1/* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23*/ 24 25/* Bluetooth HCI sockets. */ 26 27#include <linux/module.h> 28 29#include <linux/types.h> 30#include <linux/capability.h> 31#include <linux/errno.h> 32#include <linux/kernel.h> 33#include <linux/slab.h> 34#include <linux/poll.h> 35#include <linux/fcntl.h> 36#include <linux/init.h> 37#include <linux/skbuff.h> 38#include <linux/workqueue.h> 39#include <linux/interrupt.h> 40#include <linux/socket.h> 41#include <linux/ioctl.h> 42#include <net/sock.h> 43 44#include <asm/system.h> 45#include <asm/uaccess.h> 46#include <asm/unaligned.h> 47 48#include <net/bluetooth/bluetooth.h> 49#include <net/bluetooth/hci_core.h> 50 51#ifndef CONFIG_BT_HCI_SOCK_DEBUG 52#undef BT_DBG 53#define BT_DBG(D...) 54#endif 55 56/* ----- HCI socket interface ----- */ 57 58static inline int hci_test_bit(int nr, void *addr) 59{ 60 return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); 61} 62 63/* Security filter */ 64static struct hci_sec_filter hci_sec_filter = { 65 /* Packet types */ 66 0x10, 67 /* Events */ 68 { 0x1000d9fe, 0x0000b00c }, 69 /* Commands */ 70 { 71 { 0x0 }, 72 /* OGF_LINK_CTL */ 73 { 0xbe000006, 0x00000001, 0x000000, 0x00 }, 74 /* OGF_LINK_POLICY */ 75 { 0x00005200, 0x00000000, 0x000000, 0x00 }, 76 /* OGF_HOST_CTL */ 77 { 0xaab00200, 0x2b402aaa, 0x020154, 0x00 }, 78 /* OGF_INFO_PARAM */ 79 { 0x000002be, 0x00000000, 0x000000, 0x00 }, 80 /* OGF_STATUS_PARAM */ 81 { 0x000000ea, 0x00000000, 0x000000, 0x00 } 82 } 83}; 84 85static struct bt_sock_list hci_sk_list = { 86 .lock = RW_LOCK_UNLOCKED 87}; 88 89/* Send frame to RAW socket */ 90void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) 91{ 92 struct sock *sk; 93 struct hlist_node *node; 94 95 BT_DBG("hdev %p len %d", hdev, skb->len); 96 97 read_lock(&hci_sk_list.lock); 98 sk_for_each(sk, node, &hci_sk_list.head) { 99 struct hci_filter *flt; 100 struct sk_buff *nskb; 101 102 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) 103 continue; 104 105 /* Don't send frame to the socket it came from */ 106 if (skb->sk == sk) 107 continue; 108 109 /* Apply filter */ 110 flt = &hci_pi(sk)->filter; 111 112 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ? 113 0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS), &flt->type_mask)) 114 continue; 115 116 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) { 117 register int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); 118 119 if (!hci_test_bit(evt, &flt->event_mask)) 120 continue; 121 122 if (flt->opcode && 123 ((evt == HCI_EV_CMD_COMPLETE && 124 flt->opcode != 125 get_unaligned((__le16 *)(skb->data + 3))) || 126 (evt == HCI_EV_CMD_STATUS && 127 flt->opcode != 128 get_unaligned((__le16 *)(skb->data + 4))))) 129 continue; 130 } 131 132 if (!(nskb = skb_clone(skb, GFP_ATOMIC))) 133 continue; 134 135 /* Put type byte before the data */ 136 memcpy(skb_push(nskb, 1), &bt_cb(nskb)->pkt_type, 1); 137 138 if (sock_queue_rcv_skb(sk, nskb)) 139 kfree_skb(nskb); 140 } 141 read_unlock(&hci_sk_list.lock); 142} 143 144static int hci_sock_release(struct socket *sock) 145{ 146 struct sock *sk = sock->sk; 147 struct hci_dev *hdev; 148 149 BT_DBG("sock %p sk %p", sock, sk); 150 151 if (!sk) 152 return 0; 153 154 hdev = hci_pi(sk)->hdev; 155 156 bt_sock_unlink(&hci_sk_list, sk); 157 158 if (hdev) { 159 atomic_dec(&hdev->promisc); 160 hci_dev_put(hdev); 161 } 162 163 sock_orphan(sk); 164 165 skb_queue_purge(&sk->sk_receive_queue); 166 skb_queue_purge(&sk->sk_write_queue); 167 168 sock_put(sk); 169 return 0; 170} 171 172/* Ioctls that require bound socket */ 173static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg) 174{ 175 struct hci_dev *hdev = hci_pi(sk)->hdev; 176 177 if (!hdev) 178 return -EBADFD; 179 180 switch (cmd) { 181 case HCISETRAW: 182 if (!capable(CAP_NET_ADMIN)) 183 return -EACCES; 184 185 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 186 return -EPERM; 187 188 if (arg) 189 set_bit(HCI_RAW, &hdev->flags); 190 else 191 clear_bit(HCI_RAW, &hdev->flags); 192 193 return 0; 194 195 case HCISETSECMGR: 196 if (!capable(CAP_NET_ADMIN)) 197 return -EACCES; 198 199 if (arg) 200 set_bit(HCI_SECMGR, &hdev->flags); 201 else 202 clear_bit(HCI_SECMGR, &hdev->flags); 203 204 return 0; 205 206 case HCIGETCONNINFO: 207 return hci_get_conn_info(hdev, (void __user *)arg); 208 209 default: 210 if (hdev->ioctl) 211 return hdev->ioctl(hdev, cmd, arg); 212 return -EINVAL; 213 } 214} 215 216static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 217{ 218 struct sock *sk = sock->sk; 219 void __user *argp = (void __user *)arg; 220 int err; 221 222 BT_DBG("cmd %x arg %lx", cmd, arg); 223 224 switch (cmd) { 225 case HCIGETDEVLIST: 226 return hci_get_dev_list(argp); 227 228 case HCIGETDEVINFO: 229 return hci_get_dev_info(argp); 230 231 case HCIGETCONNLIST: 232 return hci_get_conn_list(argp); 233 234 case HCIDEVUP: 235 if (!capable(CAP_NET_ADMIN)) 236 return -EACCES; 237 return hci_dev_open(arg); 238 239 case HCIDEVDOWN: 240 if (!capable(CAP_NET_ADMIN)) 241 return -EACCES; 242 return hci_dev_close(arg); 243 244 case HCIDEVRESET: 245 if (!capable(CAP_NET_ADMIN)) 246 return -EACCES; 247 return hci_dev_reset(arg); 248 249 case HCIDEVRESTAT: 250 if (!capable(CAP_NET_ADMIN)) 251 return -EACCES; 252 return hci_dev_reset_stat(arg); 253 254 case HCISETSCAN: 255 case HCISETAUTH: 256 case HCISETENCRYPT: 257 case HCISETPTYPE: 258 case HCISETLINKPOL: 259 case HCISETLINKMODE: 260 case HCISETACLMTU: 261 case HCISETSCOMTU: 262 if (!capable(CAP_NET_ADMIN)) 263 return -EACCES; 264 return hci_dev_cmd(cmd, argp); 265 266 case HCIINQUIRY: 267 return hci_inquiry(argp); 268 269 default: 270 lock_sock(sk); 271 err = hci_sock_bound_ioctl(sk, cmd, arg); 272 release_sock(sk); 273 return err; 274 } 275} 276 277static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) 278{ 279 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 280 struct sock *sk = sock->sk; 281 struct hci_dev *hdev = NULL; 282 int err = 0; 283 284 BT_DBG("sock %p sk %p", sock, sk); 285 286 if (!haddr || haddr->hci_family != AF_BLUETOOTH) 287 return -EINVAL; 288 289 lock_sock(sk); 290 291 if (hci_pi(sk)->hdev) { 292 err = -EALREADY; 293 goto done; 294 } 295 296 if (haddr->hci_dev != HCI_DEV_NONE) { 297 if (!(hdev = hci_dev_get(haddr->hci_dev))) { 298 err = -ENODEV; 299 goto done; 300 } 301 302 atomic_inc(&hdev->promisc); 303 } 304 305 hci_pi(sk)->hdev = hdev; 306 sk->sk_state = BT_BOUND; 307 308done: 309 release_sock(sk); 310 return err; 311} 312 313static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *addr_len, int peer) 314{ 315 struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr; 316 struct sock *sk = sock->sk; 317 struct hci_dev *hdev = hci_pi(sk)->hdev; 318 319 BT_DBG("sock %p sk %p", sock, sk); 320 321 if (!hdev) 322 return -EBADFD; 323 324 lock_sock(sk); 325 326 *addr_len = sizeof(*haddr); 327 haddr->hci_family = AF_BLUETOOTH; 328 haddr->hci_dev = hdev->id; 329 330 release_sock(sk); 331 return 0; 332} 333 334static inline void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, struct sk_buff *skb) 335{ 336 __u32 mask = hci_pi(sk)->cmsg_mask; 337 338 if (mask & HCI_CMSG_DIR) { 339 int incoming = bt_cb(skb)->incoming; 340 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming), &incoming); 341 } 342 343 if (mask & HCI_CMSG_TSTAMP) { 344 struct timeval tv; 345 346 skb_get_timestamp(skb, &tv); 347 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, sizeof(tv), &tv); 348 } 349} 350 351static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 352 struct msghdr *msg, size_t len, int flags) 353{ 354 int noblock = flags & MSG_DONTWAIT; 355 struct sock *sk = sock->sk; 356 struct sk_buff *skb; 357 int copied, err; 358 359 BT_DBG("sock %p, sk %p", sock, sk); 360 361 if (flags & (MSG_OOB)) 362 return -EOPNOTSUPP; 363 364 if (sk->sk_state == BT_CLOSED) 365 return 0; 366 367 if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) 368 return err; 369 370 msg->msg_namelen = 0; 371 372 copied = skb->len; 373 if (len < copied) { 374 msg->msg_flags |= MSG_TRUNC; 375 copied = len; 376 } 377 378 skb_reset_transport_header(skb); 379 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 380 381 hci_sock_cmsg(sk, msg, skb); 382 383 skb_free_datagram(sk, skb); 384 385 return err ? : copied; 386} 387 388static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 389 struct msghdr *msg, size_t len) 390{ 391 struct sock *sk = sock->sk; 392 struct hci_dev *hdev; 393 struct sk_buff *skb; 394 int err; 395 396 BT_DBG("sock %p sk %p", sock, sk); 397 398 if (msg->msg_flags & MSG_OOB) 399 return -EOPNOTSUPP; 400 401 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 402 return -EINVAL; 403 404 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 405 return -EINVAL; 406 407 lock_sock(sk); 408 409 if (!(hdev = hci_pi(sk)->hdev)) { 410 err = -EBADFD; 411 goto done; 412 } 413 414 if (!(skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err))) 415 goto done; 416 417 if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) { 418 err = -EFAULT; 419 goto drop; 420 } 421 422 bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); 423 skb_pull(skb, 1); 424 skb->dev = (void *) hdev; 425 426 if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { 427 u16 opcode = __le16_to_cpu(get_unaligned((__le16 *) skb->data)); 428 u16 ogf = hci_opcode_ogf(opcode); 429 u16 ocf = hci_opcode_ocf(opcode); 430 431 if (((ogf > HCI_SFLT_MAX_OGF) || 432 !hci_test_bit(ocf & HCI_FLT_OCF_BITS, &hci_sec_filter.ocf_mask[ogf])) && 433 !capable(CAP_NET_RAW)) { 434 err = -EPERM; 435 goto drop; 436 } 437 438 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == OGF_VENDOR_CMD)) { 439 skb_queue_tail(&hdev->raw_q, skb); 440 hci_sched_tx(hdev); 441 } else { 442 skb_queue_tail(&hdev->cmd_q, skb); 443 hci_sched_cmd(hdev); 444 } 445 } else { 446 if (!capable(CAP_NET_RAW)) { 447 err = -EPERM; 448 goto drop; 449 } 450 451 skb_queue_tail(&hdev->raw_q, skb); 452 hci_sched_tx(hdev); 453 } 454 455 err = len; 456 457done: 458 release_sock(sk); 459 return err; 460 461drop: 462 kfree_skb(skb); 463 goto done; 464} 465 466static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, int len) 467{ 468 struct hci_ufilter uf = { .opcode = 0 }; 469 struct sock *sk = sock->sk; 470 int err = 0, opt = 0; 471 472 BT_DBG("sk %p, opt %d", sk, optname); 473 474 lock_sock(sk); 475 476 switch (optname) { 477 case HCI_DATA_DIR: 478 if (get_user(opt, (int __user *)optval)) { 479 err = -EFAULT; 480 break; 481 } 482 483 if (opt) 484 hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; 485 else 486 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; 487 break; 488 489 case HCI_TIME_STAMP: 490 if (get_user(opt, (int __user *)optval)) { 491 err = -EFAULT; 492 break; 493 } 494 495 if (opt) 496 hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; 497 else 498 hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; 499 break; 500 501 case HCI_FILTER: 502 { 503 struct hci_filter *f = &hci_pi(sk)->filter; 504 505 uf.type_mask = f->type_mask; 506 uf.opcode = f->opcode; 507 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 508 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 509 } 510 511 len = min_t(unsigned int, len, sizeof(uf)); 512 if (copy_from_user(&uf, optval, len)) { 513 err = -EFAULT; 514 break; 515 } 516 517 if (!capable(CAP_NET_RAW)) { 518 uf.type_mask &= hci_sec_filter.type_mask; 519 uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); 520 uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); 521 } 522 523 { 524 struct hci_filter *f = &hci_pi(sk)->filter; 525 526 f->type_mask = uf.type_mask; 527 f->opcode = uf.opcode; 528 *((u32 *) f->event_mask + 0) = uf.event_mask[0]; 529 *((u32 *) f->event_mask + 1) = uf.event_mask[1]; 530 } 531 break; 532 533 default: 534 err = -ENOPROTOOPT; 535 break; 536 } 537 538 release_sock(sk); 539 return err; 540} 541 542static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen) 543{ 544 struct hci_ufilter uf; 545 struct sock *sk = sock->sk; 546 int len, opt; 547 548 if (get_user(len, optlen)) 549 return -EFAULT; 550 551 switch (optname) { 552 case HCI_DATA_DIR: 553 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) 554 opt = 1; 555 else 556 opt = 0; 557 558 if (put_user(opt, optval)) 559 return -EFAULT; 560 break; 561 562 case HCI_TIME_STAMP: 563 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) 564 opt = 1; 565 else 566 opt = 0; 567 568 if (put_user(opt, optval)) 569 return -EFAULT; 570 break; 571 572 case HCI_FILTER: 573 { 574 struct hci_filter *f = &hci_pi(sk)->filter; 575 576 uf.type_mask = f->type_mask; 577 uf.opcode = f->opcode; 578 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 579 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 580 } 581 582 len = min_t(unsigned int, len, sizeof(uf)); 583 if (copy_to_user(optval, &uf, len)) 584 return -EFAULT; 585 break; 586 587 default: 588 return -ENOPROTOOPT; 589 break; 590 } 591 592 return 0; 593} 594 595static const struct proto_ops hci_sock_ops = { 596 .family = PF_BLUETOOTH, 597 .owner = THIS_MODULE, 598 .release = hci_sock_release, 599 .bind = hci_sock_bind, 600 .getname = hci_sock_getname, 601 .sendmsg = hci_sock_sendmsg, 602 .recvmsg = hci_sock_recvmsg, 603 .ioctl = hci_sock_ioctl, 604 .poll = datagram_poll, 605 .listen = sock_no_listen, 606 .shutdown = sock_no_shutdown, 607 .setsockopt = hci_sock_setsockopt, 608 .getsockopt = hci_sock_getsockopt, 609 .connect = sock_no_connect, 610 .socketpair = sock_no_socketpair, 611 .accept = sock_no_accept, 612 .mmap = sock_no_mmap 613}; 614 615static struct proto hci_sk_proto = { 616 .name = "HCI", 617 .owner = THIS_MODULE, 618 .obj_size = sizeof(struct hci_pinfo) 619}; 620 621static int hci_sock_create(struct socket *sock, int protocol) 622{ 623 struct sock *sk; 624 625 BT_DBG("sock %p", sock); 626 627 if (sock->type != SOCK_RAW) 628 return -ESOCKTNOSUPPORT; 629 630 sock->ops = &hci_sock_ops; 631 632 sk = sk_alloc(PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, 1); 633 if (!sk) 634 return -ENOMEM; 635 636 sock_init_data(sock, sk); 637 638 sock_reset_flag(sk, SOCK_ZAPPED); 639 640 sk->sk_protocol = protocol; 641 642 sock->state = SS_UNCONNECTED; 643 sk->sk_state = BT_OPEN; 644 645 bt_sock_link(&hci_sk_list, sk); 646 return 0; 647} 648 649static int hci_sock_dev_event(struct notifier_block *this, unsigned long event, void *ptr) 650{ 651 struct hci_dev *hdev = (struct hci_dev *) ptr; 652 struct hci_ev_si_device ev; 653 654 BT_DBG("hdev %s event %ld", hdev->name, event); 655 656 /* Send event to sockets */ 657 ev.event = event; 658 ev.dev_id = hdev->id; 659 hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev); 660 661 if (event == HCI_DEV_UNREG) { 662 struct sock *sk; 663 struct hlist_node *node; 664 665 /* Detach sockets from device */ 666 read_lock(&hci_sk_list.lock); 667 sk_for_each(sk, node, &hci_sk_list.head) { 668 local_bh_disable(); 669 bh_lock_sock_nested(sk); 670 if (hci_pi(sk)->hdev == hdev) { 671 hci_pi(sk)->hdev = NULL; 672 sk->sk_err = EPIPE; 673 sk->sk_state = BT_OPEN; 674 sk->sk_state_change(sk); 675 676 hci_dev_put(hdev); 677 } 678 bh_unlock_sock(sk); 679 local_bh_enable(); 680 } 681 read_unlock(&hci_sk_list.lock); 682 } 683 684 return NOTIFY_DONE; 685} 686 687static struct net_proto_family hci_sock_family_ops = { 688 .family = PF_BLUETOOTH, 689 .owner = THIS_MODULE, 690 .create = hci_sock_create, 691}; 692 693static struct notifier_block hci_sock_nblock = { 694 .notifier_call = hci_sock_dev_event 695}; 696 697int __init hci_sock_init(void) 698{ 699 int err; 700 701 err = proto_register(&hci_sk_proto, 0); 702 if (err < 0) 703 return err; 704 705 err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops); 706 if (err < 0) 707 goto error; 708 709 hci_register_notifier(&hci_sock_nblock); 710 711 BT_INFO("HCI socket layer initialized"); 712 713 return 0; 714 715error: 716 BT_ERR("HCI socket registration failed"); 717 proto_unregister(&hci_sk_proto); 718 return err; 719} 720 721int __exit hci_sock_cleanup(void) 722{ 723 if (bt_sock_unregister(BTPROTO_HCI) < 0) 724 BT_ERR("HCI socket unregistration failed"); 725 726 hci_unregister_notifier(&hci_sock_nblock); 727 728 proto_unregister(&hci_sk_proto); 729 730 return 0; 731} 732