347 static void send_monitor_replay(struct sock *sk)
 348 {
 349         struct hci_dev *hdev;
 350
 351         read_lock(&hci_dev_list_lock);
 352
 353         list_for_each_entry(hdev, &hci_dev_list, list) {
 354                 struct sk_buff *skb;
 355
 356                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 357                 if (!skb)
 358                         continue;
 359
 360                 if (sock_queue_rcv_skb(sk, skb))
 361                         kfree_skb(skb);
 362         }
 363
 364         read_unlock(&hci_dev_list_lock);
 365 }
 366
 367 /* Generate internal stack event */
 368 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 369 {
 370         struct hci_event_hdr *hdr;
 371         struct hci_ev_stack_internal *ev;
 372         struct sk_buff *skb;
 373
 374         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 375         if (!skb)
 376                 return;
 377
 378         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 379         hdr->evt  = HCI_EV_STACK_INTERNAL;
 380         hdr->plen = sizeof(*ev) + dlen;
 381
 382         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 383         ev->type = type;
 384         memcpy(ev->data, data, dlen);
 385
 386         bt_cb(skb)->incoming = 1;
 387         __net_timestamp(skb);
 388
 389         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 390         hci_send_to_sock(hdev, skb);
 391         kfree_skb(skb);
 392 }
 393
 394 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 395 {
 396         struct hci_ev_si_device ev;
 397
 398         BT_DBG("hdev %s event %d", hdev->name, event);
 399
 400         /* Send event to monitor */
 401         if (atomic_read(&monitor_promisc)) {
 402                 struct sk_buff *skb;
 403
 404                 skb = create_monitor_event(hdev, event);
 405                 if (skb) {
 406                         send_monitor_event(skb);
 407                         kfree_skb(skb);
 408                 }
 409         }
 410
 411         /* Send event to sockets */
 412         ev.event  = event;
 413         ev.dev_id = hdev->id;
 414         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 415
 416         if (event == HCI_DEV_UNREG) {
 417                 struct sock *sk;
 418
 419                 /* Detach sockets from device */
 420                 read_lock(&hci_sk_list.lock);
 421                 sk_for_each(sk, &hci_sk_list.head) {
 422                         bh_lock_sock_nested(sk);
 423                         if (hci_pi(sk)->hdev == hdev) {
 424                                 hci_pi(sk)->hdev = NULL;
 425                                 sk->sk_err = EPIPE;
 426                                 sk->sk_state = BT_OPEN;
 427                                 sk->sk_state_change(sk);
 428
 429                                 hci_dev_put(hdev);
 430                         }
 431                         bh_unlock_sock(sk);
 432                 }
 433                 read_unlock(&hci_sk_list.lock);
 434         }
 435 }
 436
 437 static int hci_sock_release(struct socket *sock)
 438 {
 439         struct sock *sk = sock->sk;
 440         struct hci_dev *hdev;
 441
 442         BT_DBG("sock %p sk %p", sock, sk);
 443
 444         if (!sk)
 445                 return 0;
 446
 447         hdev = hci_pi(sk)->hdev;
 448
 449         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 450                 atomic_dec(&monitor_promisc);
 451
 452         bt_sock_unlink(&hci_sk_list, sk);
 453
 454         if (hdev) {
 455                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 456                         mgmt_index_added(hdev);
 457                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 458                         hci_dev_close(hdev->id);
 459                 }
 460
 461                 atomic_dec(&hdev->promisc);
 462                 hci_dev_put(hdev);
 463         }
 464
 465         sock_orphan(sk);
 466
 467         skb_queue_purge(&sk->sk_receive_queue);
 468         skb_queue_purge(&sk->sk_write_queue);
 469
 470         sock_put(sk);
 471         return 0;
 472 }
 473
 474 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 475 {
 476         bdaddr_t bdaddr;
 477         int err;
 478
 479         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 480                 return -EFAULT;
 481
 482         hci_dev_lock(hdev);
 483
 484         err = hci_blacklist_add(hdev, &bdaddr, BDADDR_BREDR);
 485
 486         hci_dev_unlock(hdev);
 487
 488         return err;
 489 }
 490
 491 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 492 {
 493         bdaddr_t bdaddr;
 494         int err;
 495
 496         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 497                 return -EFAULT;
 498
 499         hci_dev_lock(hdev);
 500
 501         err = hci_blacklist_del(hdev, &bdaddr, BDADDR_BREDR);
 502
 503         hci_dev_unlock(hdev);
 504
 505         return err;
 506 }
 507
 508 /* Ioctls that require bound socket */
 509 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 510                                 unsigned long arg)
 511 {
 512         struct hci_dev *hdev = hci_pi(sk)->hdev;
 513
 514         if (!hdev)
 515                 return -EBADFD;
 516
 517         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
 518                 return -EBUSY;
 519
 520         if (hdev->dev_type != HCI_BREDR)
 521                 return -EOPNOTSUPP;
 522
 523         switch (cmd) {
 524         case HCISETRAW:
 525                 if (!capable(CAP_NET_ADMIN))
 526                         return -EPERM;
 527
 528                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 529                         return -EPERM;
 530
 531                 if (arg)
 532                         set_bit(HCI_RAW, &hdev->flags);
 533                 else
 534                         clear_bit(HCI_RAW, &hdev->flags);
 535
 536                 return 0;
 537
 538         case HCIGETCONNINFO:
 539                 return hci_get_conn_info(hdev, (void __user *) arg);
 540
 541         case HCIGETAUTHINFO:
 542                 return hci_get_auth_info(hdev, (void __user *) arg);
 543
 544         case HCIBLOCKADDR:
 545                 if (!capable(CAP_NET_ADMIN))
 546                         return -EPERM;
 547                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 548
 549         case HCIUNBLOCKADDR:
 550                 if (!capable(CAP_NET_ADMIN))
 551                         return -EPERM;
 552                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 553         }
 554
 555         return -ENOIOCTLCMD;
 556 }
 557
 558 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 559                           unsigned long arg)
 560 {
 561         void __user *argp = (void __user *) arg;
 562         struct sock *sk = sock->sk;
 563         int err;
 564
 565         BT_DBG("cmd %x arg %lx", cmd, arg);
 566
 567         lock_sock(sk);
 568
 569         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 570                 err = -EBADFD;
 571                 goto done;
 572         }
 573
 574         release_sock(sk);
 575
 576         switch (cmd) {
 577         case HCIGETDEVLIST:
 578                 return hci_get_dev_list(argp);
 579
 580         case HCIGETDEVINFO:
 581                 return hci_get_dev_info(argp);
 582
 583         case HCIGETCONNLIST:
 584                 return hci_get_conn_list(argp);
 585
 586         case HCIDEVUP:
 587                 if (!capable(CAP_NET_ADMIN))
 588                         return -EPERM;
 589                 return hci_dev_open(arg);
 590
 591         case HCIDEVDOWN:
 592                 if (!capable(CAP_NET_ADMIN))
 593                         return -EPERM;
 594                 return hci_dev_close(arg);
 595
 596         case HCIDEVRESET:
 597                 if (!capable(CAP_NET_ADMIN))
 598                         return -EPERM;
 599                 return hci_dev_reset(arg);
 600
 601         case HCIDEVRESTAT:
 602                 if (!capable(CAP_NET_ADMIN))
 603                         return -EPERM;
 604                 return hci_dev_reset_stat(arg);
 605
 606         case HCISETSCAN:
 607         case HCISETAUTH:
 608         case HCISETENCRYPT:
 609         case HCISETPTYPE:
 610         case HCISETLINKPOL:
 611         case HCISETLINKMODE:
 612         case HCISETACLMTU:
 613         case HCISETSCOMTU:
 614                 if (!capable(CAP_NET_ADMIN))
 615                         return -EPERM;
 616                 return hci_dev_cmd(cmd, argp);
 617
 618         case HCIINQUIRY:
 619                 return hci_inquiry(argp);
 620         }
 621
 622         lock_sock(sk);
 623
 624         err = hci_sock_bound_ioctl(sk, cmd, arg);
 625
 626 done:
 627         release_sock(sk);
 628         return err;
 629 }
 630
 631 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 632                          int addr_len)
 633 {
 634         struct sockaddr_hci haddr;
 635         struct sock *sk = sock->sk;
 636         struct hci_dev *hdev = NULL;
 637         int len, err = 0;
 638
 639         BT_DBG("sock %p sk %p", sock, sk);
 640
 641         if (!addr)
 642                 return -EINVAL;
 643
 644         memset(&haddr, 0, sizeof(haddr));
 645         len = min_t(unsigned int, sizeof(haddr), addr_len);
 646         memcpy(&haddr, addr, len);
 647
 648         if (haddr.hci_family != AF_BLUETOOTH)
 649                 return -EINVAL;
 650
 651         lock_sock(sk);
 652
 653         if (sk->sk_state == BT_BOUND) {
 654                 err = -EALREADY;
 655                 goto done;
 656         }
 657
 658         switch (haddr.hci_channel) {
 659         case HCI_CHANNEL_RAW:
 660                 if (hci_pi(sk)->hdev) {
 661                         err = -EALREADY;
 662                         goto done;
 663                 }
 664
 665                 if (haddr.hci_dev != HCI_DEV_NONE) {
 666                         hdev = hci_dev_get(haddr.hci_dev);
 667                         if (!hdev) {
 668                                 err = -ENODEV;
 669                                 goto done;
 670                         }
 671
 672                         atomic_inc(&hdev->promisc);
 673                 }
 674
 675                 hci_pi(sk)->hdev = hdev;
 676                 break;
 677
 678         case HCI_CHANNEL_USER:
 679                 if (hci_pi(sk)->hdev) {
 680                         err = -EALREADY;
 681                         goto done;
 682                 }
 683
 684                 if (haddr.hci_dev == HCI_DEV_NONE) {
 685                         err = -EINVAL;
 686                         goto done;
 687                 }
 688
 689                 if (!capable(CAP_NET_ADMIN)) {
 690                         err = -EPERM;
 691                         goto done;
 692                 }
 693
 694                 hdev = hci_dev_get(haddr.hci_dev);
 695                 if (!hdev) {
 696                         err = -ENODEV;
 697                         goto done;
 698                 }
 699
 700                 if (test_bit(HCI_UP, &hdev->flags) ||
 701                     test_bit(HCI_INIT, &hdev->flags) ||
 702                     test_bit(HCI_SETUP, &hdev->dev_flags)) {
 703                         err = -EBUSY;
 704                         hci_dev_put(hdev);
 705                         goto done;
 706                 }
 707
 708                 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
 709                         err = -EUSERS;
 710                         hci_dev_put(hdev);
 711                         goto done;
 712                 }
 713
 714                 mgmt_index_removed(hdev);
 715
 716                 err = hci_dev_open(hdev->id);
 717                 if (err) {
 718                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 719                         hci_dev_put(hdev);
 720                         goto done;
 721                 }
 722
 723                 atomic_inc(&hdev->promisc);
 724
 725                 hci_pi(sk)->hdev = hdev;
 726                 break;
 727
 728         case HCI_CHANNEL_CONTROL:
 729                 if (haddr.hci_dev != HCI_DEV_NONE) {
 730                         err = -EINVAL;
 731                         goto done;
 732                 }
 733
 734                 if (!capable(CAP_NET_ADMIN)) {
 735                         err = -EPERM;
 736                         goto done;
 737                 }
 738
 739                 break;
 740
 741         case HCI_CHANNEL_MONITOR:
 742                 if (haddr.hci_dev != HCI_DEV_NONE) {
 743                         err = -EINVAL;
 744                         goto done;
 745                 }
 746
 747                 if (!capable(CAP_NET_RAW)) {
 748                         err = -EPERM;
 749                         goto done;
 750                 }
 751
 752                 send_monitor_replay(sk);
 753
 754                 atomic_inc(&monitor_promisc);
 755                 break;
 756
 757         default:
 758                 err = -EINVAL;
 759                 goto done;
 760         }
 761
 762
 763         hci_pi(sk)->channel = haddr.hci_channel;
 764         sk->sk_state = BT_BOUND;
 765
 766 done:
 767         release_sock(sk);
 768         return err;
 769 }
 770
 771 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 772                             int *addr_len, int peer)
 773 {
 774         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 775         struct sock *sk = sock->sk;
 776         struct hci_dev *hdev;
 777         int err = 0;
 778
 779         BT_DBG("sock %p sk %p", sock, sk);
 780
 781         if (peer)
 782                 return -EOPNOTSUPP;
 783
 784         lock_sock(sk);
 785
 786         hdev = hci_pi(sk)->hdev;
 787         if (!hdev) {
 788                 err = -EBADFD;
 789                 goto done;
 790         }
 791
 792         *addr_len = sizeof(*haddr);
 793         haddr->hci_family = AF_BLUETOOTH;
 794         haddr->hci_dev    = hdev->id;
 795         haddr->hci_channel= hci_pi(sk)->channel;
 796
 797 done:
 798         release_sock(sk);
 799         return err;
 800 }
 801
 802 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 803                           struct sk_buff *skb)
 804 {
 805         __u32 mask = hci_pi(sk)->cmsg_mask;
 806
 807         if (mask & HCI_CMSG_DIR) {
 808                 int incoming = bt_cb(skb)->incoming;
 809                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 810                          &incoming);
 811         }
 812
 813         if (mask & HCI_CMSG_TSTAMP) {
 814 #ifdef CONFIG_COMPAT
 815                 struct compat_timeval ctv;
 816 #endif
 817                 struct timeval tv;
 818                 void *data;
 819                 int len;
 820
 821                 skb_get_timestamp(skb, &tv);
 822
 823                 data = &tv;
 824                 len = sizeof(tv);
 825 #ifdef CONFIG_COMPAT
 826                 if (!COMPAT_USE_64BIT_TIME &&
 827                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 828                         ctv.tv_sec = tv.tv_sec;
 829                         ctv.tv_usec = tv.tv_usec;
 830                         data = &ctv;
 831                         len = sizeof(ctv);
 832                 }
 833 #endif
 834
 835                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 836         }
 837 }
 838
 839 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 840                             struct msghdr *msg, size_t len, int flags)
 841 {
 842         int noblock = flags & MSG_DONTWAIT;
 843         struct sock *sk = sock->sk;
 844         struct sk_buff *skb;
 845         int copied, err;
 846
 847         BT_DBG("sock %p, sk %p", sock, sk);
 848
 849         if (flags & (MSG_OOB))
 850                 return -EOPNOTSUPP;
 851
 852         if (sk->sk_state == BT_CLOSED)
 853                 return 0;
 854
 855         skb = skb_recv_datagram(sk, flags, noblock, &err);
 856         if (!skb)
 857                 return err;
 858
 859         copied = skb->len;
 860         if (len < copied) {
 861                 msg->msg_flags |= MSG_TRUNC;
 862                 copied = len;
 863         }
 864
 865         skb_reset_transport_header(skb);
 866         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 867
 868         switch (hci_pi(sk)->channel) {
 869         case HCI_CHANNEL_RAW:
 870                 hci_sock_cmsg(sk, msg, skb);
 871                 break;
 872         case HCI_CHANNEL_USER:
 873         case HCI_CHANNEL_CONTROL:
 874         case HCI_CHANNEL_MONITOR:
 875                 sock_recv_timestamp(msg, sk, skb);
 876                 break;
 877         }
 878
 879         skb_free_datagram(sk, skb);
 880
 881         return err ? : copied;
 882 }
 883
 884 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 885                             struct msghdr *msg, size_t len)
 886 {
 887         struct sock *sk = sock->sk;
 888         struct hci_dev *hdev;
 889         struct sk_buff *skb;
 890         int err;
 891
 892         BT_DBG("sock %p sk %p", sock, sk);
 893
 894         if (msg->msg_flags & MSG_OOB)
 895                 return -EOPNOTSUPP;
 896
 897         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 898                 return -EINVAL;
 899
 900         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 901                 return -EINVAL;
 902
 903         lock_sock(sk);
 904
 905         switch (hci_pi(sk)->channel) {
 906         case HCI_CHANNEL_RAW:
 907         case HCI_CHANNEL_USER:
 908                 break;
 909         case HCI_CHANNEL_CONTROL:
 910                 err = mgmt_control(sk, msg, len);
 911                 goto done;
 912         case HCI_CHANNEL_MONITOR:
 913                 err = -EOPNOTSUPP;
 914                 goto done;
 915         default:
 916                 err = -EINVAL;
 917                 goto done;
 918         }
 919
 920         hdev = hci_pi(sk)->hdev;
 921         if (!hdev) {
 922                 err = -EBADFD;
 923                 goto done;
 924         }
 925
 926         if (!test_bit(HCI_UP, &hdev->flags)) {
 927                 err = -ENETDOWN;
 928                 goto done;
 929         }
 930
 931         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 932         if (!skb)
 933                 goto done;
 934
 935         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 936                 err = -EFAULT;
 937                 goto drop;
 938         }
 939
 940         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 941         skb_pull(skb, 1);
 942
 943         if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 944                 /* No permission check is needed for user channel
 945                  * since that gets enforced when binding the socket.
 946                  *
 947                  * However check that the packet type is valid.
 948                  */
 949                 if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
 950                     bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 951                     bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
 952                         err = -EINVAL;
 953                         goto drop;
 954                 }
 955
 956                 skb_queue_tail(&hdev->raw_q, skb);
 957                 queue_work(hdev->workqueue, &hdev->tx_work);
 958         } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 959                 u16 opcode = get_unaligned_le16(skb->data);
 960                 u16 ogf = hci_opcode_ogf(opcode);
 961                 u16 ocf = hci_opcode_ocf(opcode);
 962
 963                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 964                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 965                                    &hci_sec_filter.ocf_mask[ogf])) &&
 966                     !capable(CAP_NET_RAW)) {
 967                         err = -EPERM;
 968                         goto drop;
 969                 }
 970
 971                 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
 972                         skb_queue_tail(&hdev->raw_q, skb);
 973                         queue_work(hdev->workqueue, &hdev->tx_work);
 974                 } else {
 975                         /* Stand-alone HCI commands must be flaged as
 976                          * single-command requests.
 977                          */
 978                         bt_cb(skb)->req.start = true;
 979
 980                         skb_queue_tail(&hdev->cmd_q, skb);
 981                         queue_work(hdev->workqueue, &hdev->cmd_work);
 982                 }
 983         } else {
 984                 if (!capable(CAP_NET_RAW)) {
 985                         err = -EPERM;
 986                         goto drop;
 987                 }
 988
 989                 skb_queue_tail(&hdev->raw_q, skb);
 990                 queue_work(hdev->workqueue, &hdev->tx_work);
 991         }
 992
 993         err = len;
 994
 995 done:
 996         release_sock(sk);
 997         return err;
 998
 999 drop:
1000         kfree_skb(skb);
1001         goto done;
1002 }
1003
1004 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1005                                char __user *optval, unsigned int len)
1006 {
1007         struct hci_ufilter uf = { .opcode = 0 };
1008         struct sock *sk = sock->sk;
1009         int err = 0, opt = 0;
1010
1011         BT_DBG("sk %p, opt %d", sk, optname);
1012
1013         lock_sock(sk);
1014
1015         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1016                 err = -EBADFD;
1017                 goto done;
1018         }
1019
1020         switch (optname) {
1021         case HCI_DATA_DIR:
1022                 if (get_user(opt, (int __user *)optval)) {
1023                         err = -EFAULT;
1024                         break;
1025                 }
1026
1027                 if (opt)
1028                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1029                 else
1030                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1031                 break;
1032
1033         case HCI_TIME_STAMP:
1034                 if (get_user(opt, (int __user *)optval)) {
1035                         err = -EFAULT;
1036                         break;
1037                 }
1038
1039                 if (opt)
1040                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1041                 else
1042                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1043                 break;
1044
1045         case HCI_FILTER:
1046                 {
1047                         struct hci_filter *f = &hci_pi(sk)->filter;
1048
1049                         uf.type_mask = f->type_mask;
1050                         uf.opcode    = f->opcode;
1051                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1052                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1053                 }
1054
1055                 len = min_t(unsigned int, len, sizeof(uf));
1056                 if (copy_from_user(&uf, optval, len)) {
1057                         err = -EFAULT;
1058                         break;
1059                 }
1060
1061                 if (!capable(CAP_NET_RAW)) {
1062                         uf.type_mask &= hci_sec_filter.type_mask;
1063                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1064                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1065                 }
1066
1067                 {
1068                         struct hci_filter *f = &hci_pi(sk)->filter;
1069
1070                         f->type_mask = uf.type_mask;
1071                         f->opcode    = uf.opcode;
1072                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1073                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1074                 }
1075                 break;
1076
1077         default:
1078                 err = -ENOPROTOOPT;
1079                 break;
1080         }
1081
1082 done:
1083         release_sock(sk);
1084         return err;
1085 }
1086
1087 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1088                                char __user *optval, int __user *optlen)
1089 {
1090         struct hci_ufilter uf;
1091         struct sock *sk = sock->sk;
1092         int len, opt, err = 0;
1093
1094         BT_DBG("sk %p, opt %d", sk, optname);
1095
1096         if (get_user(len, optlen))
1097                 return -EFAULT;
1098
1099         lock_sock(sk);
1100
1101         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1102                 err = -EBADFD;
1103                 goto done;
1104         }
1105
1106         switch (optname) {
1107         case HCI_DATA_DIR:
1108                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1109                         opt = 1;
1110                 else
1111                         opt = 0;
1112
1113                 if (put_user(opt, optval))
1114                         err = -EFAULT;
1115                 break;
1116
1117         case HCI_TIME_STAMP:
1118                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1119                         opt = 1;
1120                 else
1121                         opt = 0;
1122
1123                 if (put_user(opt, optval))
1124                         err = -EFAULT;
1125                 break;
1126
1127         case HCI_FILTER:
1128                 {
1129                         struct hci_filter *f = &hci_pi(sk)->filter;
1130
1131                         memset(&uf, 0, sizeof(uf));
1132                         uf.type_mask = f->type_mask;
1133                         uf.opcode    = f->opcode;
1134                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1135                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1136                 }
1137
1138                 len = min_t(unsigned int, len, sizeof(uf));
1139                 if (copy_to_user(optval, &uf, len))
1140                         err = -EFAULT;
1141                 break;
1142
1143         default:
1144                 err = -ENOPROTOOPT;
1145                 break;
1146         }
1147
1148 done:
1149         release_sock(sk);
1150         return err;
1151 }
1152
1153 static const struct proto_ops hci_sock_ops = {
1154         .family         = PF_BLUETOOTH,
1155         .owner          = THIS_MODULE,
1156         .release        = hci_sock_release,
1157         .bind           = hci_sock_bind,
1158         .getname        = hci_sock_getname,
1159         .sendmsg        = hci_sock_sendmsg,
1160         .recvmsg        = hci_sock_recvmsg,
1161         .ioctl          = hci_sock_ioctl,
1162         .poll           = datagram_poll,
1163         .listen         = sock_no_listen,
1164         .shutdown       = sock_no_shutdown,
1165         .setsockopt     = hci_sock_setsockopt,
1166         .getsockopt     = hci_sock_getsockopt,
1167         .connect        = sock_no_connect,
1168         .socketpair     = sock_no_socketpair,
1169         .accept         = sock_no_accept,
1170         .mmap           = sock_no_mmap
1171 };
1172
1173 static struct proto hci_sk_proto = {
1174         .name           = "HCI",
1175         .owner          = THIS_MODULE,
1176         .obj_size       = sizeof(struct hci_pinfo)
1177 };
1178
1179 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1180                            int kern)
1181 {
1182         struct sock *sk;
1183
1184         BT_DBG("sock %p", sock);
1185
1186         if (sock->type != SOCK_RAW)
1187                 return -ESOCKTNOSUPPORT;
1188
1189         sock->ops = &hci_sock_ops;
1190
1191         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1192         if (!sk)
1193                 return -ENOMEM;
1194
1195         sock_init_data(sock, sk);
1196
1197         sock_reset_flag(sk, SOCK_ZAPPED);
1198
1199         sk->sk_protocol = protocol;
1200
1201         sock->state = SS_UNCONNECTED;
1202         sk->sk_state = BT_OPEN;
1203
1204         bt_sock_link(&hci_sk_list, sk);
1205         return 0;
1206 }
1207
1208 static const struct net_proto_family hci_sock_family_ops = {
1209         .family = PF_BLUETOOTH,
1210         .owner  = THIS_MODULE,
1211         .create = hci_sock_create,
1212 };
1213
1214 int __init hci_sock_init(void)
1215 {
1216         int err;
1217
1218         err = proto_register(&hci_sk_proto, 0);
1219         if (err < 0)
1220                 return err;
1221
1222         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1223         if (err < 0) {
1224                 BT_ERR("HCI socket registration failed");
1225                 goto error;
1226         }
1227
1228         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1229         if (err < 0) {
1230                 BT_ERR("Failed to create HCI proc file");
1231                 bt_sock_unregister(BTPROTO_HCI);
1232                 goto error;
1233         }
1234
1235         BT_INFO("HCI socket layer initialized");
1236
1237         return 0;
1238
1239 error:
1240         proto_unregister(&hci_sk_proto);
1241         return err;
1242 }
1243
1244 void hci_sock_cleanup(void)
1245 {
1246         bt_procfs_cleanup(&init_net, "hci");
1247         bt_sock_unregister(BTPROTO_HCI);
1248         proto_unregister(&hci_sk_proto);
1249 }