| xj | b04a402 | 2021-11-25 15:01:52 +0800 | [diff] [blame] | 1 | /* | 
|  | 2 | BlueZ - Bluetooth protocol stack for Linux | 
|  | 3 | Copyright (C) 2000-2001 Qualcomm Incorporated | 
|  | 4 |  | 
|  | 5 | Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> | 
|  | 6 |  | 
|  | 7 | This program is free software; you can redistribute it and/or modify | 
|  | 8 | it under the terms of the GNU General Public License version 2 as | 
|  | 9 | published by the Free Software Foundation; | 
|  | 10 |  | 
|  | 11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS | 
|  | 12 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | 
|  | 13 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. | 
|  | 14 | IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY | 
|  | 15 | CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES | 
|  | 16 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | 
|  | 17 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 
|  | 18 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 
|  | 19 |  | 
|  | 20 | ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, | 
|  | 21 | COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS | 
|  | 22 | SOFTWARE IS DISCLAIMED. | 
|  | 23 | */ | 
|  | 24 |  | 
|  | 25 | /* Bluetooth HCI sockets. */ | 
|  | 26 |  | 
|  | 27 | #include <linux/export.h> | 
|  | 28 | #include <linux/utsname.h> | 
|  | 29 | #include <linux/sched.h> | 
|  | 30 | #include <asm/unaligned.h> | 
|  | 31 |  | 
|  | 32 | #include <net/bluetooth/bluetooth.h> | 
|  | 33 | #include <net/bluetooth/hci_core.h> | 
|  | 34 | #include <net/bluetooth/hci_mon.h> | 
|  | 35 | #include <net/bluetooth/mgmt.h> | 
|  | 36 |  | 
|  | 37 | #include "mgmt_util.h" | 
|  | 38 |  | 
|  | 39 | static LIST_HEAD(mgmt_chan_list); | 
|  | 40 | static DEFINE_MUTEX(mgmt_chan_list_lock); | 
|  | 41 |  | 
|  | 42 | static DEFINE_IDA(sock_cookie_ida); | 
|  | 43 |  | 
|  | 44 | static atomic_t monitor_promisc = ATOMIC_INIT(0); | 
|  | 45 |  | 
|  | 46 | /* ----- HCI socket interface ----- */ | 
|  | 47 |  | 
|  | 48 | /* Socket info */ | 
|  | 49 | #define hci_pi(sk) ((struct hci_pinfo *) sk) | 
|  | 50 |  | 
|  | 51 | struct hci_pinfo { | 
|  | 52 | struct bt_sock    bt; | 
|  | 53 | struct hci_dev    *hdev; | 
|  | 54 | struct hci_filter filter; | 
|  | 55 | __u32             cmsg_mask; | 
|  | 56 | unsigned short    channel; | 
|  | 57 | unsigned long     flags; | 
|  | 58 | __u32             cookie; | 
|  | 59 | char              comm[TASK_COMM_LEN]; | 
|  | 60 | }; | 
|  | 61 |  | 
|  | 62 | void hci_sock_set_flag(struct sock *sk, int nr) | 
|  | 63 | { | 
|  | 64 | set_bit(nr, &hci_pi(sk)->flags); | 
|  | 65 | } | 
|  | 66 |  | 
|  | 67 | void hci_sock_clear_flag(struct sock *sk, int nr) | 
|  | 68 | { | 
|  | 69 | clear_bit(nr, &hci_pi(sk)->flags); | 
|  | 70 | } | 
|  | 71 |  | 
|  | 72 | int hci_sock_test_flag(struct sock *sk, int nr) | 
|  | 73 | { | 
|  | 74 | return test_bit(nr, &hci_pi(sk)->flags); | 
|  | 75 | } | 
|  | 76 |  | 
|  | 77 | unsigned short hci_sock_get_channel(struct sock *sk) | 
|  | 78 | { | 
|  | 79 | return hci_pi(sk)->channel; | 
|  | 80 | } | 
|  | 81 |  | 
|  | 82 | u32 hci_sock_get_cookie(struct sock *sk) | 
|  | 83 | { | 
|  | 84 | return hci_pi(sk)->cookie; | 
|  | 85 | } | 
|  | 86 |  | 
|  | 87 | static bool hci_sock_gen_cookie(struct sock *sk) | 
|  | 88 | { | 
|  | 89 | int id = hci_pi(sk)->cookie; | 
|  | 90 |  | 
|  | 91 | if (!id) { | 
|  | 92 | id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL); | 
|  | 93 | if (id < 0) | 
|  | 94 | id = 0xffffffff; | 
|  | 95 |  | 
|  | 96 | hci_pi(sk)->cookie = id; | 
|  | 97 | get_task_comm(hci_pi(sk)->comm, current); | 
|  | 98 | return true; | 
|  | 99 | } | 
|  | 100 |  | 
|  | 101 | return false; | 
|  | 102 | } | 
|  | 103 |  | 
|  | 104 | static void hci_sock_free_cookie(struct sock *sk) | 
|  | 105 | { | 
|  | 106 | int id = hci_pi(sk)->cookie; | 
|  | 107 |  | 
|  | 108 | if (id) { | 
|  | 109 | hci_pi(sk)->cookie = 0xffffffff; | 
|  | 110 | ida_simple_remove(&sock_cookie_ida, id); | 
|  | 111 | } | 
|  | 112 | } | 
|  | 113 |  | 
|  | 114 | static inline int hci_test_bit(int nr, const void *addr) | 
|  | 115 | { | 
|  | 116 | return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); | 
|  | 117 | } | 
|  | 118 |  | 
|  | 119 | /* Security filter */ | 
|  | 120 | #define HCI_SFLT_MAX_OGF  5 | 
|  | 121 |  | 
|  | 122 | struct hci_sec_filter { | 
|  | 123 | __u32 type_mask; | 
|  | 124 | __u32 event_mask[2]; | 
|  | 125 | __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4]; | 
|  | 126 | }; | 
|  | 127 |  | 
|  | 128 | static const struct hci_sec_filter hci_sec_filter = { | 
|  | 129 | /* Packet types */ | 
|  | 130 | 0x10, | 
|  | 131 | /* Events */ | 
|  | 132 | { 0x1000d9fe, 0x0000b00c }, | 
|  | 133 | /* Commands */ | 
|  | 134 | { | 
|  | 135 | { 0x0 }, | 
|  | 136 | /* OGF_LINK_CTL */ | 
|  | 137 | { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, | 
|  | 138 | /* OGF_LINK_POLICY */ | 
|  | 139 | { 0x00005200, 0x00000000, 0x00000000, 0x00 }, | 
|  | 140 | /* OGF_HOST_CTL */ | 
|  | 141 | { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, | 
|  | 142 | /* OGF_INFO_PARAM */ | 
|  | 143 | { 0x000002be, 0x00000000, 0x00000000, 0x00 }, | 
|  | 144 | /* OGF_STATUS_PARAM */ | 
|  | 145 | { 0x000000ea, 0x00000000, 0x00000000, 0x00 } | 
|  | 146 | } | 
|  | 147 | }; | 
|  | 148 |  | 
|  | 149 | static struct bt_sock_list hci_sk_list = { | 
|  | 150 | .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) | 
|  | 151 | }; | 
|  | 152 |  | 
|  | 153 | static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) | 
|  | 154 | { | 
|  | 155 | struct hci_filter *flt; | 
|  | 156 | int flt_type, flt_event; | 
|  | 157 |  | 
|  | 158 | /* Apply filter */ | 
|  | 159 | flt = &hci_pi(sk)->filter; | 
|  | 160 |  | 
|  | 161 | flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS; | 
|  | 162 |  | 
|  | 163 | if (!test_bit(flt_type, &flt->type_mask)) | 
|  | 164 | return true; | 
|  | 165 |  | 
|  | 166 | /* Extra filter for event packets only */ | 
|  | 167 | if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT) | 
|  | 168 | return false; | 
|  | 169 |  | 
|  | 170 | flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); | 
|  | 171 |  | 
|  | 172 | if (!hci_test_bit(flt_event, &flt->event_mask)) | 
|  | 173 | return true; | 
|  | 174 |  | 
|  | 175 | /* Check filter only when opcode is set */ | 
|  | 176 | if (!flt->opcode) | 
|  | 177 | return false; | 
|  | 178 |  | 
|  | 179 | if (flt_event == HCI_EV_CMD_COMPLETE && | 
|  | 180 | flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) | 
|  | 181 | return true; | 
|  | 182 |  | 
|  | 183 | if (flt_event == HCI_EV_CMD_STATUS && | 
|  | 184 | flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) | 
|  | 185 | return true; | 
|  | 186 |  | 
|  | 187 | return false; | 
|  | 188 | } | 
|  | 189 |  | 
|  | 190 | /* Send frame to RAW socket */ | 
|  | 191 | void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) | 
|  | 192 | { | 
|  | 193 | struct sock *sk; | 
|  | 194 | struct sk_buff *skb_copy = NULL; | 
|  | 195 |  | 
|  | 196 | BT_DBG("hdev %p len %d", hdev, skb->len); | 
|  | 197 |  | 
|  | 198 | read_lock(&hci_sk_list.lock); | 
|  | 199 |  | 
|  | 200 | sk_for_each(sk, &hci_sk_list.head) { | 
|  | 201 | struct sk_buff *nskb; | 
|  | 202 |  | 
|  | 203 | if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) | 
|  | 204 | continue; | 
|  | 205 |  | 
|  | 206 | /* Don't send frame to the socket it came from */ | 
|  | 207 | if (skb->sk == sk) | 
|  | 208 | continue; | 
|  | 209 |  | 
|  | 210 | if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { | 
|  | 211 | if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && | 
|  | 212 | hci_skb_pkt_type(skb) != HCI_EVENT_PKT && | 
|  | 213 | hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && | 
|  | 214 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) | 
|  | 215 | continue; | 
|  | 216 | if (is_filtered_packet(sk, skb)) | 
|  | 217 | continue; | 
|  | 218 | } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { | 
|  | 219 | if (!bt_cb(skb)->incoming) | 
|  | 220 | continue; | 
|  | 221 | if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT && | 
|  | 222 | hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && | 
|  | 223 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) | 
|  | 224 | continue; | 
|  | 225 | } else { | 
|  | 226 | /* Don't send frame to other channel types */ | 
|  | 227 | continue; | 
|  | 228 | } | 
|  | 229 |  | 
|  | 230 | if (!skb_copy) { | 
|  | 231 | /* Create a private copy with headroom */ | 
|  | 232 | skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true); | 
|  | 233 | if (!skb_copy) | 
|  | 234 | continue; | 
|  | 235 |  | 
|  | 236 | /* Put type byte before the data */ | 
|  | 237 | memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1); | 
|  | 238 | } | 
|  | 239 |  | 
|  | 240 | nskb = skb_clone(skb_copy, GFP_ATOMIC); | 
|  | 241 | if (!nskb) | 
|  | 242 | continue; | 
|  | 243 |  | 
|  | 244 | if (sock_queue_rcv_skb(sk, nskb)) | 
|  | 245 | kfree_skb(nskb); | 
|  | 246 | } | 
|  | 247 |  | 
|  | 248 | read_unlock(&hci_sk_list.lock); | 
|  | 249 |  | 
|  | 250 | kfree_skb(skb_copy); | 
|  | 251 | } | 
|  | 252 |  | 
|  | 253 | /* Send frame to sockets with specific channel */ | 
|  | 254 | static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb, | 
|  | 255 | int flag, struct sock *skip_sk) | 
|  | 256 | { | 
|  | 257 | struct sock *sk; | 
|  | 258 |  | 
|  | 259 | BT_DBG("channel %u len %d", channel, skb->len); | 
|  | 260 |  | 
|  | 261 | sk_for_each(sk, &hci_sk_list.head) { | 
|  | 262 | struct sk_buff *nskb; | 
|  | 263 |  | 
|  | 264 | /* Ignore socket without the flag set */ | 
|  | 265 | if (!hci_sock_test_flag(sk, flag)) | 
|  | 266 | continue; | 
|  | 267 |  | 
|  | 268 | /* Skip the original socket */ | 
|  | 269 | if (sk == skip_sk) | 
|  | 270 | continue; | 
|  | 271 |  | 
|  | 272 | if (sk->sk_state != BT_BOUND) | 
|  | 273 | continue; | 
|  | 274 |  | 
|  | 275 | if (hci_pi(sk)->channel != channel) | 
|  | 276 | continue; | 
|  | 277 |  | 
|  | 278 | nskb = skb_clone(skb, GFP_ATOMIC); | 
|  | 279 | if (!nskb) | 
|  | 280 | continue; | 
|  | 281 |  | 
|  | 282 | if (sock_queue_rcv_skb(sk, nskb)) | 
|  | 283 | kfree_skb(nskb); | 
|  | 284 | } | 
|  | 285 |  | 
|  | 286 | } | 
|  | 287 |  | 
|  | 288 | void hci_send_to_channel(unsigned short channel, struct sk_buff *skb, | 
|  | 289 | int flag, struct sock *skip_sk) | 
|  | 290 | { | 
|  | 291 | read_lock(&hci_sk_list.lock); | 
|  | 292 | __hci_send_to_channel(channel, skb, flag, skip_sk); | 
|  | 293 | read_unlock(&hci_sk_list.lock); | 
|  | 294 | } | 
|  | 295 |  | 
|  | 296 | /* Send frame to monitor socket */ | 
|  | 297 | void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) | 
|  | 298 | { | 
|  | 299 | struct sk_buff *skb_copy = NULL; | 
|  | 300 | struct hci_mon_hdr *hdr; | 
|  | 301 | __le16 opcode; | 
|  | 302 |  | 
|  | 303 | if (!atomic_read(&monitor_promisc)) | 
|  | 304 | return; | 
|  | 305 |  | 
|  | 306 | BT_DBG("hdev %p len %d", hdev, skb->len); | 
|  | 307 |  | 
|  | 308 | switch (hci_skb_pkt_type(skb)) { | 
|  | 309 | case HCI_COMMAND_PKT: | 
|  | 310 | opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); | 
|  | 311 | break; | 
|  | 312 | case HCI_EVENT_PKT: | 
|  | 313 | opcode = cpu_to_le16(HCI_MON_EVENT_PKT); | 
|  | 314 | break; | 
|  | 315 | case HCI_ACLDATA_PKT: | 
|  | 316 | if (bt_cb(skb)->incoming) | 
|  | 317 | opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); | 
|  | 318 | else | 
|  | 319 | opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); | 
|  | 320 | break; | 
|  | 321 | case HCI_SCODATA_PKT: | 
|  | 322 | if (bt_cb(skb)->incoming) | 
|  | 323 | opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); | 
|  | 324 | else | 
|  | 325 | opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); | 
|  | 326 | break; | 
|  | 327 | case HCI_DIAG_PKT: | 
|  | 328 | opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG); | 
|  | 329 | break; | 
|  | 330 | default: | 
|  | 331 | return; | 
|  | 332 | } | 
|  | 333 |  | 
|  | 334 | /* Create a private copy with headroom */ | 
|  | 335 | skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true); | 
|  | 336 | if (!skb_copy) | 
|  | 337 | return; | 
|  | 338 |  | 
|  | 339 | /* Put header before the data */ | 
|  | 340 | hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE); | 
|  | 341 | hdr->opcode = opcode; | 
|  | 342 | hdr->index = cpu_to_le16(hdev->id); | 
|  | 343 | hdr->len = cpu_to_le16(skb->len); | 
|  | 344 |  | 
|  | 345 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy, | 
|  | 346 | HCI_SOCK_TRUSTED, NULL); | 
|  | 347 | kfree_skb(skb_copy); | 
|  | 348 | } | 
|  | 349 |  | 
|  | 350 | void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, | 
|  | 351 | void *data, u16 data_len, ktime_t tstamp, | 
|  | 352 | int flag, struct sock *skip_sk) | 
|  | 353 | { | 
|  | 354 | struct sock *sk; | 
|  | 355 | __le16 index; | 
|  | 356 |  | 
|  | 357 | if (hdev) | 
|  | 358 | index = cpu_to_le16(hdev->id); | 
|  | 359 | else | 
|  | 360 | index = cpu_to_le16(MGMT_INDEX_NONE); | 
|  | 361 |  | 
|  | 362 | read_lock(&hci_sk_list.lock); | 
|  | 363 |  | 
|  | 364 | sk_for_each(sk, &hci_sk_list.head) { | 
|  | 365 | struct hci_mon_hdr *hdr; | 
|  | 366 | struct sk_buff *skb; | 
|  | 367 |  | 
|  | 368 | if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) | 
|  | 369 | continue; | 
|  | 370 |  | 
|  | 371 | /* Ignore socket without the flag set */ | 
|  | 372 | if (!hci_sock_test_flag(sk, flag)) | 
|  | 373 | continue; | 
|  | 374 |  | 
|  | 375 | /* Skip the original socket */ | 
|  | 376 | if (sk == skip_sk) | 
|  | 377 | continue; | 
|  | 378 |  | 
|  | 379 | skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC); | 
|  | 380 | if (!skb) | 
|  | 381 | continue; | 
|  | 382 |  | 
|  | 383 | put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); | 
|  | 384 | put_unaligned_le16(event, skb_put(skb, 2)); | 
|  | 385 |  | 
|  | 386 | if (data) | 
|  | 387 | skb_put_data(skb, data, data_len); | 
|  | 388 |  | 
|  | 389 | skb->tstamp = tstamp; | 
|  | 390 |  | 
|  | 391 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); | 
|  | 392 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); | 
|  | 393 | hdr->index = index; | 
|  | 394 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); | 
|  | 395 |  | 
|  | 396 | __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 397 | HCI_SOCK_TRUSTED, NULL); | 
|  | 398 | kfree_skb(skb); | 
|  | 399 | } | 
|  | 400 |  | 
|  | 401 | read_unlock(&hci_sk_list.lock); | 
|  | 402 | } | 
|  | 403 |  | 
|  | 404 | static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) | 
|  | 405 | { | 
|  | 406 | struct hci_mon_hdr *hdr; | 
|  | 407 | struct hci_mon_new_index *ni; | 
|  | 408 | struct hci_mon_index_info *ii; | 
|  | 409 | struct sk_buff *skb; | 
|  | 410 | __le16 opcode; | 
|  | 411 |  | 
|  | 412 | switch (event) { | 
|  | 413 | case HCI_DEV_REG: | 
|  | 414 | skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); | 
|  | 415 | if (!skb) | 
|  | 416 | return NULL; | 
|  | 417 |  | 
|  | 418 | ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); | 
|  | 419 | ni->type = hdev->dev_type; | 
|  | 420 | ni->bus = hdev->bus; | 
|  | 421 | bacpy(&ni->bdaddr, &hdev->bdaddr); | 
|  | 422 | memcpy(ni->name, hdev->name, 8); | 
|  | 423 |  | 
|  | 424 | opcode = cpu_to_le16(HCI_MON_NEW_INDEX); | 
|  | 425 | break; | 
|  | 426 |  | 
|  | 427 | case HCI_DEV_UNREG: | 
|  | 428 | skb = bt_skb_alloc(0, GFP_ATOMIC); | 
|  | 429 | if (!skb) | 
|  | 430 | return NULL; | 
|  | 431 |  | 
|  | 432 | opcode = cpu_to_le16(HCI_MON_DEL_INDEX); | 
|  | 433 | break; | 
|  | 434 |  | 
|  | 435 | case HCI_DEV_SETUP: | 
|  | 436 | if (hdev->manufacturer == 0xffff) | 
|  | 437 | return NULL; | 
|  | 438 |  | 
|  | 439 | /* fall through */ | 
|  | 440 |  | 
|  | 441 | case HCI_DEV_UP: | 
|  | 442 | skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC); | 
|  | 443 | if (!skb) | 
|  | 444 | return NULL; | 
|  | 445 |  | 
|  | 446 | ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE); | 
|  | 447 | bacpy(&ii->bdaddr, &hdev->bdaddr); | 
|  | 448 | ii->manufacturer = cpu_to_le16(hdev->manufacturer); | 
|  | 449 |  | 
|  | 450 | opcode = cpu_to_le16(HCI_MON_INDEX_INFO); | 
|  | 451 | break; | 
|  | 452 |  | 
|  | 453 | case HCI_DEV_OPEN: | 
|  | 454 | skb = bt_skb_alloc(0, GFP_ATOMIC); | 
|  | 455 | if (!skb) | 
|  | 456 | return NULL; | 
|  | 457 |  | 
|  | 458 | opcode = cpu_to_le16(HCI_MON_OPEN_INDEX); | 
|  | 459 | break; | 
|  | 460 |  | 
|  | 461 | case HCI_DEV_CLOSE: | 
|  | 462 | skb = bt_skb_alloc(0, GFP_ATOMIC); | 
|  | 463 | if (!skb) | 
|  | 464 | return NULL; | 
|  | 465 |  | 
|  | 466 | opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX); | 
|  | 467 | break; | 
|  | 468 |  | 
|  | 469 | default: | 
|  | 470 | return NULL; | 
|  | 471 | } | 
|  | 472 |  | 
|  | 473 | __net_timestamp(skb); | 
|  | 474 |  | 
|  | 475 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); | 
|  | 476 | hdr->opcode = opcode; | 
|  | 477 | hdr->index = cpu_to_le16(hdev->id); | 
|  | 478 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); | 
|  | 479 |  | 
|  | 480 | return skb; | 
|  | 481 | } | 
|  | 482 |  | 
|  | 483 | static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) | 
|  | 484 | { | 
|  | 485 | struct hci_mon_hdr *hdr; | 
|  | 486 | struct sk_buff *skb; | 
|  | 487 | u16 format; | 
|  | 488 | u8 ver[3]; | 
|  | 489 | u32 flags; | 
|  | 490 |  | 
|  | 491 | /* No message needed when cookie is not present */ | 
|  | 492 | if (!hci_pi(sk)->cookie) | 
|  | 493 | return NULL; | 
|  | 494 |  | 
|  | 495 | switch (hci_pi(sk)->channel) { | 
|  | 496 | case HCI_CHANNEL_RAW: | 
|  | 497 | format = 0x0000; | 
|  | 498 | ver[0] = BT_SUBSYS_VERSION; | 
|  | 499 | put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); | 
|  | 500 | break; | 
|  | 501 | case HCI_CHANNEL_USER: | 
|  | 502 | format = 0x0001; | 
|  | 503 | ver[0] = BT_SUBSYS_VERSION; | 
|  | 504 | put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); | 
|  | 505 | break; | 
|  | 506 | case HCI_CHANNEL_CONTROL: | 
|  | 507 | format = 0x0002; | 
|  | 508 | mgmt_fill_version_info(ver); | 
|  | 509 | break; | 
|  | 510 | default: | 
|  | 511 | /* No message for unsupported format */ | 
|  | 512 | return NULL; | 
|  | 513 | } | 
|  | 514 |  | 
|  | 515 | skb = bt_skb_alloc(14 + TASK_COMM_LEN , GFP_ATOMIC); | 
|  | 516 | if (!skb) | 
|  | 517 | return NULL; | 
|  | 518 |  | 
|  | 519 | flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0; | 
|  | 520 |  | 
|  | 521 | put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); | 
|  | 522 | put_unaligned_le16(format, skb_put(skb, 2)); | 
|  | 523 | skb_put_data(skb, ver, sizeof(ver)); | 
|  | 524 | put_unaligned_le32(flags, skb_put(skb, 4)); | 
|  | 525 | skb_put_u8(skb, TASK_COMM_LEN); | 
|  | 526 | skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN); | 
|  | 527 |  | 
|  | 528 | __net_timestamp(skb); | 
|  | 529 |  | 
|  | 530 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); | 
|  | 531 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); | 
|  | 532 | if (hci_pi(sk)->hdev) | 
|  | 533 | hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); | 
|  | 534 | else | 
|  | 535 | hdr->index = cpu_to_le16(HCI_DEV_NONE); | 
|  | 536 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); | 
|  | 537 |  | 
|  | 538 | return skb; | 
|  | 539 | } | 
|  | 540 |  | 
|  | 541 | static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) | 
|  | 542 | { | 
|  | 543 | struct hci_mon_hdr *hdr; | 
|  | 544 | struct sk_buff *skb; | 
|  | 545 |  | 
|  | 546 | /* No message needed when cookie is not present */ | 
|  | 547 | if (!hci_pi(sk)->cookie) | 
|  | 548 | return NULL; | 
|  | 549 |  | 
|  | 550 | switch (hci_pi(sk)->channel) { | 
|  | 551 | case HCI_CHANNEL_RAW: | 
|  | 552 | case HCI_CHANNEL_USER: | 
|  | 553 | case HCI_CHANNEL_CONTROL: | 
|  | 554 | break; | 
|  | 555 | default: | 
|  | 556 | /* No message for unsupported format */ | 
|  | 557 | return NULL; | 
|  | 558 | } | 
|  | 559 |  | 
|  | 560 | skb = bt_skb_alloc(4, GFP_ATOMIC); | 
|  | 561 | if (!skb) | 
|  | 562 | return NULL; | 
|  | 563 |  | 
|  | 564 | put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); | 
|  | 565 |  | 
|  | 566 | __net_timestamp(skb); | 
|  | 567 |  | 
|  | 568 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); | 
|  | 569 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); | 
|  | 570 | if (hci_pi(sk)->hdev) | 
|  | 571 | hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); | 
|  | 572 | else | 
|  | 573 | hdr->index = cpu_to_le16(HCI_DEV_NONE); | 
|  | 574 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); | 
|  | 575 |  | 
|  | 576 | return skb; | 
|  | 577 | } | 
|  | 578 |  | 
|  | 579 | static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, | 
|  | 580 | u16 opcode, u16 len, | 
|  | 581 | const void *buf) | 
|  | 582 | { | 
|  | 583 | struct hci_mon_hdr *hdr; | 
|  | 584 | struct sk_buff *skb; | 
|  | 585 |  | 
|  | 586 | skb = bt_skb_alloc(6 + len, GFP_ATOMIC); | 
|  | 587 | if (!skb) | 
|  | 588 | return NULL; | 
|  | 589 |  | 
|  | 590 | put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); | 
|  | 591 | put_unaligned_le16(opcode, skb_put(skb, 2)); | 
|  | 592 |  | 
|  | 593 | if (buf) | 
|  | 594 | skb_put_data(skb, buf, len); | 
|  | 595 |  | 
|  | 596 | __net_timestamp(skb); | 
|  | 597 |  | 
|  | 598 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); | 
|  | 599 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); | 
|  | 600 | hdr->index = cpu_to_le16(index); | 
|  | 601 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); | 
|  | 602 |  | 
|  | 603 | return skb; | 
|  | 604 | } | 
|  | 605 |  | 
|  | 606 | static void __printf(2, 3) | 
|  | 607 | send_monitor_note(struct sock *sk, const char *fmt, ...) | 
|  | 608 | { | 
|  | 609 | size_t len; | 
|  | 610 | struct hci_mon_hdr *hdr; | 
|  | 611 | struct sk_buff *skb; | 
|  | 612 | va_list args; | 
|  | 613 |  | 
|  | 614 | va_start(args, fmt); | 
|  | 615 | len = vsnprintf(NULL, 0, fmt, args); | 
|  | 616 | va_end(args); | 
|  | 617 |  | 
|  | 618 | skb = bt_skb_alloc(len + 1, GFP_ATOMIC); | 
|  | 619 | if (!skb) | 
|  | 620 | return; | 
|  | 621 |  | 
|  | 622 | va_start(args, fmt); | 
|  | 623 | vsprintf(skb_put(skb, len), fmt, args); | 
|  | 624 | *(u8 *)skb_put(skb, 1) = 0; | 
|  | 625 | va_end(args); | 
|  | 626 |  | 
|  | 627 | __net_timestamp(skb); | 
|  | 628 |  | 
|  | 629 | hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); | 
|  | 630 | hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE); | 
|  | 631 | hdr->index = cpu_to_le16(HCI_DEV_NONE); | 
|  | 632 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); | 
|  | 633 |  | 
|  | 634 | if (sock_queue_rcv_skb(sk, skb)) | 
|  | 635 | kfree_skb(skb); | 
|  | 636 | } | 
|  | 637 |  | 
|  | 638 | static void send_monitor_replay(struct sock *sk) | 
|  | 639 | { | 
|  | 640 | struct hci_dev *hdev; | 
|  | 641 |  | 
|  | 642 | read_lock(&hci_dev_list_lock); | 
|  | 643 |  | 
|  | 644 | list_for_each_entry(hdev, &hci_dev_list, list) { | 
|  | 645 | struct sk_buff *skb; | 
|  | 646 |  | 
|  | 647 | skb = create_monitor_event(hdev, HCI_DEV_REG); | 
|  | 648 | if (!skb) | 
|  | 649 | continue; | 
|  | 650 |  | 
|  | 651 | if (sock_queue_rcv_skb(sk, skb)) | 
|  | 652 | kfree_skb(skb); | 
|  | 653 |  | 
|  | 654 | if (!test_bit(HCI_RUNNING, &hdev->flags)) | 
|  | 655 | continue; | 
|  | 656 |  | 
|  | 657 | skb = create_monitor_event(hdev, HCI_DEV_OPEN); | 
|  | 658 | if (!skb) | 
|  | 659 | continue; | 
|  | 660 |  | 
|  | 661 | if (sock_queue_rcv_skb(sk, skb)) | 
|  | 662 | kfree_skb(skb); | 
|  | 663 |  | 
|  | 664 | if (test_bit(HCI_UP, &hdev->flags)) | 
|  | 665 | skb = create_monitor_event(hdev, HCI_DEV_UP); | 
|  | 666 | else if (hci_dev_test_flag(hdev, HCI_SETUP)) | 
|  | 667 | skb = create_monitor_event(hdev, HCI_DEV_SETUP); | 
|  | 668 | else | 
|  | 669 | skb = NULL; | 
|  | 670 |  | 
|  | 671 | if (skb) { | 
|  | 672 | if (sock_queue_rcv_skb(sk, skb)) | 
|  | 673 | kfree_skb(skb); | 
|  | 674 | } | 
|  | 675 | } | 
|  | 676 |  | 
|  | 677 | read_unlock(&hci_dev_list_lock); | 
|  | 678 | } | 
|  | 679 |  | 
|  | 680 | static void send_monitor_control_replay(struct sock *mon_sk) | 
|  | 681 | { | 
|  | 682 | struct sock *sk; | 
|  | 683 |  | 
|  | 684 | read_lock(&hci_sk_list.lock); | 
|  | 685 |  | 
|  | 686 | sk_for_each(sk, &hci_sk_list.head) { | 
|  | 687 | struct sk_buff *skb; | 
|  | 688 |  | 
|  | 689 | skb = create_monitor_ctrl_open(sk); | 
|  | 690 | if (!skb) | 
|  | 691 | continue; | 
|  | 692 |  | 
|  | 693 | if (sock_queue_rcv_skb(mon_sk, skb)) | 
|  | 694 | kfree_skb(skb); | 
|  | 695 | } | 
|  | 696 |  | 
|  | 697 | read_unlock(&hci_sk_list.lock); | 
|  | 698 | } | 
|  | 699 |  | 
|  | 700 | /* Generate internal stack event */ | 
|  | 701 | static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) | 
|  | 702 | { | 
|  | 703 | struct hci_event_hdr *hdr; | 
|  | 704 | struct hci_ev_stack_internal *ev; | 
|  | 705 | struct sk_buff *skb; | 
|  | 706 |  | 
|  | 707 | skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); | 
|  | 708 | if (!skb) | 
|  | 709 | return; | 
|  | 710 |  | 
|  | 711 | hdr = skb_put(skb, HCI_EVENT_HDR_SIZE); | 
|  | 712 | hdr->evt  = HCI_EV_STACK_INTERNAL; | 
|  | 713 | hdr->plen = sizeof(*ev) + dlen; | 
|  | 714 |  | 
|  | 715 | ev = skb_put(skb, sizeof(*ev) + dlen); | 
|  | 716 | ev->type = type; | 
|  | 717 | memcpy(ev->data, data, dlen); | 
|  | 718 |  | 
|  | 719 | bt_cb(skb)->incoming = 1; | 
|  | 720 | __net_timestamp(skb); | 
|  | 721 |  | 
|  | 722 | hci_skb_pkt_type(skb) = HCI_EVENT_PKT; | 
|  | 723 | hci_send_to_sock(hdev, skb); | 
|  | 724 | kfree_skb(skb); | 
|  | 725 | } | 
|  | 726 |  | 
|  | 727 | void hci_sock_dev_event(struct hci_dev *hdev, int event) | 
|  | 728 | { | 
|  | 729 | BT_DBG("hdev %s event %d", hdev->name, event); | 
|  | 730 |  | 
|  | 731 | if (atomic_read(&monitor_promisc)) { | 
|  | 732 | struct sk_buff *skb; | 
|  | 733 |  | 
|  | 734 | /* Send event to monitor */ | 
|  | 735 | skb = create_monitor_event(hdev, event); | 
|  | 736 | if (skb) { | 
|  | 737 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 738 | HCI_SOCK_TRUSTED, NULL); | 
|  | 739 | kfree_skb(skb); | 
|  | 740 | } | 
|  | 741 | } | 
|  | 742 |  | 
|  | 743 | if (event <= HCI_DEV_DOWN) { | 
|  | 744 | struct hci_ev_si_device ev; | 
|  | 745 |  | 
|  | 746 | /* Send event to sockets */ | 
|  | 747 | ev.event  = event; | 
|  | 748 | ev.dev_id = hdev->id; | 
|  | 749 | hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); | 
|  | 750 | } | 
|  | 751 |  | 
|  | 752 | if (event == HCI_DEV_UNREG) { | 
|  | 753 | struct sock *sk; | 
|  | 754 |  | 
|  | 755 | /* Detach sockets from device */ | 
|  | 756 | read_lock(&hci_sk_list.lock); | 
|  | 757 | sk_for_each(sk, &hci_sk_list.head) { | 
|  | 758 | bh_lock_sock_nested(sk); | 
|  | 759 | if (hci_pi(sk)->hdev == hdev) { | 
|  | 760 | hci_pi(sk)->hdev = NULL; | 
|  | 761 | sk->sk_err = EPIPE; | 
|  | 762 | sk->sk_state = BT_OPEN; | 
|  | 763 | sk->sk_state_change(sk); | 
|  | 764 |  | 
|  | 765 | hci_dev_put(hdev); | 
|  | 766 | } | 
|  | 767 | bh_unlock_sock(sk); | 
|  | 768 | } | 
|  | 769 | read_unlock(&hci_sk_list.lock); | 
|  | 770 | } | 
|  | 771 | } | 
|  | 772 |  | 
|  | 773 | static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel) | 
|  | 774 | { | 
|  | 775 | struct hci_mgmt_chan *c; | 
|  | 776 |  | 
|  | 777 | list_for_each_entry(c, &mgmt_chan_list, list) { | 
|  | 778 | if (c->channel == channel) | 
|  | 779 | return c; | 
|  | 780 | } | 
|  | 781 |  | 
|  | 782 | return NULL; | 
|  | 783 | } | 
|  | 784 |  | 
|  | 785 | static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel) | 
|  | 786 | { | 
|  | 787 | struct hci_mgmt_chan *c; | 
|  | 788 |  | 
|  | 789 | mutex_lock(&mgmt_chan_list_lock); | 
|  | 790 | c = __hci_mgmt_chan_find(channel); | 
|  | 791 | mutex_unlock(&mgmt_chan_list_lock); | 
|  | 792 |  | 
|  | 793 | return c; | 
|  | 794 | } | 
|  | 795 |  | 
|  | 796 | int hci_mgmt_chan_register(struct hci_mgmt_chan *c) | 
|  | 797 | { | 
|  | 798 | if (c->channel < HCI_CHANNEL_CONTROL) | 
|  | 799 | return -EINVAL; | 
|  | 800 |  | 
|  | 801 | mutex_lock(&mgmt_chan_list_lock); | 
|  | 802 | if (__hci_mgmt_chan_find(c->channel)) { | 
|  | 803 | mutex_unlock(&mgmt_chan_list_lock); | 
|  | 804 | return -EALREADY; | 
|  | 805 | } | 
|  | 806 |  | 
|  | 807 | list_add_tail(&c->list, &mgmt_chan_list); | 
|  | 808 |  | 
|  | 809 | mutex_unlock(&mgmt_chan_list_lock); | 
|  | 810 |  | 
|  | 811 | return 0; | 
|  | 812 | } | 
|  | 813 | EXPORT_SYMBOL(hci_mgmt_chan_register); | 
|  | 814 |  | 
|  | 815 | void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c) | 
|  | 816 | { | 
|  | 817 | mutex_lock(&mgmt_chan_list_lock); | 
|  | 818 | list_del(&c->list); | 
|  | 819 | mutex_unlock(&mgmt_chan_list_lock); | 
|  | 820 | } | 
|  | 821 | EXPORT_SYMBOL(hci_mgmt_chan_unregister); | 
|  | 822 |  | 
|  | 823 | static int hci_sock_release(struct socket *sock) | 
|  | 824 | { | 
|  | 825 | struct sock *sk = sock->sk; | 
|  | 826 | struct hci_dev *hdev; | 
|  | 827 | struct sk_buff *skb; | 
|  | 828 |  | 
|  | 829 | BT_DBG("sock %p sk %p", sock, sk); | 
|  | 830 |  | 
|  | 831 | if (!sk) | 
|  | 832 | return 0; | 
|  | 833 |  | 
|  | 834 | switch (hci_pi(sk)->channel) { | 
|  | 835 | case HCI_CHANNEL_MONITOR: | 
|  | 836 | atomic_dec(&monitor_promisc); | 
|  | 837 | break; | 
|  | 838 | case HCI_CHANNEL_RAW: | 
|  | 839 | case HCI_CHANNEL_USER: | 
|  | 840 | case HCI_CHANNEL_CONTROL: | 
|  | 841 | /* Send event to monitor */ | 
|  | 842 | skb = create_monitor_ctrl_close(sk); | 
|  | 843 | if (skb) { | 
|  | 844 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 845 | HCI_SOCK_TRUSTED, NULL); | 
|  | 846 | kfree_skb(skb); | 
|  | 847 | } | 
|  | 848 |  | 
|  | 849 | hci_sock_free_cookie(sk); | 
|  | 850 | break; | 
|  | 851 | } | 
|  | 852 |  | 
|  | 853 | bt_sock_unlink(&hci_sk_list, sk); | 
|  | 854 |  | 
|  | 855 | hdev = hci_pi(sk)->hdev; | 
|  | 856 | if (hdev) { | 
|  | 857 | if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { | 
|  | 858 | /* When releasing a user channel exclusive access, | 
|  | 859 | * call hci_dev_do_close directly instead of calling | 
|  | 860 | * hci_dev_close to ensure the exclusive access will | 
|  | 861 | * be released and the controller brought back down. | 
|  | 862 | * | 
|  | 863 | * The checking of HCI_AUTO_OFF is not needed in this | 
|  | 864 | * case since it will have been cleared already when | 
|  | 865 | * opening the user channel. | 
|  | 866 | */ | 
|  | 867 | hci_dev_do_close(hdev); | 
|  | 868 | hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); | 
|  | 869 | mgmt_index_added(hdev); | 
|  | 870 | } | 
|  | 871 |  | 
|  | 872 | atomic_dec(&hdev->promisc); | 
|  | 873 | hci_dev_put(hdev); | 
|  | 874 | } | 
|  | 875 |  | 
|  | 876 | sock_orphan(sk); | 
|  | 877 |  | 
|  | 878 | skb_queue_purge(&sk->sk_receive_queue); | 
|  | 879 | skb_queue_purge(&sk->sk_write_queue); | 
|  | 880 |  | 
|  | 881 | sock_put(sk); | 
|  | 882 | return 0; | 
|  | 883 | } | 
|  | 884 |  | 
|  | 885 | static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) | 
|  | 886 | { | 
|  | 887 | bdaddr_t bdaddr; | 
|  | 888 | int err; | 
|  | 889 |  | 
|  | 890 | if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) | 
|  | 891 | return -EFAULT; | 
|  | 892 |  | 
|  | 893 | hci_dev_lock(hdev); | 
|  | 894 |  | 
|  | 895 | err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR); | 
|  | 896 |  | 
|  | 897 | hci_dev_unlock(hdev); | 
|  | 898 |  | 
|  | 899 | return err; | 
|  | 900 | } | 
|  | 901 |  | 
|  | 902 | static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) | 
|  | 903 | { | 
|  | 904 | bdaddr_t bdaddr; | 
|  | 905 | int err; | 
|  | 906 |  | 
|  | 907 | if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) | 
|  | 908 | return -EFAULT; | 
|  | 909 |  | 
|  | 910 | hci_dev_lock(hdev); | 
|  | 911 |  | 
|  | 912 | err = hci_bdaddr_list_del(&hdev->blacklist, &bdaddr, BDADDR_BREDR); | 
|  | 913 |  | 
|  | 914 | hci_dev_unlock(hdev); | 
|  | 915 |  | 
|  | 916 | return err; | 
|  | 917 | } | 
|  | 918 |  | 
|  | 919 | /* Ioctls that require bound socket */ | 
|  | 920 | static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, | 
|  | 921 | unsigned long arg) | 
|  | 922 | { | 
|  | 923 | struct hci_dev *hdev = hci_pi(sk)->hdev; | 
|  | 924 |  | 
|  | 925 | if (!hdev) | 
|  | 926 | return -EBADFD; | 
|  | 927 |  | 
|  | 928 | if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) | 
|  | 929 | return -EBUSY; | 
|  | 930 |  | 
|  | 931 | if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) | 
|  | 932 | return -EOPNOTSUPP; | 
|  | 933 |  | 
|  | 934 | if (hdev->dev_type != HCI_PRIMARY) | 
|  | 935 | return -EOPNOTSUPP; | 
|  | 936 |  | 
|  | 937 | switch (cmd) { | 
|  | 938 | case HCISETRAW: | 
|  | 939 | if (!capable(CAP_NET_ADMIN)) | 
|  | 940 | return -EPERM; | 
|  | 941 | return -EOPNOTSUPP; | 
|  | 942 |  | 
|  | 943 | case HCIGETCONNINFO: | 
|  | 944 | return hci_get_conn_info(hdev, (void __user *)arg); | 
|  | 945 |  | 
|  | 946 | case HCIGETAUTHINFO: | 
|  | 947 | return hci_get_auth_info(hdev, (void __user *)arg); | 
|  | 948 |  | 
|  | 949 | case HCIBLOCKADDR: | 
|  | 950 | if (!capable(CAP_NET_ADMIN)) | 
|  | 951 | return -EPERM; | 
|  | 952 | return hci_sock_blacklist_add(hdev, (void __user *)arg); | 
|  | 953 |  | 
|  | 954 | case HCIUNBLOCKADDR: | 
|  | 955 | if (!capable(CAP_NET_ADMIN)) | 
|  | 956 | return -EPERM; | 
|  | 957 | return hci_sock_blacklist_del(hdev, (void __user *)arg); | 
|  | 958 | } | 
|  | 959 |  | 
|  | 960 | return -ENOIOCTLCMD; | 
|  | 961 | } | 
|  | 962 |  | 
|  | 963 | static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, | 
|  | 964 | unsigned long arg) | 
|  | 965 | { | 
|  | 966 | void __user *argp = (void __user *)arg; | 
|  | 967 | struct sock *sk = sock->sk; | 
|  | 968 | int err; | 
|  | 969 |  | 
|  | 970 | BT_DBG("cmd %x arg %lx", cmd, arg); | 
|  | 971 |  | 
|  | 972 | lock_sock(sk); | 
|  | 973 |  | 
|  | 974 | if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { | 
|  | 975 | err = -EBADFD; | 
|  | 976 | goto done; | 
|  | 977 | } | 
|  | 978 |  | 
|  | 979 | /* When calling an ioctl on an unbound raw socket, then ensure | 
|  | 980 | * that the monitor gets informed. Ensure that the resulting event | 
|  | 981 | * is only send once by checking if the cookie exists or not. The | 
|  | 982 | * socket cookie will be only ever generated once for the lifetime | 
|  | 983 | * of a given socket. | 
|  | 984 | */ | 
|  | 985 | if (hci_sock_gen_cookie(sk)) { | 
|  | 986 | struct sk_buff *skb; | 
|  | 987 |  | 
|  | 988 | if (capable(CAP_NET_ADMIN)) | 
|  | 989 | hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); | 
|  | 990 |  | 
|  | 991 | /* Send event to monitor */ | 
|  | 992 | skb = create_monitor_ctrl_open(sk); | 
|  | 993 | if (skb) { | 
|  | 994 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 995 | HCI_SOCK_TRUSTED, NULL); | 
|  | 996 | kfree_skb(skb); | 
|  | 997 | } | 
|  | 998 | } | 
|  | 999 |  | 
|  | 1000 | release_sock(sk); | 
|  | 1001 |  | 
|  | 1002 | switch (cmd) { | 
|  | 1003 | case HCIGETDEVLIST: | 
|  | 1004 | return hci_get_dev_list(argp); | 
|  | 1005 |  | 
|  | 1006 | case HCIGETDEVINFO: | 
|  | 1007 | return hci_get_dev_info(argp); | 
|  | 1008 |  | 
|  | 1009 | case HCIGETCONNLIST: | 
|  | 1010 | return hci_get_conn_list(argp); | 
|  | 1011 |  | 
|  | 1012 | case HCIDEVUP: | 
|  | 1013 | if (!capable(CAP_NET_ADMIN)) | 
|  | 1014 | return -EPERM; | 
|  | 1015 | return hci_dev_open(arg); | 
|  | 1016 |  | 
|  | 1017 | case HCIDEVDOWN: | 
|  | 1018 | if (!capable(CAP_NET_ADMIN)) | 
|  | 1019 | return -EPERM; | 
|  | 1020 | return hci_dev_close(arg); | 
|  | 1021 |  | 
|  | 1022 | case HCIDEVRESET: | 
|  | 1023 | if (!capable(CAP_NET_ADMIN)) | 
|  | 1024 | return -EPERM; | 
|  | 1025 | return hci_dev_reset(arg); | 
|  | 1026 |  | 
|  | 1027 | case HCIDEVRESTAT: | 
|  | 1028 | if (!capable(CAP_NET_ADMIN)) | 
|  | 1029 | return -EPERM; | 
|  | 1030 | return hci_dev_reset_stat(arg); | 
|  | 1031 |  | 
|  | 1032 | case HCISETSCAN: | 
|  | 1033 | case HCISETAUTH: | 
|  | 1034 | case HCISETENCRYPT: | 
|  | 1035 | case HCISETPTYPE: | 
|  | 1036 | case HCISETLINKPOL: | 
|  | 1037 | case HCISETLINKMODE: | 
|  | 1038 | case HCISETACLMTU: | 
|  | 1039 | case HCISETSCOMTU: | 
|  | 1040 | if (!capable(CAP_NET_ADMIN)) | 
|  | 1041 | return -EPERM; | 
|  | 1042 | return hci_dev_cmd(cmd, argp); | 
|  | 1043 |  | 
|  | 1044 | case HCIINQUIRY: | 
|  | 1045 | return hci_inquiry(argp); | 
|  | 1046 | } | 
|  | 1047 |  | 
|  | 1048 | lock_sock(sk); | 
|  | 1049 |  | 
|  | 1050 | err = hci_sock_bound_ioctl(sk, cmd, arg); | 
|  | 1051 |  | 
|  | 1052 | done: | 
|  | 1053 | release_sock(sk); | 
|  | 1054 | return err; | 
|  | 1055 | } | 
|  | 1056 |  | 
|  | 1057 | static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, | 
|  | 1058 | int addr_len) | 
|  | 1059 | { | 
|  | 1060 | struct sockaddr_hci haddr; | 
|  | 1061 | struct sock *sk = sock->sk; | 
|  | 1062 | struct hci_dev *hdev = NULL; | 
|  | 1063 | struct sk_buff *skb; | 
|  | 1064 | int len, err = 0; | 
|  | 1065 |  | 
|  | 1066 | BT_DBG("sock %p sk %p", sock, sk); | 
|  | 1067 |  | 
|  | 1068 | if (!addr) | 
|  | 1069 | return -EINVAL; | 
|  | 1070 |  | 
|  | 1071 | memset(&haddr, 0, sizeof(haddr)); | 
|  | 1072 | len = min_t(unsigned int, sizeof(haddr), addr_len); | 
|  | 1073 | memcpy(&haddr, addr, len); | 
|  | 1074 |  | 
|  | 1075 | if (haddr.hci_family != AF_BLUETOOTH) | 
|  | 1076 | return -EINVAL; | 
|  | 1077 |  | 
|  | 1078 | lock_sock(sk); | 
|  | 1079 |  | 
|  | 1080 | if (sk->sk_state == BT_BOUND) { | 
|  | 1081 | err = -EALREADY; | 
|  | 1082 | goto done; | 
|  | 1083 | } | 
|  | 1084 |  | 
|  | 1085 | switch (haddr.hci_channel) { | 
|  | 1086 | case HCI_CHANNEL_RAW: | 
|  | 1087 | if (hci_pi(sk)->hdev) { | 
|  | 1088 | err = -EALREADY; | 
|  | 1089 | goto done; | 
|  | 1090 | } | 
|  | 1091 |  | 
|  | 1092 | if (haddr.hci_dev != HCI_DEV_NONE) { | 
|  | 1093 | hdev = hci_dev_get(haddr.hci_dev); | 
|  | 1094 | if (!hdev) { | 
|  | 1095 | err = -ENODEV; | 
|  | 1096 | goto done; | 
|  | 1097 | } | 
|  | 1098 |  | 
|  | 1099 | atomic_inc(&hdev->promisc); | 
|  | 1100 | } | 
|  | 1101 |  | 
|  | 1102 | hci_pi(sk)->channel = haddr.hci_channel; | 
|  | 1103 |  | 
|  | 1104 | if (!hci_sock_gen_cookie(sk)) { | 
|  | 1105 | /* In the case when a cookie has already been assigned, | 
|  | 1106 | * then there has been already an ioctl issued against | 
|  | 1107 | * an unbound socket and with that triggerd an open | 
|  | 1108 | * notification. Send a close notification first to | 
|  | 1109 | * allow the state transition to bounded. | 
|  | 1110 | */ | 
|  | 1111 | skb = create_monitor_ctrl_close(sk); | 
|  | 1112 | if (skb) { | 
|  | 1113 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1114 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1115 | kfree_skb(skb); | 
|  | 1116 | } | 
|  | 1117 | } | 
|  | 1118 |  | 
|  | 1119 | if (capable(CAP_NET_ADMIN)) | 
|  | 1120 | hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); | 
|  | 1121 |  | 
|  | 1122 | hci_pi(sk)->hdev = hdev; | 
|  | 1123 |  | 
|  | 1124 | /* Send event to monitor */ | 
|  | 1125 | skb = create_monitor_ctrl_open(sk); | 
|  | 1126 | if (skb) { | 
|  | 1127 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1128 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1129 | kfree_skb(skb); | 
|  | 1130 | } | 
|  | 1131 | break; | 
|  | 1132 |  | 
|  | 1133 | case HCI_CHANNEL_USER: | 
|  | 1134 | if (hci_pi(sk)->hdev) { | 
|  | 1135 | err = -EALREADY; | 
|  | 1136 | goto done; | 
|  | 1137 | } | 
|  | 1138 |  | 
|  | 1139 | if (haddr.hci_dev == HCI_DEV_NONE) { | 
|  | 1140 | err = -EINVAL; | 
|  | 1141 | goto done; | 
|  | 1142 | } | 
|  | 1143 |  | 
|  | 1144 | if (!capable(CAP_NET_ADMIN)) { | 
|  | 1145 | err = -EPERM; | 
|  | 1146 | goto done; | 
|  | 1147 | } | 
|  | 1148 |  | 
|  | 1149 | hdev = hci_dev_get(haddr.hci_dev); | 
|  | 1150 | if (!hdev) { | 
|  | 1151 | err = -ENODEV; | 
|  | 1152 | goto done; | 
|  | 1153 | } | 
|  | 1154 |  | 
|  | 1155 | if (test_bit(HCI_INIT, &hdev->flags) || | 
|  | 1156 | hci_dev_test_flag(hdev, HCI_SETUP) || | 
|  | 1157 | hci_dev_test_flag(hdev, HCI_CONFIG) || | 
|  | 1158 | (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) && | 
|  | 1159 | test_bit(HCI_UP, &hdev->flags))) { | 
|  | 1160 | err = -EBUSY; | 
|  | 1161 | hci_dev_put(hdev); | 
|  | 1162 | goto done; | 
|  | 1163 | } | 
|  | 1164 |  | 
|  | 1165 | if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) { | 
|  | 1166 | err = -EUSERS; | 
|  | 1167 | hci_dev_put(hdev); | 
|  | 1168 | goto done; | 
|  | 1169 | } | 
|  | 1170 |  | 
|  | 1171 | mgmt_index_removed(hdev); | 
|  | 1172 |  | 
|  | 1173 | err = hci_dev_open(hdev->id); | 
|  | 1174 | if (err) { | 
|  | 1175 | if (err == -EALREADY) { | 
|  | 1176 | /* In case the transport is already up and | 
|  | 1177 | * running, clear the error here. | 
|  | 1178 | * | 
|  | 1179 | * This can happen when opening a user | 
|  | 1180 | * channel and HCI_AUTO_OFF grace period | 
|  | 1181 | * is still active. | 
|  | 1182 | */ | 
|  | 1183 | err = 0; | 
|  | 1184 | } else { | 
|  | 1185 | hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); | 
|  | 1186 | mgmt_index_added(hdev); | 
|  | 1187 | hci_dev_put(hdev); | 
|  | 1188 | goto done; | 
|  | 1189 | } | 
|  | 1190 | } | 
|  | 1191 |  | 
|  | 1192 | hci_pi(sk)->channel = haddr.hci_channel; | 
|  | 1193 |  | 
|  | 1194 | if (!hci_sock_gen_cookie(sk)) { | 
|  | 1195 | /* In the case when a cookie has already been assigned, | 
|  | 1196 | * this socket will transition from a raw socket into | 
|  | 1197 | * a user channel socket. For a clean transition, send | 
|  | 1198 | * the close notification first. | 
|  | 1199 | */ | 
|  | 1200 | skb = create_monitor_ctrl_close(sk); | 
|  | 1201 | if (skb) { | 
|  | 1202 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1203 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1204 | kfree_skb(skb); | 
|  | 1205 | } | 
|  | 1206 | } | 
|  | 1207 |  | 
|  | 1208 | /* The user channel is restricted to CAP_NET_ADMIN | 
|  | 1209 | * capabilities and with that implicitly trusted. | 
|  | 1210 | */ | 
|  | 1211 | hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); | 
|  | 1212 |  | 
|  | 1213 | hci_pi(sk)->hdev = hdev; | 
|  | 1214 |  | 
|  | 1215 | /* Send event to monitor */ | 
|  | 1216 | skb = create_monitor_ctrl_open(sk); | 
|  | 1217 | if (skb) { | 
|  | 1218 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1219 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1220 | kfree_skb(skb); | 
|  | 1221 | } | 
|  | 1222 |  | 
|  | 1223 | atomic_inc(&hdev->promisc); | 
|  | 1224 | break; | 
|  | 1225 |  | 
|  | 1226 | case HCI_CHANNEL_MONITOR: | 
|  | 1227 | if (haddr.hci_dev != HCI_DEV_NONE) { | 
|  | 1228 | err = -EINVAL; | 
|  | 1229 | goto done; | 
|  | 1230 | } | 
|  | 1231 |  | 
|  | 1232 | if (!capable(CAP_NET_RAW)) { | 
|  | 1233 | err = -EPERM; | 
|  | 1234 | goto done; | 
|  | 1235 | } | 
|  | 1236 |  | 
|  | 1237 | hci_pi(sk)->channel = haddr.hci_channel; | 
|  | 1238 |  | 
|  | 1239 | /* The monitor interface is restricted to CAP_NET_RAW | 
|  | 1240 | * capabilities and with that implicitly trusted. | 
|  | 1241 | */ | 
|  | 1242 | hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); | 
|  | 1243 |  | 
|  | 1244 | send_monitor_note(sk, "Linux version %s (%s)", | 
|  | 1245 | init_utsname()->release, | 
|  | 1246 | init_utsname()->machine); | 
|  | 1247 | send_monitor_note(sk, "Bluetooth subsystem version %u.%u", | 
|  | 1248 | BT_SUBSYS_VERSION, BT_SUBSYS_REVISION); | 
|  | 1249 | send_monitor_replay(sk); | 
|  | 1250 | send_monitor_control_replay(sk); | 
|  | 1251 |  | 
|  | 1252 | atomic_inc(&monitor_promisc); | 
|  | 1253 | break; | 
|  | 1254 |  | 
|  | 1255 | case HCI_CHANNEL_LOGGING: | 
|  | 1256 | if (haddr.hci_dev != HCI_DEV_NONE) { | 
|  | 1257 | err = -EINVAL; | 
|  | 1258 | goto done; | 
|  | 1259 | } | 
|  | 1260 |  | 
|  | 1261 | if (!capable(CAP_NET_ADMIN)) { | 
|  | 1262 | err = -EPERM; | 
|  | 1263 | goto done; | 
|  | 1264 | } | 
|  | 1265 |  | 
|  | 1266 | hci_pi(sk)->channel = haddr.hci_channel; | 
|  | 1267 | break; | 
|  | 1268 |  | 
|  | 1269 | default: | 
|  | 1270 | if (!hci_mgmt_chan_find(haddr.hci_channel)) { | 
|  | 1271 | err = -EINVAL; | 
|  | 1272 | goto done; | 
|  | 1273 | } | 
|  | 1274 |  | 
|  | 1275 | if (haddr.hci_dev != HCI_DEV_NONE) { | 
|  | 1276 | err = -EINVAL; | 
|  | 1277 | goto done; | 
|  | 1278 | } | 
|  | 1279 |  | 
|  | 1280 | /* Users with CAP_NET_ADMIN capabilities are allowed | 
|  | 1281 | * access to all management commands and events. For | 
|  | 1282 | * untrusted users the interface is restricted and | 
|  | 1283 | * also only untrusted events are sent. | 
|  | 1284 | */ | 
|  | 1285 | if (capable(CAP_NET_ADMIN)) | 
|  | 1286 | hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); | 
|  | 1287 |  | 
|  | 1288 | hci_pi(sk)->channel = haddr.hci_channel; | 
|  | 1289 |  | 
|  | 1290 | /* At the moment the index and unconfigured index events | 
|  | 1291 | * are enabled unconditionally. Setting them on each | 
|  | 1292 | * socket when binding keeps this functionality. They | 
|  | 1293 | * however might be cleared later and then sending of these | 
|  | 1294 | * events will be disabled, but that is then intentional. | 
|  | 1295 | * | 
|  | 1296 | * This also enables generic events that are safe to be | 
|  | 1297 | * received by untrusted users. Example for such events | 
|  | 1298 | * are changes to settings, class of device, name etc. | 
|  | 1299 | */ | 
|  | 1300 | if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { | 
|  | 1301 | if (!hci_sock_gen_cookie(sk)) { | 
|  | 1302 | /* In the case when a cookie has already been | 
|  | 1303 | * assigned, this socket will transtion from | 
|  | 1304 | * a raw socket into a control socket. To | 
|  | 1305 | * allow for a clean transtion, send the | 
|  | 1306 | * close notification first. | 
|  | 1307 | */ | 
|  | 1308 | skb = create_monitor_ctrl_close(sk); | 
|  | 1309 | if (skb) { | 
|  | 1310 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1311 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1312 | kfree_skb(skb); | 
|  | 1313 | } | 
|  | 1314 | } | 
|  | 1315 |  | 
|  | 1316 | /* Send event to monitor */ | 
|  | 1317 | skb = create_monitor_ctrl_open(sk); | 
|  | 1318 | if (skb) { | 
|  | 1319 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1320 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1321 | kfree_skb(skb); | 
|  | 1322 | } | 
|  | 1323 |  | 
|  | 1324 | hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS); | 
|  | 1325 | hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS); | 
|  | 1326 | hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS); | 
|  | 1327 | hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS); | 
|  | 1328 | hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS); | 
|  | 1329 | hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS); | 
|  | 1330 | } | 
|  | 1331 | break; | 
|  | 1332 | } | 
|  | 1333 |  | 
|  | 1334 | sk->sk_state = BT_BOUND; | 
|  | 1335 |  | 
|  | 1336 | done: | 
|  | 1337 | release_sock(sk); | 
|  | 1338 | return err; | 
|  | 1339 | } | 
|  | 1340 |  | 
|  | 1341 | static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, | 
|  | 1342 | int peer) | 
|  | 1343 | { | 
|  | 1344 | struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr; | 
|  | 1345 | struct sock *sk = sock->sk; | 
|  | 1346 | struct hci_dev *hdev; | 
|  | 1347 | int err = 0; | 
|  | 1348 |  | 
|  | 1349 | BT_DBG("sock %p sk %p", sock, sk); | 
|  | 1350 |  | 
|  | 1351 | if (peer) | 
|  | 1352 | return -EOPNOTSUPP; | 
|  | 1353 |  | 
|  | 1354 | lock_sock(sk); | 
|  | 1355 |  | 
|  | 1356 | hdev = hci_pi(sk)->hdev; | 
|  | 1357 | if (!hdev) { | 
|  | 1358 | err = -EBADFD; | 
|  | 1359 | goto done; | 
|  | 1360 | } | 
|  | 1361 |  | 
|  | 1362 | haddr->hci_family = AF_BLUETOOTH; | 
|  | 1363 | haddr->hci_dev    = hdev->id; | 
|  | 1364 | haddr->hci_channel= hci_pi(sk)->channel; | 
|  | 1365 | err = sizeof(*haddr); | 
|  | 1366 |  | 
|  | 1367 | done: | 
|  | 1368 | release_sock(sk); | 
|  | 1369 | return err; | 
|  | 1370 | } | 
|  | 1371 |  | 
|  | 1372 | static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, | 
|  | 1373 | struct sk_buff *skb) | 
|  | 1374 | { | 
|  | 1375 | __u32 mask = hci_pi(sk)->cmsg_mask; | 
|  | 1376 |  | 
|  | 1377 | if (mask & HCI_CMSG_DIR) { | 
|  | 1378 | int incoming = bt_cb(skb)->incoming; | 
|  | 1379 | put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), | 
|  | 1380 | &incoming); | 
|  | 1381 | } | 
|  | 1382 |  | 
|  | 1383 | if (mask & HCI_CMSG_TSTAMP) { | 
|  | 1384 | #ifdef CONFIG_COMPAT | 
|  | 1385 | struct compat_timeval ctv; | 
|  | 1386 | #endif | 
|  | 1387 | struct timeval tv; | 
|  | 1388 | void *data; | 
|  | 1389 | int len; | 
|  | 1390 |  | 
|  | 1391 | skb_get_timestamp(skb, &tv); | 
|  | 1392 |  | 
|  | 1393 | data = &tv; | 
|  | 1394 | len = sizeof(tv); | 
|  | 1395 | #ifdef CONFIG_COMPAT | 
|  | 1396 | if (!COMPAT_USE_64BIT_TIME && | 
|  | 1397 | (msg->msg_flags & MSG_CMSG_COMPAT)) { | 
|  | 1398 | ctv.tv_sec = tv.tv_sec; | 
|  | 1399 | ctv.tv_usec = tv.tv_usec; | 
|  | 1400 | data = &ctv; | 
|  | 1401 | len = sizeof(ctv); | 
|  | 1402 | } | 
|  | 1403 | #endif | 
|  | 1404 |  | 
|  | 1405 | put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); | 
|  | 1406 | } | 
|  | 1407 | } | 
|  | 1408 |  | 
|  | 1409 | static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg, | 
|  | 1410 | size_t len, int flags) | 
|  | 1411 | { | 
|  | 1412 | int noblock = flags & MSG_DONTWAIT; | 
|  | 1413 | struct sock *sk = sock->sk; | 
|  | 1414 | struct sk_buff *skb; | 
|  | 1415 | int copied, err; | 
|  | 1416 | unsigned int skblen; | 
|  | 1417 |  | 
|  | 1418 | BT_DBG("sock %p, sk %p", sock, sk); | 
|  | 1419 |  | 
|  | 1420 | if (flags & MSG_OOB) | 
|  | 1421 | return -EOPNOTSUPP; | 
|  | 1422 |  | 
|  | 1423 | if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING) | 
|  | 1424 | return -EOPNOTSUPP; | 
|  | 1425 |  | 
|  | 1426 | if (sk->sk_state == BT_CLOSED) | 
|  | 1427 | return 0; | 
|  | 1428 |  | 
|  | 1429 | skb = skb_recv_datagram(sk, flags, noblock, &err); | 
|  | 1430 | if (!skb) | 
|  | 1431 | return err; | 
|  | 1432 |  | 
|  | 1433 | skblen = skb->len; | 
|  | 1434 | copied = skb->len; | 
|  | 1435 | if (len < copied) { | 
|  | 1436 | msg->msg_flags |= MSG_TRUNC; | 
|  | 1437 | copied = len; | 
|  | 1438 | } | 
|  | 1439 |  | 
|  | 1440 | skb_reset_transport_header(skb); | 
|  | 1441 | err = skb_copy_datagram_msg(skb, 0, msg, copied); | 
|  | 1442 |  | 
|  | 1443 | switch (hci_pi(sk)->channel) { | 
|  | 1444 | case HCI_CHANNEL_RAW: | 
|  | 1445 | hci_sock_cmsg(sk, msg, skb); | 
|  | 1446 | break; | 
|  | 1447 | case HCI_CHANNEL_USER: | 
|  | 1448 | case HCI_CHANNEL_MONITOR: | 
|  | 1449 | sock_recv_timestamp(msg, sk, skb); | 
|  | 1450 | break; | 
|  | 1451 | default: | 
|  | 1452 | if (hci_mgmt_chan_find(hci_pi(sk)->channel)) | 
|  | 1453 | sock_recv_timestamp(msg, sk, skb); | 
|  | 1454 | break; | 
|  | 1455 | } | 
|  | 1456 |  | 
|  | 1457 | skb_free_datagram(sk, skb); | 
|  | 1458 |  | 
|  | 1459 | if (flags & MSG_TRUNC) | 
|  | 1460 | copied = skblen; | 
|  | 1461 |  | 
|  | 1462 | return err ? : copied; | 
|  | 1463 | } | 
|  | 1464 |  | 
|  | 1465 | static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk, | 
|  | 1466 | struct msghdr *msg, size_t msglen) | 
|  | 1467 | { | 
|  | 1468 | void *buf; | 
|  | 1469 | u8 *cp; | 
|  | 1470 | struct mgmt_hdr *hdr; | 
|  | 1471 | u16 opcode, index, len; | 
|  | 1472 | struct hci_dev *hdev = NULL; | 
|  | 1473 | const struct hci_mgmt_handler *handler; | 
|  | 1474 | bool var_len, no_hdev; | 
|  | 1475 | int err; | 
|  | 1476 |  | 
|  | 1477 | BT_DBG("got %zu bytes", msglen); | 
|  | 1478 |  | 
|  | 1479 | if (msglen < sizeof(*hdr)) | 
|  | 1480 | return -EINVAL; | 
|  | 1481 |  | 
|  | 1482 | buf = kmalloc(msglen, GFP_KERNEL); | 
|  | 1483 | if (!buf) | 
|  | 1484 | return -ENOMEM; | 
|  | 1485 |  | 
|  | 1486 | if (memcpy_from_msg(buf, msg, msglen)) { | 
|  | 1487 | err = -EFAULT; | 
|  | 1488 | goto done; | 
|  | 1489 | } | 
|  | 1490 |  | 
|  | 1491 | hdr = buf; | 
|  | 1492 | opcode = __le16_to_cpu(hdr->opcode); | 
|  | 1493 | index = __le16_to_cpu(hdr->index); | 
|  | 1494 | len = __le16_to_cpu(hdr->len); | 
|  | 1495 |  | 
|  | 1496 | if (len != msglen - sizeof(*hdr)) { | 
|  | 1497 | err = -EINVAL; | 
|  | 1498 | goto done; | 
|  | 1499 | } | 
|  | 1500 |  | 
|  | 1501 | if (chan->channel == HCI_CHANNEL_CONTROL) { | 
|  | 1502 | struct sk_buff *skb; | 
|  | 1503 |  | 
|  | 1504 | /* Send event to monitor */ | 
|  | 1505 | skb = create_monitor_ctrl_command(sk, index, opcode, len, | 
|  | 1506 | buf + sizeof(*hdr)); | 
|  | 1507 | if (skb) { | 
|  | 1508 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, | 
|  | 1509 | HCI_SOCK_TRUSTED, NULL); | 
|  | 1510 | kfree_skb(skb); | 
|  | 1511 | } | 
|  | 1512 | } | 
|  | 1513 |  | 
|  | 1514 | if (opcode >= chan->handler_count || | 
|  | 1515 | chan->handlers[opcode].func == NULL) { | 
|  | 1516 | BT_DBG("Unknown op %u", opcode); | 
|  | 1517 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1518 | MGMT_STATUS_UNKNOWN_COMMAND); | 
|  | 1519 | goto done; | 
|  | 1520 | } | 
|  | 1521 |  | 
|  | 1522 | handler = &chan->handlers[opcode]; | 
|  | 1523 |  | 
|  | 1524 | if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) && | 
|  | 1525 | !(handler->flags & HCI_MGMT_UNTRUSTED)) { | 
|  | 1526 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1527 | MGMT_STATUS_PERMISSION_DENIED); | 
|  | 1528 | goto done; | 
|  | 1529 | } | 
|  | 1530 |  | 
|  | 1531 | if (index != MGMT_INDEX_NONE) { | 
|  | 1532 | hdev = hci_dev_get(index); | 
|  | 1533 | if (!hdev) { | 
|  | 1534 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1535 | MGMT_STATUS_INVALID_INDEX); | 
|  | 1536 | goto done; | 
|  | 1537 | } | 
|  | 1538 |  | 
|  | 1539 | if (hci_dev_test_flag(hdev, HCI_SETUP) || | 
|  | 1540 | hci_dev_test_flag(hdev, HCI_CONFIG) || | 
|  | 1541 | hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { | 
|  | 1542 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1543 | MGMT_STATUS_INVALID_INDEX); | 
|  | 1544 | goto done; | 
|  | 1545 | } | 
|  | 1546 |  | 
|  | 1547 | if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && | 
|  | 1548 | !(handler->flags & HCI_MGMT_UNCONFIGURED)) { | 
|  | 1549 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1550 | MGMT_STATUS_INVALID_INDEX); | 
|  | 1551 | goto done; | 
|  | 1552 | } | 
|  | 1553 | } | 
|  | 1554 |  | 
|  | 1555 | no_hdev = (handler->flags & HCI_MGMT_NO_HDEV); | 
|  | 1556 | if (no_hdev != !hdev) { | 
|  | 1557 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1558 | MGMT_STATUS_INVALID_INDEX); | 
|  | 1559 | goto done; | 
|  | 1560 | } | 
|  | 1561 |  | 
|  | 1562 | var_len = (handler->flags & HCI_MGMT_VAR_LEN); | 
|  | 1563 | if ((var_len && len < handler->data_len) || | 
|  | 1564 | (!var_len && len != handler->data_len)) { | 
|  | 1565 | err = mgmt_cmd_status(sk, index, opcode, | 
|  | 1566 | MGMT_STATUS_INVALID_PARAMS); | 
|  | 1567 | goto done; | 
|  | 1568 | } | 
|  | 1569 |  | 
|  | 1570 | if (hdev && chan->hdev_init) | 
|  | 1571 | chan->hdev_init(sk, hdev); | 
|  | 1572 |  | 
|  | 1573 | cp = buf + sizeof(*hdr); | 
|  | 1574 |  | 
|  | 1575 | err = handler->func(sk, hdev, cp, len); | 
|  | 1576 | if (err < 0) | 
|  | 1577 | goto done; | 
|  | 1578 |  | 
|  | 1579 | err = msglen; | 
|  | 1580 |  | 
|  | 1581 | done: | 
|  | 1582 | if (hdev) | 
|  | 1583 | hci_dev_put(hdev); | 
|  | 1584 |  | 
|  | 1585 | kfree(buf); | 
|  | 1586 | return err; | 
|  | 1587 | } | 
|  | 1588 |  | 
|  | 1589 | static int hci_logging_frame(struct sock *sk, struct msghdr *msg, int len) | 
|  | 1590 | { | 
|  | 1591 | struct hci_mon_hdr *hdr; | 
|  | 1592 | struct sk_buff *skb; | 
|  | 1593 | struct hci_dev *hdev; | 
|  | 1594 | u16 index; | 
|  | 1595 | int err; | 
|  | 1596 |  | 
|  | 1597 | /* The logging frame consists at minimum of the standard header, | 
|  | 1598 | * the priority byte, the ident length byte and at least one string | 
|  | 1599 | * terminator NUL byte. Anything shorter are invalid packets. | 
|  | 1600 | */ | 
|  | 1601 | if (len < sizeof(*hdr) + 3) | 
|  | 1602 | return -EINVAL; | 
|  | 1603 |  | 
|  | 1604 | skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); | 
|  | 1605 | if (!skb) | 
|  | 1606 | return err; | 
|  | 1607 |  | 
|  | 1608 | if (memcpy_from_msg(skb_put(skb, len), msg, len)) { | 
|  | 1609 | err = -EFAULT; | 
|  | 1610 | goto drop; | 
|  | 1611 | } | 
|  | 1612 |  | 
|  | 1613 | hdr = (void *)skb->data; | 
|  | 1614 |  | 
|  | 1615 | if (__le16_to_cpu(hdr->len) != len - sizeof(*hdr)) { | 
|  | 1616 | err = -EINVAL; | 
|  | 1617 | goto drop; | 
|  | 1618 | } | 
|  | 1619 |  | 
|  | 1620 | if (__le16_to_cpu(hdr->opcode) == 0x0000) { | 
|  | 1621 | __u8 priority = skb->data[sizeof(*hdr)]; | 
|  | 1622 | __u8 ident_len = skb->data[sizeof(*hdr) + 1]; | 
|  | 1623 |  | 
|  | 1624 | /* Only the priorities 0-7 are valid and with that any other | 
|  | 1625 | * value results in an invalid packet. | 
|  | 1626 | * | 
|  | 1627 | * The priority byte is followed by an ident length byte and | 
|  | 1628 | * the NUL terminated ident string. Check that the ident | 
|  | 1629 | * length is not overflowing the packet and also that the | 
|  | 1630 | * ident string itself is NUL terminated. In case the ident | 
|  | 1631 | * length is zero, the length value actually doubles as NUL | 
|  | 1632 | * terminator identifier. | 
|  | 1633 | * | 
|  | 1634 | * The message follows the ident string (if present) and | 
|  | 1635 | * must be NUL terminated. Otherwise it is not a valid packet. | 
|  | 1636 | */ | 
|  | 1637 | if (priority > 7 || skb->data[len - 1] != 0x00 || | 
|  | 1638 | ident_len > len - sizeof(*hdr) - 3 || | 
|  | 1639 | skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) { | 
|  | 1640 | err = -EINVAL; | 
|  | 1641 | goto drop; | 
|  | 1642 | } | 
|  | 1643 | } else { | 
|  | 1644 | err = -EINVAL; | 
|  | 1645 | goto drop; | 
|  | 1646 | } | 
|  | 1647 |  | 
|  | 1648 | index = __le16_to_cpu(hdr->index); | 
|  | 1649 |  | 
|  | 1650 | if (index != MGMT_INDEX_NONE) { | 
|  | 1651 | hdev = hci_dev_get(index); | 
|  | 1652 | if (!hdev) { | 
|  | 1653 | err = -ENODEV; | 
|  | 1654 | goto drop; | 
|  | 1655 | } | 
|  | 1656 | } else { | 
|  | 1657 | hdev = NULL; | 
|  | 1658 | } | 
|  | 1659 |  | 
|  | 1660 | hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING); | 
|  | 1661 |  | 
|  | 1662 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL); | 
|  | 1663 | err = len; | 
|  | 1664 |  | 
|  | 1665 | if (hdev) | 
|  | 1666 | hci_dev_put(hdev); | 
|  | 1667 |  | 
|  | 1668 | drop: | 
|  | 1669 | kfree_skb(skb); | 
|  | 1670 | return err; | 
|  | 1671 | } | 
|  | 1672 |  | 
|  | 1673 | static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg, | 
|  | 1674 | size_t len) | 
|  | 1675 | { | 
|  | 1676 | struct sock *sk = sock->sk; | 
|  | 1677 | struct hci_mgmt_chan *chan; | 
|  | 1678 | struct hci_dev *hdev; | 
|  | 1679 | struct sk_buff *skb; | 
|  | 1680 | int err; | 
|  | 1681 |  | 
|  | 1682 | BT_DBG("sock %p sk %p", sock, sk); | 
|  | 1683 |  | 
|  | 1684 | if (msg->msg_flags & MSG_OOB) | 
|  | 1685 | return -EOPNOTSUPP; | 
|  | 1686 |  | 
|  | 1687 | if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE| | 
|  | 1688 | MSG_CMSG_COMPAT)) | 
|  | 1689 | return -EINVAL; | 
|  | 1690 |  | 
|  | 1691 | if (len < 4 || len > HCI_MAX_FRAME_SIZE) | 
|  | 1692 | return -EINVAL; | 
|  | 1693 |  | 
|  | 1694 | lock_sock(sk); | 
|  | 1695 |  | 
|  | 1696 | switch (hci_pi(sk)->channel) { | 
|  | 1697 | case HCI_CHANNEL_RAW: | 
|  | 1698 | case HCI_CHANNEL_USER: | 
|  | 1699 | break; | 
|  | 1700 | case HCI_CHANNEL_MONITOR: | 
|  | 1701 | err = -EOPNOTSUPP; | 
|  | 1702 | goto done; | 
|  | 1703 | case HCI_CHANNEL_LOGGING: | 
|  | 1704 | err = hci_logging_frame(sk, msg, len); | 
|  | 1705 | goto done; | 
|  | 1706 | default: | 
|  | 1707 | mutex_lock(&mgmt_chan_list_lock); | 
|  | 1708 | chan = __hci_mgmt_chan_find(hci_pi(sk)->channel); | 
|  | 1709 | if (chan) | 
|  | 1710 | err = hci_mgmt_cmd(chan, sk, msg, len); | 
|  | 1711 | else | 
|  | 1712 | err = -EINVAL; | 
|  | 1713 |  | 
|  | 1714 | mutex_unlock(&mgmt_chan_list_lock); | 
|  | 1715 | goto done; | 
|  | 1716 | } | 
|  | 1717 |  | 
|  | 1718 | hdev = hci_pi(sk)->hdev; | 
|  | 1719 | if (!hdev) { | 
|  | 1720 | err = -EBADFD; | 
|  | 1721 | goto done; | 
|  | 1722 | } | 
|  | 1723 |  | 
|  | 1724 | if (!test_bit(HCI_UP, &hdev->flags)) { | 
|  | 1725 | err = -ENETDOWN; | 
|  | 1726 | goto done; | 
|  | 1727 | } | 
|  | 1728 |  | 
|  | 1729 | skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); | 
|  | 1730 | if (!skb) | 
|  | 1731 | goto done; | 
|  | 1732 |  | 
|  | 1733 | if (memcpy_from_msg(skb_put(skb, len), msg, len)) { | 
|  | 1734 | err = -EFAULT; | 
|  | 1735 | goto drop; | 
|  | 1736 | } | 
|  | 1737 |  | 
|  | 1738 | hci_skb_pkt_type(skb) = skb->data[0]; | 
|  | 1739 | skb_pull(skb, 1); | 
|  | 1740 |  | 
|  | 1741 | if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { | 
|  | 1742 | /* No permission check is needed for user channel | 
|  | 1743 | * since that gets enforced when binding the socket. | 
|  | 1744 | * | 
|  | 1745 | * However check that the packet type is valid. | 
|  | 1746 | */ | 
|  | 1747 | if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && | 
|  | 1748 | hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && | 
|  | 1749 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) { | 
|  | 1750 | err = -EINVAL; | 
|  | 1751 | goto drop; | 
|  | 1752 | } | 
|  | 1753 |  | 
|  | 1754 | skb_queue_tail(&hdev->raw_q, skb); | 
|  | 1755 | queue_work(hdev->workqueue, &hdev->tx_work); | 
|  | 1756 | } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) { | 
|  | 1757 | u16 opcode = get_unaligned_le16(skb->data); | 
|  | 1758 | u16 ogf = hci_opcode_ogf(opcode); | 
|  | 1759 | u16 ocf = hci_opcode_ocf(opcode); | 
|  | 1760 |  | 
|  | 1761 | if (((ogf > HCI_SFLT_MAX_OGF) || | 
|  | 1762 | !hci_test_bit(ocf & HCI_FLT_OCF_BITS, | 
|  | 1763 | &hci_sec_filter.ocf_mask[ogf])) && | 
|  | 1764 | !capable(CAP_NET_RAW)) { | 
|  | 1765 | err = -EPERM; | 
|  | 1766 | goto drop; | 
|  | 1767 | } | 
|  | 1768 |  | 
|  | 1769 | /* Since the opcode has already been extracted here, store | 
|  | 1770 | * a copy of the value for later use by the drivers. | 
|  | 1771 | */ | 
|  | 1772 | hci_skb_opcode(skb) = opcode; | 
|  | 1773 |  | 
|  | 1774 | if (ogf == 0x3f) { | 
|  | 1775 | skb_queue_tail(&hdev->raw_q, skb); | 
|  | 1776 | queue_work(hdev->workqueue, &hdev->tx_work); | 
|  | 1777 | } else { | 
|  | 1778 | /* Stand-alone HCI commands must be flagged as | 
|  | 1779 | * single-command requests. | 
|  | 1780 | */ | 
|  | 1781 | bt_cb(skb)->hci.req_flags |= HCI_REQ_START; | 
|  | 1782 |  | 
|  | 1783 | skb_queue_tail(&hdev->cmd_q, skb); | 
|  | 1784 | queue_work(hdev->workqueue, &hdev->cmd_work); | 
|  | 1785 | } | 
|  | 1786 | } else { | 
|  | 1787 | if (!capable(CAP_NET_RAW)) { | 
|  | 1788 | err = -EPERM; | 
|  | 1789 | goto drop; | 
|  | 1790 | } | 
|  | 1791 |  | 
|  | 1792 | if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && | 
|  | 1793 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) { | 
|  | 1794 | err = -EINVAL; | 
|  | 1795 | goto drop; | 
|  | 1796 | } | 
|  | 1797 |  | 
|  | 1798 | skb_queue_tail(&hdev->raw_q, skb); | 
|  | 1799 | queue_work(hdev->workqueue, &hdev->tx_work); | 
|  | 1800 | } | 
|  | 1801 |  | 
|  | 1802 | err = len; | 
|  | 1803 |  | 
|  | 1804 | done: | 
|  | 1805 | release_sock(sk); | 
|  | 1806 | return err; | 
|  | 1807 |  | 
|  | 1808 | drop: | 
|  | 1809 | kfree_skb(skb); | 
|  | 1810 | goto done; | 
|  | 1811 | } | 
|  | 1812 |  | 
|  | 1813 | static int hci_sock_setsockopt(struct socket *sock, int level, int optname, | 
|  | 1814 | char __user *optval, unsigned int len) | 
|  | 1815 | { | 
|  | 1816 | struct hci_ufilter uf = { .opcode = 0 }; | 
|  | 1817 | struct sock *sk = sock->sk; | 
|  | 1818 | int err = 0, opt = 0; | 
|  | 1819 |  | 
|  | 1820 | BT_DBG("sk %p, opt %d", sk, optname); | 
|  | 1821 |  | 
|  | 1822 | if (level != SOL_HCI) | 
|  | 1823 | return -ENOPROTOOPT; | 
|  | 1824 |  | 
|  | 1825 | lock_sock(sk); | 
|  | 1826 |  | 
|  | 1827 | if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { | 
|  | 1828 | err = -EBADFD; | 
|  | 1829 | goto done; | 
|  | 1830 | } | 
|  | 1831 |  | 
|  | 1832 | switch (optname) { | 
|  | 1833 | case HCI_DATA_DIR: | 
|  | 1834 | if (get_user(opt, (int __user *)optval)) { | 
|  | 1835 | err = -EFAULT; | 
|  | 1836 | break; | 
|  | 1837 | } | 
|  | 1838 |  | 
|  | 1839 | if (opt) | 
|  | 1840 | hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; | 
|  | 1841 | else | 
|  | 1842 | hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; | 
|  | 1843 | break; | 
|  | 1844 |  | 
|  | 1845 | case HCI_TIME_STAMP: | 
|  | 1846 | if (get_user(opt, (int __user *)optval)) { | 
|  | 1847 | err = -EFAULT; | 
|  | 1848 | break; | 
|  | 1849 | } | 
|  | 1850 |  | 
|  | 1851 | if (opt) | 
|  | 1852 | hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; | 
|  | 1853 | else | 
|  | 1854 | hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; | 
|  | 1855 | break; | 
|  | 1856 |  | 
|  | 1857 | case HCI_FILTER: | 
|  | 1858 | { | 
|  | 1859 | struct hci_filter *f = &hci_pi(sk)->filter; | 
|  | 1860 |  | 
|  | 1861 | uf.type_mask = f->type_mask; | 
|  | 1862 | uf.opcode    = f->opcode; | 
|  | 1863 | uf.event_mask[0] = *((u32 *) f->event_mask + 0); | 
|  | 1864 | uf.event_mask[1] = *((u32 *) f->event_mask + 1); | 
|  | 1865 | } | 
|  | 1866 |  | 
|  | 1867 | len = min_t(unsigned int, len, sizeof(uf)); | 
|  | 1868 | if (copy_from_user(&uf, optval, len)) { | 
|  | 1869 | err = -EFAULT; | 
|  | 1870 | break; | 
|  | 1871 | } | 
|  | 1872 |  | 
|  | 1873 | if (!capable(CAP_NET_RAW)) { | 
|  | 1874 | uf.type_mask &= hci_sec_filter.type_mask; | 
|  | 1875 | uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); | 
|  | 1876 | uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); | 
|  | 1877 | } | 
|  | 1878 |  | 
|  | 1879 | { | 
|  | 1880 | struct hci_filter *f = &hci_pi(sk)->filter; | 
|  | 1881 |  | 
|  | 1882 | f->type_mask = uf.type_mask; | 
|  | 1883 | f->opcode    = uf.opcode; | 
|  | 1884 | *((u32 *) f->event_mask + 0) = uf.event_mask[0]; | 
|  | 1885 | *((u32 *) f->event_mask + 1) = uf.event_mask[1]; | 
|  | 1886 | } | 
|  | 1887 | break; | 
|  | 1888 |  | 
|  | 1889 | default: | 
|  | 1890 | err = -ENOPROTOOPT; | 
|  | 1891 | break; | 
|  | 1892 | } | 
|  | 1893 |  | 
|  | 1894 | done: | 
|  | 1895 | release_sock(sk); | 
|  | 1896 | return err; | 
|  | 1897 | } | 
|  | 1898 |  | 
|  | 1899 | static int hci_sock_getsockopt(struct socket *sock, int level, int optname, | 
|  | 1900 | char __user *optval, int __user *optlen) | 
|  | 1901 | { | 
|  | 1902 | struct hci_ufilter uf; | 
|  | 1903 | struct sock *sk = sock->sk; | 
|  | 1904 | int len, opt, err = 0; | 
|  | 1905 |  | 
|  | 1906 | BT_DBG("sk %p, opt %d", sk, optname); | 
|  | 1907 |  | 
|  | 1908 | if (level != SOL_HCI) | 
|  | 1909 | return -ENOPROTOOPT; | 
|  | 1910 |  | 
|  | 1911 | if (get_user(len, optlen)) | 
|  | 1912 | return -EFAULT; | 
|  | 1913 |  | 
|  | 1914 | lock_sock(sk); | 
|  | 1915 |  | 
|  | 1916 | if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { | 
|  | 1917 | err = -EBADFD; | 
|  | 1918 | goto done; | 
|  | 1919 | } | 
|  | 1920 |  | 
|  | 1921 | switch (optname) { | 
|  | 1922 | case HCI_DATA_DIR: | 
|  | 1923 | if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) | 
|  | 1924 | opt = 1; | 
|  | 1925 | else | 
|  | 1926 | opt = 0; | 
|  | 1927 |  | 
|  | 1928 | if (put_user(opt, optval)) | 
|  | 1929 | err = -EFAULT; | 
|  | 1930 | break; | 
|  | 1931 |  | 
|  | 1932 | case HCI_TIME_STAMP: | 
|  | 1933 | if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) | 
|  | 1934 | opt = 1; | 
|  | 1935 | else | 
|  | 1936 | opt = 0; | 
|  | 1937 |  | 
|  | 1938 | if (put_user(opt, optval)) | 
|  | 1939 | err = -EFAULT; | 
|  | 1940 | break; | 
|  | 1941 |  | 
|  | 1942 | case HCI_FILTER: | 
|  | 1943 | { | 
|  | 1944 | struct hci_filter *f = &hci_pi(sk)->filter; | 
|  | 1945 |  | 
|  | 1946 | memset(&uf, 0, sizeof(uf)); | 
|  | 1947 | uf.type_mask = f->type_mask; | 
|  | 1948 | uf.opcode    = f->opcode; | 
|  | 1949 | uf.event_mask[0] = *((u32 *) f->event_mask + 0); | 
|  | 1950 | uf.event_mask[1] = *((u32 *) f->event_mask + 1); | 
|  | 1951 | } | 
|  | 1952 |  | 
|  | 1953 | len = min_t(unsigned int, len, sizeof(uf)); | 
|  | 1954 | if (copy_to_user(optval, &uf, len)) | 
|  | 1955 | err = -EFAULT; | 
|  | 1956 | break; | 
|  | 1957 |  | 
|  | 1958 | default: | 
|  | 1959 | err = -ENOPROTOOPT; | 
|  | 1960 | break; | 
|  | 1961 | } | 
|  | 1962 |  | 
|  | 1963 | done: | 
|  | 1964 | release_sock(sk); | 
|  | 1965 | return err; | 
|  | 1966 | } | 
|  | 1967 |  | 
|  | 1968 | static const struct proto_ops hci_sock_ops = { | 
|  | 1969 | .family		= PF_BLUETOOTH, | 
|  | 1970 | .owner		= THIS_MODULE, | 
|  | 1971 | .release	= hci_sock_release, | 
|  | 1972 | .bind		= hci_sock_bind, | 
|  | 1973 | .getname	= hci_sock_getname, | 
|  | 1974 | .sendmsg	= hci_sock_sendmsg, | 
|  | 1975 | .recvmsg	= hci_sock_recvmsg, | 
|  | 1976 | .ioctl		= hci_sock_ioctl, | 
|  | 1977 | .poll		= datagram_poll, | 
|  | 1978 | .listen		= sock_no_listen, | 
|  | 1979 | .shutdown	= sock_no_shutdown, | 
|  | 1980 | .setsockopt	= hci_sock_setsockopt, | 
|  | 1981 | .getsockopt	= hci_sock_getsockopt, | 
|  | 1982 | .connect	= sock_no_connect, | 
|  | 1983 | .socketpair	= sock_no_socketpair, | 
|  | 1984 | .accept		= sock_no_accept, | 
|  | 1985 | .mmap		= sock_no_mmap | 
|  | 1986 | }; | 
|  | 1987 |  | 
|  | 1988 | static struct proto hci_sk_proto = { | 
|  | 1989 | .name		= "HCI", | 
|  | 1990 | .owner		= THIS_MODULE, | 
|  | 1991 | .obj_size	= sizeof(struct hci_pinfo) | 
|  | 1992 | }; | 
|  | 1993 |  | 
|  | 1994 | static int hci_sock_create(struct net *net, struct socket *sock, int protocol, | 
|  | 1995 | int kern) | 
|  | 1996 | { | 
|  | 1997 | struct sock *sk; | 
|  | 1998 |  | 
|  | 1999 | BT_DBG("sock %p", sock); | 
|  | 2000 |  | 
|  | 2001 | if (sock->type != SOCK_RAW) | 
|  | 2002 | return -ESOCKTNOSUPPORT; | 
|  | 2003 |  | 
|  | 2004 | sock->ops = &hci_sock_ops; | 
|  | 2005 |  | 
|  | 2006 | sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern); | 
|  | 2007 | if (!sk) | 
|  | 2008 | return -ENOMEM; | 
|  | 2009 |  | 
|  | 2010 | sock_init_data(sock, sk); | 
|  | 2011 |  | 
|  | 2012 | sock_reset_flag(sk, SOCK_ZAPPED); | 
|  | 2013 |  | 
|  | 2014 | sk->sk_protocol = protocol; | 
|  | 2015 |  | 
|  | 2016 | sock->state = SS_UNCONNECTED; | 
|  | 2017 | sk->sk_state = BT_OPEN; | 
|  | 2018 |  | 
|  | 2019 | bt_sock_link(&hci_sk_list, sk); | 
|  | 2020 | return 0; | 
|  | 2021 | } | 
|  | 2022 |  | 
|  | 2023 | static const struct net_proto_family hci_sock_family_ops = { | 
|  | 2024 | .family	= PF_BLUETOOTH, | 
|  | 2025 | .owner	= THIS_MODULE, | 
|  | 2026 | .create	= hci_sock_create, | 
|  | 2027 | }; | 
|  | 2028 |  | 
|  | 2029 | int __init hci_sock_init(void) | 
|  | 2030 | { | 
|  | 2031 | int err; | 
|  | 2032 |  | 
|  | 2033 | BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr)); | 
|  | 2034 |  | 
|  | 2035 | err = proto_register(&hci_sk_proto, 0); | 
|  | 2036 | if (err < 0) | 
|  | 2037 | return err; | 
|  | 2038 |  | 
|  | 2039 | err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); | 
|  | 2040 | if (err < 0) { | 
|  | 2041 | BT_ERR("HCI socket registration failed"); | 
|  | 2042 | goto error; | 
|  | 2043 | } | 
|  | 2044 |  | 
|  | 2045 | err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL); | 
|  | 2046 | if (err < 0) { | 
|  | 2047 | BT_ERR("Failed to create HCI proc file"); | 
|  | 2048 | bt_sock_unregister(BTPROTO_HCI); | 
|  | 2049 | goto error; | 
|  | 2050 | } | 
|  | 2051 |  | 
|  | 2052 | BT_INFO("HCI socket layer initialized"); | 
|  | 2053 |  | 
|  | 2054 | return 0; | 
|  | 2055 |  | 
|  | 2056 | error: | 
|  | 2057 | proto_unregister(&hci_sk_proto); | 
|  | 2058 | return err; | 
|  | 2059 | } | 
|  | 2060 |  | 
|  | 2061 | void hci_sock_cleanup(void) | 
|  | 2062 | { | 
|  | 2063 | bt_procfs_cleanup(&init_net, "hci"); | 
|  | 2064 | bt_sock_unregister(BTPROTO_HCI); | 
|  | 2065 | proto_unregister(&hci_sk_proto); | 
|  | 2066 | } |