net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 static inline int hci_test_bit(int nr, void *addr)
  39 {
  40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  41 }
  42
  43 /* Security filter */
  44 static struct hci_sec_filter hci_sec_filter = {
  45         /* Packet types */
  46         0x10,
  47         /* Events */
  48         { 0x1000d9fe, 0x0000b00c },
  49         /* Commands */
  50         {
  51                 { 0x0 },
  52                 /* OGF_LINK_CTL */
  53                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  54                 /* OGF_LINK_POLICY */
  55                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  56                 /* OGF_HOST_CTL */
  57                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  58                 /* OGF_INFO_PARAM */
  59                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  60                 /* OGF_STATUS_PARAM */
  61                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  62         }
  63 };
  64
  65 static struct bt_sock_list hci_sk_list = {
  66         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  67 };
  68
  69 /* Send frame to RAW socket */
  70 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
  71 {
  72         struct sock *sk;
  73         struct hlist_node *node;
  74         struct sk_buff *skb_copy = NULL;
  75
  76         BT_DBG("hdev %p len %d", hdev, skb->len);
  77
  78         read_lock(&hci_sk_list.lock);
  79
  80         sk_for_each(sk, node, &hci_sk_list.head) {
  81                 struct hci_filter *flt;
  82                 struct sk_buff *nskb;
  83
  84                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
  85                         continue;
  86
  87                 /* Don't send frame to the socket it came from */
  88                 if (skb->sk == sk)
  89                         continue;
  90
  91                 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW)
  92                         continue;
  93
  94                 /* Apply filter */
  95                 flt = &hci_pi(sk)->filter;
  96
  97                 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ?
  98                               0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS),
  99                               &flt->type_mask))
 100                         continue;
 101
 102                 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) {
 103                         int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
 104
 105                         if (!hci_test_bit(evt, &flt->event_mask))
 106                                 continue;
 107
 108                         if (flt->opcode &&
 109                             ((evt == HCI_EV_CMD_COMPLETE &&
 110                               flt->opcode !=
 111                               get_unaligned((__le16 *)(skb->data + 3))) ||
 112                              (evt == HCI_EV_CMD_STATUS &&
 113                               flt->opcode !=
 114                               get_unaligned((__le16 *)(skb->data + 4)))))
 115                                 continue;
 116                 }
 117
 118                 if (!skb_copy) {
 119                         /* Create a private copy with headroom */
 120                         skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
 121                         if (!skb_copy)
 122                                 continue;
 123
 124                         /* Put type byte before the data */
 125                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 126                 }
 127
 128                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 129                 if (!nskb)
 130                         continue;
 131
 132                 if (sock_queue_rcv_skb(sk, nskb))
 133                         kfree_skb(nskb);
 134         }
 135
 136         read_unlock(&hci_sk_list.lock);
 137
 138         kfree_skb(skb_copy);
 139 }
 140
 141 /* Send frame to control socket */
 142 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 143 {
 144         struct sock *sk;
 145         struct hlist_node *node;
 146
 147         BT_DBG("len %d", skb->len);
 148
 149         read_lock(&hci_sk_list.lock);
 150
 151         sk_for_each(sk, node, &hci_sk_list.head) {
 152                 struct sk_buff *nskb;
 153
 154                 /* Skip the original socket */
 155                 if (sk == skip_sk)
 156                         continue;
 157
 158                 if (sk->sk_state != BT_BOUND)
 159                         continue;
 160
 161                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 162                         continue;
 163
 164                 nskb = skb_clone(skb, GFP_ATOMIC);
 165                 if (!nskb)
 166                         continue;
 167
 168                 if (sock_queue_rcv_skb(sk, nskb))
 169                         kfree_skb(nskb);
 170         }
 171
 172         read_unlock(&hci_sk_list.lock);
 173 }
 174
 175 /* Send frame to monitor socket */
 176 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 177 {
 178         struct sock *sk;
 179         struct hlist_node *node;
 180         struct sk_buff *skb_copy = NULL;
 181         __le16 opcode;
 182
 183         if (!atomic_read(&monitor_promisc))
 184                 return;
 185
 186         BT_DBG("hdev %p len %d", hdev, skb->len);
 187
 188         switch (bt_cb(skb)->pkt_type) {
 189         case HCI_COMMAND_PKT:
 190                 opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
 191                 break;
 192         case HCI_EVENT_PKT:
 193                 opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
 194                 break;
 195         case HCI_ACLDATA_PKT:
 196                 if (bt_cb(skb)->incoming)
 197                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
 198                 else
 199                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
 200                 break;
 201         case HCI_SCODATA_PKT:
 202                 if (bt_cb(skb)->incoming)
 203                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
 204                 else
 205                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
 206                 break;
 207         default:
 208                 return;
 209         }
 210
 211         read_lock(&hci_sk_list.lock);
 212
 213         sk_for_each(sk, node, &hci_sk_list.head) {
 214                 struct sk_buff *nskb;
 215
 216                 if (sk->sk_state != BT_BOUND)
 217                         continue;
 218
 219                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 220                         continue;
 221
 222                 if (!skb_copy) {
 223                         struct hci_mon_hdr *hdr;
 224
 225                         /* Create a private copy with headroom */
 226                         skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
 227                                                GFP_ATOMIC);
 228                         if (!skb_copy)
 229                                 continue;
 230
 231                         /* Put header before the data */
 232                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 233                         hdr->opcode = opcode;
 234                         hdr->index = cpu_to_le16(hdev->id);
 235                         hdr->len = cpu_to_le16(skb->len);
 236                 }
 237
 238                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 239                 if (!nskb)
 240                         continue;
 241
 242                 if (sock_queue_rcv_skb(sk, nskb))
 243                         kfree_skb(nskb);
 244         }
 245
 246         read_unlock(&hci_sk_list.lock);
 247
 248         kfree_skb(skb_copy);
 249 }
 250
 251 static void send_monitor_event(struct sk_buff *skb)
 252 {
 253         struct sock *sk;
 254         struct hlist_node *node;
 255
 256         BT_DBG("len %d", skb->len);
 257
 258         read_lock(&hci_sk_list.lock);
 259
 260         sk_for_each(sk, node, &hci_sk_list.head) {
 261                 struct sk_buff *nskb;
 262
 263                 if (sk->sk_state != BT_BOUND)
 264                         continue;
 265
 266                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 267                         continue;
 268
 269                 nskb = skb_clone(skb, GFP_ATOMIC);
 270                 if (!nskb)
 271                         continue;
 272
 273                 if (sock_queue_rcv_skb(sk, nskb))
 274                         kfree_skb(nskb);
 275         }
 276
 277         read_unlock(&hci_sk_list.lock);
 278 }
 279
 280 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 281 {
 282         struct hci_mon_hdr *hdr;
 283         struct hci_mon_new_index *ni;
 284         struct sk_buff *skb;
 285         __le16 opcode;
 286
 287         switch (event) {
 288         case HCI_DEV_REG:
 289                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 290                 if (!skb)
 291                         return NULL;
 292
 293                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 294                 ni->type = hdev->dev_type;
 295                 ni->bus = hdev->bus;
 296                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 297                 memcpy(ni->name, hdev->name, 8);
 298
 299                 opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
 300                 break;
 301
 302         case HCI_DEV_UNREG:
 303                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 304                 if (!skb)
 305                         return NULL;
 306
 307                 opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
 308                 break;
 309
 310         default:
 311                 return NULL;
 312         }
 313
 314         __net_timestamp(skb);
 315
 316         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 317         hdr->opcode = opcode;
 318         hdr->index = cpu_to_le16(hdev->id);
 319         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 320
 321         return skb;
 322 }
 323
 324 static void send_monitor_replay(struct sock *sk)
 325 {
 326         struct hci_dev *hdev;
 327
 328         read_lock(&hci_dev_list_lock);
 329
 330         list_for_each_entry(hdev, &hci_dev_list, list) {
 331                 struct sk_buff *skb;
 332
 333                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 334                 if (!skb)
 335                         continue;
 336
 337                 if (sock_queue_rcv_skb(sk, skb))
 338                         kfree_skb(skb);
 339         }
 340
 341         read_unlock(&hci_dev_list_lock);
 342 }
 343
 344 /* Generate internal stack event */
 345 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 346 {
 347         struct hci_event_hdr *hdr;
 348         struct hci_ev_stack_internal *ev;
 349         struct sk_buff *skb;
 350
 351         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 352         if (!skb)
 353                 return;
 354
 355         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 356         hdr->evt  = HCI_EV_STACK_INTERNAL;
 357         hdr->plen = sizeof(*ev) + dlen;
 358
 359         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 360         ev->type = type;
 361         memcpy(ev->data, data, dlen);
 362
 363         bt_cb(skb)->incoming = 1;
 364         __net_timestamp(skb);
 365
 366         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 367         skb->dev = (void *) hdev;
 368         hci_send_to_sock(hdev, skb);
 369         kfree_skb(skb);
 370 }
 371
 372 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 373 {
 374         struct hci_ev_si_device ev;
 375
 376         BT_DBG("hdev %s event %d", hdev->name, event);
 377
 378         /* Send event to monitor */
 379         if (atomic_read(&monitor_promisc)) {
 380                 struct sk_buff *skb;
 381
 382                 skb = create_monitor_event(hdev, event);
 383                 if (skb) {
 384                         send_monitor_event(skb);
 385                         kfree_skb(skb);
 386                 }
 387         }
 388
 389         /* Send event to sockets */
 390         ev.event  = event;
 391         ev.dev_id = hdev->id;
 392         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 393
 394         if (event == HCI_DEV_UNREG) {
 395                 struct sock *sk;
 396                 struct hlist_node *node;
 397
 398                 /* Detach sockets from device */
 399                 read_lock(&hci_sk_list.lock);
 400                 sk_for_each(sk, node, &hci_sk_list.head) {
 401                         bh_lock_sock_nested(sk);
 402                         if (hci_pi(sk)->hdev == hdev) {
 403                                 hci_pi(sk)->hdev = NULL;
 404                                 sk->sk_err = EPIPE;
 405                                 sk->sk_state = BT_OPEN;
 406                                 sk->sk_state_change(sk);
 407
 408                                 hci_dev_put(hdev);
 409                         }
 410                         bh_unlock_sock(sk);
 411                 }
 412                 read_unlock(&hci_sk_list.lock);
 413         }
 414 }
 415
 416 static int hci_sock_release(struct socket *sock)
 417 {
 418         struct sock *sk = sock->sk;
 419         struct hci_dev *hdev;
 420
 421         BT_DBG("sock %p sk %p", sock, sk);
 422
 423         if (!sk)
 424                 return 0;
 425
 426         hdev = hci_pi(sk)->hdev;
 427
 428         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 429                 atomic_dec(&monitor_promisc);
 430
 431         bt_sock_unlink(&hci_sk_list, sk);
 432
 433         if (hdev) {
 434                 atomic_dec(&hdev->promisc);
 435                 hci_dev_put(hdev);
 436         }
 437
 438         sock_orphan(sk);
 439
 440         skb_queue_purge(&sk->sk_receive_queue);
 441         skb_queue_purge(&sk->sk_write_queue);
 442
 443         sock_put(sk);
 444         return 0;
 445 }
 446
 447 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 448 {
 449         bdaddr_t bdaddr;
 450         int err;
 451
 452         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 453                 return -EFAULT;
 454
 455         hci_dev_lock(hdev);
 456
 457         err = hci_blacklist_add(hdev, &bdaddr, 0);
 458
 459         hci_dev_unlock(hdev);
 460
 461         return err;
 462 }
 463
 464 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 465 {
 466         bdaddr_t bdaddr;
 467         int err;
 468
 469         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 470                 return -EFAULT;
 471
 472         hci_dev_lock(hdev);
 473
 474         err = hci_blacklist_del(hdev, &bdaddr, 0);
 475
 476         hci_dev_unlock(hdev);
 477
 478         return err;
 479 }
 480
 481 /* Ioctls that require bound socket */
 482 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 483                                 unsigned long arg)
 484 {
 485         struct hci_dev *hdev = hci_pi(sk)->hdev;
 486
 487         if (!hdev)
 488                 return -EBADFD;
 489
 490         switch (cmd) {
 491         case HCISETRAW:
 492                 if (!capable(CAP_NET_ADMIN))
 493                         return -EACCES;
 494
 495                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 496                         return -EPERM;
 497
 498                 if (arg)
 499                         set_bit(HCI_RAW, &hdev->flags);
 500                 else
 501                         clear_bit(HCI_RAW, &hdev->flags);
 502
 503                 return 0;
 504
 505         case HCIGETCONNINFO:
 506                 return hci_get_conn_info(hdev, (void __user *) arg);
 507
 508         case HCIGETAUTHINFO:
 509                 return hci_get_auth_info(hdev, (void __user *) arg);
 510
 511         case HCIBLOCKADDR:
 512                 if (!capable(CAP_NET_ADMIN))
 513                         return -EACCES;
 514                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 515
 516         case HCIUNBLOCKADDR:
 517                 if (!capable(CAP_NET_ADMIN))
 518                         return -EACCES;
 519                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 520
 521         default:
 522                 if (hdev->ioctl)
 523                         return hdev->ioctl(hdev, cmd, arg);
 524                 return -EINVAL;
 525         }
 526 }
 527
 528 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 529                           unsigned long arg)
 530 {
 531         struct sock *sk = sock->sk;
 532         void __user *argp = (void __user *) arg;
 533         int err;
 534
 535         BT_DBG("cmd %x arg %lx", cmd, arg);
 536
 537         switch (cmd) {
 538         case HCIGETDEVLIST:
 539                 return hci_get_dev_list(argp);
 540
 541         case HCIGETDEVINFO:
 542                 return hci_get_dev_info(argp);
 543
 544         case HCIGETCONNLIST:
 545                 return hci_get_conn_list(argp);
 546
 547         case HCIDEVUP:
 548                 if (!capable(CAP_NET_ADMIN))
 549                         return -EACCES;
 550                 return hci_dev_open(arg);
 551
 552         case HCIDEVDOWN:
 553                 if (!capable(CAP_NET_ADMIN))
 554                         return -EACCES;
 555                 return hci_dev_close(arg);
 556
 557         case HCIDEVRESET:
 558                 if (!capable(CAP_NET_ADMIN))
 559                         return -EACCES;
 560                 return hci_dev_reset(arg);
 561
 562         case HCIDEVRESTAT:
 563                 if (!capable(CAP_NET_ADMIN))
 564                         return -EACCES;
 565                 return hci_dev_reset_stat(arg);
 566
 567         case HCISETSCAN:
 568         case HCISETAUTH:
 569         case HCISETENCRYPT:
 570         case HCISETPTYPE:
 571         case HCISETLINKPOL:
 572         case HCISETLINKMODE:
 573         case HCISETACLMTU:
 574         case HCISETSCOMTU:
 575                 if (!capable(CAP_NET_ADMIN))
 576                         return -EACCES;
 577                 return hci_dev_cmd(cmd, argp);
 578
 579         case HCIINQUIRY:
 580                 return hci_inquiry(argp);
 581
 582         default:
 583                 lock_sock(sk);
 584                 err = hci_sock_bound_ioctl(sk, cmd, arg);
 585                 release_sock(sk);
 586                 return err;
 587         }
 588 }
 589
 590 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 591                          int addr_len)
 592 {
 593         struct sockaddr_hci haddr;
 594         struct sock *sk = sock->sk;
 595         struct hci_dev *hdev = NULL;
 596         int len, err = 0;
 597
 598         BT_DBG("sock %p sk %p", sock, sk);
 599
 600         if (!addr)
 601                 return -EINVAL;
 602
 603         memset(&haddr, 0, sizeof(haddr));
 604         len = min_t(unsigned int, sizeof(haddr), addr_len);
 605         memcpy(&haddr, addr, len);
 606
 607         if (haddr.hci_family != AF_BLUETOOTH)
 608                 return -EINVAL;
 609
 610         lock_sock(sk);
 611
 612         if (sk->sk_state == BT_BOUND) {
 613                 err = -EALREADY;
 614                 goto done;
 615         }
 616
 617         switch (haddr.hci_channel) {
 618         case HCI_CHANNEL_RAW:
 619                 if (hci_pi(sk)->hdev) {
 620                         err = -EALREADY;
 621                         goto done;
 622                 }
 623
 624                 if (haddr.hci_dev != HCI_DEV_NONE) {
 625                         hdev = hci_dev_get(haddr.hci_dev);
 626                         if (!hdev) {
 627                                 err = -ENODEV;
 628                                 goto done;
 629                         }
 630
 631                         atomic_inc(&hdev->promisc);
 632                 }
 633
 634                 hci_pi(sk)->hdev = hdev;
 635                 break;
 636
 637         case HCI_CHANNEL_CONTROL:
 638                 if (haddr.hci_dev != HCI_DEV_NONE) {
 639                         err = -EINVAL;
 640                         goto done;
 641                 }
 642
 643                 if (!capable(CAP_NET_ADMIN)) {
 644                         err = -EPERM;
 645                         goto done;
 646                 }
 647
 648                 break;
 649
 650         case HCI_CHANNEL_MONITOR:
 651                 if (haddr.hci_dev != HCI_DEV_NONE) {
 652                         err = -EINVAL;
 653                         goto done;
 654                 }
 655
 656                 if (!capable(CAP_NET_RAW)) {
 657                         err = -EPERM;
 658                         goto done;
 659                 }
 660
 661                 send_monitor_replay(sk);
 662
 663                 atomic_inc(&monitor_promisc);
 664                 break;
 665
 666         default:
 667                 err = -EINVAL;
 668                 goto done;
 669         }
 670
 671
 672         hci_pi(sk)->channel = haddr.hci_channel;
 673         sk->sk_state = BT_BOUND;
 674
 675 done:
 676         release_sock(sk);
 677         return err;
 678 }
 679
 680 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 681                             int *addr_len, int peer)
 682 {
 683         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 684         struct sock *sk = sock->sk;
 685         struct hci_dev *hdev = hci_pi(sk)->hdev;
 686
 687         BT_DBG("sock %p sk %p", sock, sk);
 688
 689         if (!hdev)
 690                 return -EBADFD;
 691
 692         lock_sock(sk);
 693
 694         *addr_len = sizeof(*haddr);
 695         haddr->hci_family = AF_BLUETOOTH;
 696         haddr->hci_dev    = hdev->id;
 697         haddr->hci_channel= 0;
 698
 699         release_sock(sk);
 700         return 0;
 701 }
 702
 703 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 704                           struct sk_buff *skb)
 705 {
 706         __u32 mask = hci_pi(sk)->cmsg_mask;
 707
 708         if (mask & HCI_CMSG_DIR) {
 709                 int incoming = bt_cb(skb)->incoming;
 710                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 711                          &incoming);
 712         }
 713
 714         if (mask & HCI_CMSG_TSTAMP) {
 715 #ifdef CONFIG_COMPAT
 716                 struct compat_timeval ctv;
 717 #endif
 718                 struct timeval tv;
 719                 void *data;
 720                 int len;
 721
 722                 skb_get_timestamp(skb, &tv);
 723
 724                 data = &tv;
 725                 len = sizeof(tv);
 726 #ifdef CONFIG_COMPAT
 727                 if (!COMPAT_USE_64BIT_TIME &&
 728                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 729                         ctv.tv_sec = tv.tv_sec;
 730                         ctv.tv_usec = tv.tv_usec;
 731                         data = &ctv;
 732                         len = sizeof(ctv);
 733                 }
 734 #endif
 735
 736                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 737         }
 738 }
 739
 740 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 741                             struct msghdr *msg, size_t len, int flags)
 742 {
 743         int noblock = flags & MSG_DONTWAIT;
 744         struct sock *sk = sock->sk;
 745         struct sk_buff *skb;
 746         int copied, err;
 747
 748         BT_DBG("sock %p, sk %p", sock, sk);
 749
 750         if (flags & (MSG_OOB))
 751                 return -EOPNOTSUPP;
 752
 753         if (sk->sk_state == BT_CLOSED)
 754                 return 0;
 755
 756         skb = skb_recv_datagram(sk, flags, noblock, &err);
 757         if (!skb)
 758                 return err;
 759
 760         msg->msg_namelen = 0;
 761
 762         copied = skb->len;
 763         if (len < copied) {
 764                 msg->msg_flags |= MSG_TRUNC;
 765                 copied = len;
 766         }
 767
 768         skb_reset_transport_header(skb);
 769         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 770
 771         switch (hci_pi(sk)->channel) {
 772         case HCI_CHANNEL_RAW:
 773                 hci_sock_cmsg(sk, msg, skb);
 774                 break;
 775         case HCI_CHANNEL_CONTROL:
 776         case HCI_CHANNEL_MONITOR:
 777                 sock_recv_timestamp(msg, sk, skb);
 778                 break;
 779         }
 780
 781         skb_free_datagram(sk, skb);
 782
 783         return err ? : copied;
 784 }
 785
 786 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 787                             struct msghdr *msg, size_t len)
 788 {
 789         struct sock *sk = sock->sk;
 790         struct hci_dev *hdev;
 791         struct sk_buff *skb;
 792         int err;
 793
 794         BT_DBG("sock %p sk %p", sock, sk);
 795
 796         if (msg->msg_flags & MSG_OOB)
 797                 return -EOPNOTSUPP;
 798
 799         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 800                 return -EINVAL;
 801
 802         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 803                 return -EINVAL;
 804
 805         lock_sock(sk);
 806
 807         switch (hci_pi(sk)->channel) {
 808         case HCI_CHANNEL_RAW:
 809                 break;
 810         case HCI_CHANNEL_CONTROL:
 811                 err = mgmt_control(sk, msg, len);
 812                 goto done;
 813         case HCI_CHANNEL_MONITOR:
 814                 err = -EOPNOTSUPP;
 815                 goto done;
 816         default:
 817                 err = -EINVAL;
 818                 goto done;
 819         }
 820
 821         hdev = hci_pi(sk)->hdev;
 822         if (!hdev) {
 823                 err = -EBADFD;
 824                 goto done;
 825         }
 826
 827         if (!test_bit(HCI_UP, &hdev->flags)) {
 828                 err = -ENETDOWN;
 829                 goto done;
 830         }
 831
 832         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 833         if (!skb)
 834                 goto done;
 835
 836         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 837                 err = -EFAULT;
 838                 goto drop;
 839         }
 840
 841         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 842         skb_pull(skb, 1);
 843         skb->dev = (void *) hdev;
 844
 845         if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 846                 u16 opcode = get_unaligned_le16(skb->data);
 847                 u16 ogf = hci_opcode_ogf(opcode);
 848                 u16 ocf = hci_opcode_ocf(opcode);
 849
 850                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 851                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 852                                    &hci_sec_filter.ocf_mask[ogf])) &&
 853                     !capable(CAP_NET_RAW)) {
 854                         err = -EPERM;
 855                         goto drop;
 856                 }
 857
 858                 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
 859                         skb_queue_tail(&hdev->raw_q, skb);
 860                         queue_work(hdev->workqueue, &hdev->tx_work);
 861                 } else {
 862                         skb_queue_tail(&hdev->cmd_q, skb);
 863                         queue_work(hdev->workqueue, &hdev->cmd_work);
 864                 }
 865         } else {
 866                 if (!capable(CAP_NET_RAW)) {
 867                         err = -EPERM;
 868                         goto drop;
 869                 }
 870
 871                 skb_queue_tail(&hdev->raw_q, skb);
 872                 queue_work(hdev->workqueue, &hdev->tx_work);
 873         }
 874
 875         err = len;
 876
 877 done:
 878         release_sock(sk);
 879         return err;
 880
 881 drop:
 882         kfree_skb(skb);
 883         goto done;
 884 }
 885
 886 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
 887                                char __user *optval, unsigned int len)
 888 {
 889         struct hci_ufilter uf = { .opcode = 0 };
 890         struct sock *sk = sock->sk;
 891         int err = 0, opt = 0;
 892
 893         BT_DBG("sk %p, opt %d", sk, optname);
 894
 895         lock_sock(sk);
 896
 897         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 898                 err = -EINVAL;
 899                 goto done;
 900         }
 901
 902         switch (optname) {
 903         case HCI_DATA_DIR:
 904                 if (get_user(opt, (int __user *)optval)) {
 905                         err = -EFAULT;
 906                         break;
 907                 }
 908
 909                 if (opt)
 910                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
 911                 else
 912                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
 913                 break;
 914
 915         case HCI_TIME_STAMP:
 916                 if (get_user(opt, (int __user *)optval)) {
 917                         err = -EFAULT;
 918                         break;
 919                 }
 920
 921                 if (opt)
 922                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
 923                 else
 924                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
 925                 break;
 926
 927         case HCI_FILTER:
 928                 {
 929                         struct hci_filter *f = &hci_pi(sk)->filter;
 930
 931                         uf.type_mask = f->type_mask;
 932                         uf.opcode    = f->opcode;
 933                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
 934                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
 935                 }
 936
 937                 len = min_t(unsigned int, len, sizeof(uf));
 938                 if (copy_from_user(&uf, optval, len)) {
 939                         err = -EFAULT;
 940                         break;
 941                 }
 942
 943                 if (!capable(CAP_NET_RAW)) {
 944                         uf.type_mask &= hci_sec_filter.type_mask;
 945                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
 946                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
 947                 }
 948
 949                 {
 950                         struct hci_filter *f = &hci_pi(sk)->filter;
 951
 952                         f->type_mask = uf.type_mask;
 953                         f->opcode    = uf.opcode;
 954                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
 955                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
 956                 }
 957                 break;
 958
 959         default:
 960                 err = -ENOPROTOOPT;
 961                 break;
 962         }
 963
 964 done:
 965         release_sock(sk);
 966         return err;
 967 }
 968
 969 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
 970                                char __user *optval, int __user *optlen)
 971 {
 972         struct hci_ufilter uf;
 973         struct sock *sk = sock->sk;
 974         int len, opt, err = 0;
 975
 976         BT_DBG("sk %p, opt %d", sk, optname);
 977
 978         if (get_user(len, optlen))
 979                 return -EFAULT;
 980
 981         lock_sock(sk);
 982
 983         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 984                 err = -EINVAL;
 985                 goto done;
 986         }
 987
 988         switch (optname) {
 989         case HCI_DATA_DIR:
 990                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
 991                         opt = 1;
 992                 else
 993                         opt = 0;
 994
 995                 if (put_user(opt, optval))
 996                         err = -EFAULT;
 997                 break;
 998
 999         case HCI_TIME_STAMP:
1000                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1001                         opt = 1;
1002                 else
1003                         opt = 0;
1004
1005                 if (put_user(opt, optval))
1006                         err = -EFAULT;
1007                 break;
1008
1009         case HCI_FILTER:
1010                 {
1011                         struct hci_filter *f = &hci_pi(sk)->filter;
1012
1013                         memset(&uf, 0, sizeof(uf));
1014                         uf.type_mask = f->type_mask;
1015                         uf.opcode    = f->opcode;
1016                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1017                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1018                 }
1019
1020                 len = min_t(unsigned int, len, sizeof(uf));
1021                 if (copy_to_user(optval, &uf, len))
1022                         err = -EFAULT;
1023                 break;
1024
1025         default:
1026                 err = -ENOPROTOOPT;
1027                 break;
1028         }
1029
1030 done:
1031         release_sock(sk);
1032         return err;
1033 }
1034
1035 static const struct proto_ops hci_sock_ops = {
1036         .family         = PF_BLUETOOTH,
1037         .owner          = THIS_MODULE,
1038         .release        = hci_sock_release,
1039         .bind           = hci_sock_bind,
1040         .getname        = hci_sock_getname,
1041         .sendmsg        = hci_sock_sendmsg,
1042         .recvmsg        = hci_sock_recvmsg,
1043         .ioctl          = hci_sock_ioctl,
1044         .poll           = datagram_poll,
1045         .listen         = sock_no_listen,
1046         .shutdown       = sock_no_shutdown,
1047         .setsockopt     = hci_sock_setsockopt,
1048         .getsockopt     = hci_sock_getsockopt,
1049         .connect        = sock_no_connect,
1050         .socketpair     = sock_no_socketpair,
1051         .accept         = sock_no_accept,
1052         .mmap           = sock_no_mmap
1053 };
1054
1055 static struct proto hci_sk_proto = {
1056         .name           = "HCI",
1057         .owner          = THIS_MODULE,
1058         .obj_size       = sizeof(struct hci_pinfo)
1059 };
1060
1061 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1062                            int kern)
1063 {
1064         struct sock *sk;
1065
1066         BT_DBG("sock %p", sock);
1067
1068         if (sock->type != SOCK_RAW)
1069                 return -ESOCKTNOSUPPORT;
1070
1071         sock->ops = &hci_sock_ops;
1072
1073         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1074         if (!sk)
1075                 return -ENOMEM;
1076
1077         sock_init_data(sock, sk);
1078
1079         sock_reset_flag(sk, SOCK_ZAPPED);
1080
1081         sk->sk_protocol = protocol;
1082
1083         sock->state = SS_UNCONNECTED;
1084         sk->sk_state = BT_OPEN;
1085
1086         bt_sock_link(&hci_sk_list, sk);
1087         return 0;
1088 }
1089
1090 static const struct net_proto_family hci_sock_family_ops = {
1091         .family = PF_BLUETOOTH,
1092         .owner  = THIS_MODULE,
1093         .create = hci_sock_create,
1094 };
1095
1096 int __init hci_sock_init(void)
1097 {
1098         int err;
1099
1100         err = proto_register(&hci_sk_proto, 0);
1101         if (err < 0)
1102                 return err;
1103
1104         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1105         if (err < 0)
1106                 goto error;
1107
1108         BT_INFO("HCI socket layer initialized");
1109
1110         return 0;
1111
1112 error:
1113         BT_ERR("HCI socket registration failed");
1114         proto_unregister(&hci_sk_proto);
1115         return err;
1116 }
1117
1118 void hci_sock_cleanup(void)
1119 {
1120         if (bt_sock_unregister(BTPROTO_HCI) < 0)
1121                 BT_ERR("HCI socket unregistration failed");
1122
1123         proto_unregister(&hci_sk_proto);
1124 }