1 | /* |
2 | BlueZ - Bluetooth protocol stack for Linux |
3 | Copyright (C) 2000-2001 Qualcomm Incorporated |
4 | |
5 | Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> |
6 | |
7 | This program is free software; you can redistribute it and/or modify |
8 | it under the terms of the GNU General Public License version 2 as |
9 | published by the Free Software Foundation; |
10 | |
11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
12 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
13 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. |
14 | IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY |
15 | CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES |
16 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
17 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
18 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
19 | |
20 | ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, |
21 | COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS |
22 | SOFTWARE IS DISCLAIMED. |
23 | */ |
24 | |
25 | /* Bluetooth HCI sockets. */ |
26 | #include <linux/compat.h> |
27 | #include <linux/export.h> |
28 | #include <linux/utsname.h> |
29 | #include <linux/sched.h> |
30 | #include <asm/unaligned.h> |
31 | |
32 | #include <net/bluetooth/bluetooth.h> |
33 | #include <net/bluetooth/hci_core.h> |
34 | #include <net/bluetooth/hci_mon.h> |
35 | #include <net/bluetooth/mgmt.h> |
36 | |
37 | #include "mgmt_util.h" |
38 | |
39 | static LIST_HEAD(mgmt_chan_list); |
40 | static DEFINE_MUTEX(mgmt_chan_list_lock); |
41 | |
42 | static DEFINE_IDA(sock_cookie_ida); |
43 | |
44 | static atomic_t monitor_promisc = ATOMIC_INIT(0); |
45 | |
46 | /* ----- HCI socket interface ----- */ |
47 | |
48 | /* Socket info */ |
49 | #define hci_pi(sk) ((struct hci_pinfo *) sk) |
50 | |
51 | struct hci_pinfo { |
52 | struct bt_sock bt; |
53 | struct hci_dev *hdev; |
54 | struct hci_filter filter; |
55 | __u8 cmsg_mask; |
56 | unsigned short channel; |
57 | unsigned long flags; |
58 | __u32 cookie; |
59 | char comm[TASK_COMM_LEN]; |
60 | __u16 mtu; |
61 | }; |
62 | |
63 | static struct hci_dev *hci_hdev_from_sock(struct sock *sk) |
64 | { |
65 | struct hci_dev *hdev = hci_pi(sk)->hdev; |
66 | |
67 | if (!hdev) |
68 | return ERR_PTR(error: -EBADFD); |
69 | if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) |
70 | return ERR_PTR(error: -EPIPE); |
71 | return hdev; |
72 | } |
73 | |
74 | void hci_sock_set_flag(struct sock *sk, int nr) |
75 | { |
76 | set_bit(nr, addr: &hci_pi(sk)->flags); |
77 | } |
78 | |
79 | void hci_sock_clear_flag(struct sock *sk, int nr) |
80 | { |
81 | clear_bit(nr, addr: &hci_pi(sk)->flags); |
82 | } |
83 | |
84 | int hci_sock_test_flag(struct sock *sk, int nr) |
85 | { |
86 | return test_bit(nr, &hci_pi(sk)->flags); |
87 | } |
88 | |
89 | unsigned short hci_sock_get_channel(struct sock *sk) |
90 | { |
91 | return hci_pi(sk)->channel; |
92 | } |
93 | |
94 | u32 hci_sock_get_cookie(struct sock *sk) |
95 | { |
96 | return hci_pi(sk)->cookie; |
97 | } |
98 | |
99 | static bool hci_sock_gen_cookie(struct sock *sk) |
100 | { |
101 | int id = hci_pi(sk)->cookie; |
102 | |
103 | if (!id) { |
104 | id = ida_alloc_min(ida: &sock_cookie_ida, min: 1, GFP_KERNEL); |
105 | if (id < 0) |
106 | id = 0xffffffff; |
107 | |
108 | hci_pi(sk)->cookie = id; |
109 | get_task_comm(hci_pi(sk)->comm, current); |
110 | return true; |
111 | } |
112 | |
113 | return false; |
114 | } |
115 | |
116 | static void hci_sock_free_cookie(struct sock *sk) |
117 | { |
118 | int id = hci_pi(sk)->cookie; |
119 | |
120 | if (id) { |
121 | hci_pi(sk)->cookie = 0xffffffff; |
122 | ida_free(&sock_cookie_ida, id); |
123 | } |
124 | } |
125 | |
126 | static inline int hci_test_bit(int nr, const void *addr) |
127 | { |
128 | return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); |
129 | } |
130 | |
131 | /* Security filter */ |
132 | #define HCI_SFLT_MAX_OGF 5 |
133 | |
134 | struct hci_sec_filter { |
135 | __u32 type_mask; |
136 | __u32 event_mask[2]; |
137 | __u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4]; |
138 | }; |
139 | |
140 | static const struct hci_sec_filter hci_sec_filter = { |
141 | /* Packet types */ |
142 | 0x10, |
143 | /* Events */ |
144 | { 0x1000d9fe, 0x0000b00c }, |
145 | /* Commands */ |
146 | { |
147 | { 0x0 }, |
148 | /* OGF_LINK_CTL */ |
149 | { 0xbe000006, 0x00000001, 0x00000000, 0x00 }, |
150 | /* OGF_LINK_POLICY */ |
151 | { 0x00005200, 0x00000000, 0x00000000, 0x00 }, |
152 | /* OGF_HOST_CTL */ |
153 | { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 }, |
154 | /* OGF_INFO_PARAM */ |
155 | { 0x000002be, 0x00000000, 0x00000000, 0x00 }, |
156 | /* OGF_STATUS_PARAM */ |
157 | { 0x000000ea, 0x00000000, 0x00000000, 0x00 } |
158 | } |
159 | }; |
160 | |
161 | static struct bt_sock_list hci_sk_list = { |
162 | .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock) |
163 | }; |
164 | |
165 | static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb) |
166 | { |
167 | struct hci_filter *flt; |
168 | int flt_type, flt_event; |
169 | |
170 | /* Apply filter */ |
171 | flt = &hci_pi(sk)->filter; |
172 | |
173 | flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS; |
174 | |
175 | if (!test_bit(flt_type, &flt->type_mask)) |
176 | return true; |
177 | |
178 | /* Extra filter for event packets only */ |
179 | if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT) |
180 | return false; |
181 | |
182 | flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS); |
183 | |
184 | if (!hci_test_bit(nr: flt_event, addr: &flt->event_mask)) |
185 | return true; |
186 | |
187 | /* Check filter only when opcode is set */ |
188 | if (!flt->opcode) |
189 | return false; |
190 | |
191 | if (flt_event == HCI_EV_CMD_COMPLETE && |
192 | flt->opcode != get_unaligned((__le16 *)(skb->data + 3))) |
193 | return true; |
194 | |
195 | if (flt_event == HCI_EV_CMD_STATUS && |
196 | flt->opcode != get_unaligned((__le16 *)(skb->data + 4))) |
197 | return true; |
198 | |
199 | return false; |
200 | } |
201 | |
202 | /* Send frame to RAW socket */ |
203 | void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb) |
204 | { |
205 | struct sock *sk; |
206 | struct sk_buff *skb_copy = NULL; |
207 | |
208 | BT_DBG("hdev %p len %d" , hdev, skb->len); |
209 | |
210 | read_lock(&hci_sk_list.lock); |
211 | |
212 | sk_for_each(sk, &hci_sk_list.head) { |
213 | struct sk_buff *nskb; |
214 | |
215 | if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev) |
216 | continue; |
217 | |
218 | /* Don't send frame to the socket it came from */ |
219 | if (skb->sk == sk) |
220 | continue; |
221 | |
222 | if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) { |
223 | if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && |
224 | hci_skb_pkt_type(skb) != HCI_EVENT_PKT && |
225 | hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && |
226 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && |
227 | hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) |
228 | continue; |
229 | if (is_filtered_packet(sk, skb)) |
230 | continue; |
231 | } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { |
232 | if (!bt_cb(skb)->incoming) |
233 | continue; |
234 | if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT && |
235 | hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && |
236 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && |
237 | hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) |
238 | continue; |
239 | } else { |
240 | /* Don't send frame to other channel types */ |
241 | continue; |
242 | } |
243 | |
244 | if (!skb_copy) { |
245 | /* Create a private copy with headroom */ |
246 | skb_copy = __pskb_copy_fclone(skb, headroom: 1, GFP_ATOMIC, fclone: true); |
247 | if (!skb_copy) |
248 | continue; |
249 | |
250 | /* Put type byte before the data */ |
251 | memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1); |
252 | } |
253 | |
254 | nskb = skb_clone(skb: skb_copy, GFP_ATOMIC); |
255 | if (!nskb) |
256 | continue; |
257 | |
258 | if (sock_queue_rcv_skb(sk, skb: nskb)) |
259 | kfree_skb(skb: nskb); |
260 | } |
261 | |
262 | read_unlock(&hci_sk_list.lock); |
263 | |
264 | kfree_skb(skb: skb_copy); |
265 | } |
266 | |
267 | static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb) |
268 | { |
269 | struct scm_creds *creds; |
270 | |
271 | if (!sk || WARN_ON(!skb)) |
272 | return; |
273 | |
274 | creds = &bt_cb(skb)->creds; |
275 | |
276 | /* Check if peer credentials is set */ |
277 | if (!sk->sk_peer_pid) { |
278 | /* Check if parent peer credentials is set */ |
279 | if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid) |
280 | sk = bt_sk(sk)->parent; |
281 | else |
282 | return; |
283 | } |
284 | |
285 | /* Check if scm_creds already set */ |
286 | if (creds->pid == pid_vnr(pid: sk->sk_peer_pid)) |
287 | return; |
288 | |
289 | memset(creds, 0, sizeof(*creds)); |
290 | |
291 | creds->pid = pid_vnr(pid: sk->sk_peer_pid); |
292 | if (sk->sk_peer_cred) { |
293 | creds->uid = sk->sk_peer_cred->uid; |
294 | creds->gid = sk->sk_peer_cred->gid; |
295 | } |
296 | } |
297 | |
298 | static struct sk_buff *hci_skb_clone(struct sk_buff *skb) |
299 | { |
300 | struct sk_buff *nskb; |
301 | |
302 | if (!skb) |
303 | return NULL; |
304 | |
305 | nskb = skb_clone(skb, GFP_ATOMIC); |
306 | if (!nskb) |
307 | return NULL; |
308 | |
309 | hci_sock_copy_creds(sk: skb->sk, skb: nskb); |
310 | |
311 | return nskb; |
312 | } |
313 | |
314 | /* Send frame to sockets with specific channel */ |
315 | static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb, |
316 | int flag, struct sock *skip_sk) |
317 | { |
318 | struct sock *sk; |
319 | |
320 | BT_DBG("channel %u len %d" , channel, skb->len); |
321 | |
322 | sk_for_each(sk, &hci_sk_list.head) { |
323 | struct sk_buff *nskb; |
324 | |
325 | /* Ignore socket without the flag set */ |
326 | if (!hci_sock_test_flag(sk, nr: flag)) |
327 | continue; |
328 | |
329 | /* Skip the original socket */ |
330 | if (sk == skip_sk) |
331 | continue; |
332 | |
333 | if (sk->sk_state != BT_BOUND) |
334 | continue; |
335 | |
336 | if (hci_pi(sk)->channel != channel) |
337 | continue; |
338 | |
339 | nskb = hci_skb_clone(skb); |
340 | if (!nskb) |
341 | continue; |
342 | |
343 | if (sock_queue_rcv_skb(sk, skb: nskb)) |
344 | kfree_skb(skb: nskb); |
345 | } |
346 | |
347 | } |
348 | |
349 | void hci_send_to_channel(unsigned short channel, struct sk_buff *skb, |
350 | int flag, struct sock *skip_sk) |
351 | { |
352 | read_lock(&hci_sk_list.lock); |
353 | __hci_send_to_channel(channel, skb, flag, skip_sk); |
354 | read_unlock(&hci_sk_list.lock); |
355 | } |
356 | |
357 | /* Send frame to monitor socket */ |
358 | void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb) |
359 | { |
360 | struct sk_buff *skb_copy = NULL; |
361 | struct hci_mon_hdr *hdr; |
362 | __le16 opcode; |
363 | |
364 | if (!atomic_read(v: &monitor_promisc)) |
365 | return; |
366 | |
367 | BT_DBG("hdev %p len %d" , hdev, skb->len); |
368 | |
369 | switch (hci_skb_pkt_type(skb)) { |
370 | case HCI_COMMAND_PKT: |
371 | opcode = cpu_to_le16(HCI_MON_COMMAND_PKT); |
372 | break; |
373 | case HCI_EVENT_PKT: |
374 | opcode = cpu_to_le16(HCI_MON_EVENT_PKT); |
375 | break; |
376 | case HCI_ACLDATA_PKT: |
377 | if (bt_cb(skb)->incoming) |
378 | opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT); |
379 | else |
380 | opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT); |
381 | break; |
382 | case HCI_SCODATA_PKT: |
383 | if (bt_cb(skb)->incoming) |
384 | opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT); |
385 | else |
386 | opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT); |
387 | break; |
388 | case HCI_ISODATA_PKT: |
389 | if (bt_cb(skb)->incoming) |
390 | opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT); |
391 | else |
392 | opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT); |
393 | break; |
394 | case HCI_DIAG_PKT: |
395 | opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG); |
396 | break; |
397 | default: |
398 | return; |
399 | } |
400 | |
401 | /* Create a private copy with headroom */ |
402 | skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, fclone: true); |
403 | if (!skb_copy) |
404 | return; |
405 | |
406 | hci_sock_copy_creds(sk: skb->sk, skb: skb_copy); |
407 | |
408 | /* Put header before the data */ |
409 | hdr = skb_push(skb: skb_copy, HCI_MON_HDR_SIZE); |
410 | hdr->opcode = opcode; |
411 | hdr->index = cpu_to_le16(hdev->id); |
412 | hdr->len = cpu_to_le16(skb->len); |
413 | |
414 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb: skb_copy, |
415 | flag: HCI_SOCK_TRUSTED, NULL); |
416 | kfree_skb(skb: skb_copy); |
417 | } |
418 | |
419 | void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, |
420 | void *data, u16 data_len, ktime_t tstamp, |
421 | int flag, struct sock *skip_sk) |
422 | { |
423 | struct sock *sk; |
424 | __le16 index; |
425 | |
426 | if (hdev) |
427 | index = cpu_to_le16(hdev->id); |
428 | else |
429 | index = cpu_to_le16(MGMT_INDEX_NONE); |
430 | |
431 | read_lock(&hci_sk_list.lock); |
432 | |
433 | sk_for_each(sk, &hci_sk_list.head) { |
434 | struct hci_mon_hdr *hdr; |
435 | struct sk_buff *skb; |
436 | |
437 | if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) |
438 | continue; |
439 | |
440 | /* Ignore socket without the flag set */ |
441 | if (!hci_sock_test_flag(sk, nr: flag)) |
442 | continue; |
443 | |
444 | /* Skip the original socket */ |
445 | if (sk == skip_sk) |
446 | continue; |
447 | |
448 | skb = bt_skb_alloc(len: 6 + data_len, GFP_ATOMIC); |
449 | if (!skb) |
450 | continue; |
451 | |
452 | put_unaligned_le32(hci_pi(sk)->cookie, p: skb_put(skb, len: 4)); |
453 | put_unaligned_le16(val: event, p: skb_put(skb, len: 2)); |
454 | |
455 | if (data) |
456 | skb_put_data(skb, data, len: data_len); |
457 | |
458 | skb->tstamp = tstamp; |
459 | |
460 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); |
461 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); |
462 | hdr->index = index; |
463 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); |
464 | |
465 | __hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
466 | flag: HCI_SOCK_TRUSTED, NULL); |
467 | kfree_skb(skb); |
468 | } |
469 | |
470 | read_unlock(&hci_sk_list.lock); |
471 | } |
472 | |
473 | static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event) |
474 | { |
475 | struct hci_mon_hdr *hdr; |
476 | struct hci_mon_new_index *ni; |
477 | struct hci_mon_index_info *ii; |
478 | struct sk_buff *skb; |
479 | __le16 opcode; |
480 | |
481 | switch (event) { |
482 | case HCI_DEV_REG: |
483 | skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC); |
484 | if (!skb) |
485 | return NULL; |
486 | |
487 | ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE); |
488 | ni->type = hdev->dev_type; |
489 | ni->bus = hdev->bus; |
490 | bacpy(dst: &ni->bdaddr, src: &hdev->bdaddr); |
491 | memcpy_and_pad(dest: ni->name, dest_len: sizeof(ni->name), src: hdev->name, |
492 | count: strnlen(p: hdev->name, maxlen: sizeof(ni->name)), pad: '\0'); |
493 | |
494 | opcode = cpu_to_le16(HCI_MON_NEW_INDEX); |
495 | break; |
496 | |
497 | case HCI_DEV_UNREG: |
498 | skb = bt_skb_alloc(len: 0, GFP_ATOMIC); |
499 | if (!skb) |
500 | return NULL; |
501 | |
502 | opcode = cpu_to_le16(HCI_MON_DEL_INDEX); |
503 | break; |
504 | |
505 | case HCI_DEV_SETUP: |
506 | if (hdev->manufacturer == 0xffff) |
507 | return NULL; |
508 | fallthrough; |
509 | |
510 | case HCI_DEV_UP: |
511 | skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC); |
512 | if (!skb) |
513 | return NULL; |
514 | |
515 | ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE); |
516 | bacpy(dst: &ii->bdaddr, src: &hdev->bdaddr); |
517 | ii->manufacturer = cpu_to_le16(hdev->manufacturer); |
518 | |
519 | opcode = cpu_to_le16(HCI_MON_INDEX_INFO); |
520 | break; |
521 | |
522 | case HCI_DEV_OPEN: |
523 | skb = bt_skb_alloc(len: 0, GFP_ATOMIC); |
524 | if (!skb) |
525 | return NULL; |
526 | |
527 | opcode = cpu_to_le16(HCI_MON_OPEN_INDEX); |
528 | break; |
529 | |
530 | case HCI_DEV_CLOSE: |
531 | skb = bt_skb_alloc(len: 0, GFP_ATOMIC); |
532 | if (!skb) |
533 | return NULL; |
534 | |
535 | opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX); |
536 | break; |
537 | |
538 | default: |
539 | return NULL; |
540 | } |
541 | |
542 | __net_timestamp(skb); |
543 | |
544 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); |
545 | hdr->opcode = opcode; |
546 | hdr->index = cpu_to_le16(hdev->id); |
547 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); |
548 | |
549 | return skb; |
550 | } |
551 | |
552 | static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) |
553 | { |
554 | struct hci_mon_hdr *hdr; |
555 | struct sk_buff *skb; |
556 | u16 format; |
557 | u8 ver[3]; |
558 | u32 flags; |
559 | |
560 | /* No message needed when cookie is not present */ |
561 | if (!hci_pi(sk)->cookie) |
562 | return NULL; |
563 | |
564 | switch (hci_pi(sk)->channel) { |
565 | case HCI_CHANNEL_RAW: |
566 | format = 0x0000; |
567 | ver[0] = BT_SUBSYS_VERSION; |
568 | put_unaligned_le16(BT_SUBSYS_REVISION, p: ver + 1); |
569 | break; |
570 | case HCI_CHANNEL_USER: |
571 | format = 0x0001; |
572 | ver[0] = BT_SUBSYS_VERSION; |
573 | put_unaligned_le16(BT_SUBSYS_REVISION, p: ver + 1); |
574 | break; |
575 | case HCI_CHANNEL_CONTROL: |
576 | format = 0x0002; |
577 | mgmt_fill_version_info(ver); |
578 | break; |
579 | default: |
580 | /* No message for unsupported format */ |
581 | return NULL; |
582 | } |
583 | |
584 | skb = bt_skb_alloc(len: 14 + TASK_COMM_LEN, GFP_ATOMIC); |
585 | if (!skb) |
586 | return NULL; |
587 | |
588 | hci_sock_copy_creds(sk, skb); |
589 | |
590 | flags = hci_sock_test_flag(sk, nr: HCI_SOCK_TRUSTED) ? 0x1 : 0x0; |
591 | |
592 | put_unaligned_le32(hci_pi(sk)->cookie, p: skb_put(skb, len: 4)); |
593 | put_unaligned_le16(val: format, p: skb_put(skb, len: 2)); |
594 | skb_put_data(skb, data: ver, len: sizeof(ver)); |
595 | put_unaligned_le32(val: flags, p: skb_put(skb, len: 4)); |
596 | skb_put_u8(skb, val: TASK_COMM_LEN); |
597 | skb_put_data(skb, hci_pi(sk)->comm, len: TASK_COMM_LEN); |
598 | |
599 | __net_timestamp(skb); |
600 | |
601 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); |
602 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); |
603 | if (hci_pi(sk)->hdev) |
604 | hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); |
605 | else |
606 | hdr->index = cpu_to_le16(HCI_DEV_NONE); |
607 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); |
608 | |
609 | return skb; |
610 | } |
611 | |
612 | static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) |
613 | { |
614 | struct hci_mon_hdr *hdr; |
615 | struct sk_buff *skb; |
616 | |
617 | /* No message needed when cookie is not present */ |
618 | if (!hci_pi(sk)->cookie) |
619 | return NULL; |
620 | |
621 | switch (hci_pi(sk)->channel) { |
622 | case HCI_CHANNEL_RAW: |
623 | case HCI_CHANNEL_USER: |
624 | case HCI_CHANNEL_CONTROL: |
625 | break; |
626 | default: |
627 | /* No message for unsupported format */ |
628 | return NULL; |
629 | } |
630 | |
631 | skb = bt_skb_alloc(len: 4, GFP_ATOMIC); |
632 | if (!skb) |
633 | return NULL; |
634 | |
635 | hci_sock_copy_creds(sk, skb); |
636 | |
637 | put_unaligned_le32(hci_pi(sk)->cookie, p: skb_put(skb, len: 4)); |
638 | |
639 | __net_timestamp(skb); |
640 | |
641 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); |
642 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); |
643 | if (hci_pi(sk)->hdev) |
644 | hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); |
645 | else |
646 | hdr->index = cpu_to_le16(HCI_DEV_NONE); |
647 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); |
648 | |
649 | return skb; |
650 | } |
651 | |
652 | static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, |
653 | u16 opcode, u16 len, |
654 | const void *buf) |
655 | { |
656 | struct hci_mon_hdr *hdr; |
657 | struct sk_buff *skb; |
658 | |
659 | skb = bt_skb_alloc(len: 6 + len, GFP_ATOMIC); |
660 | if (!skb) |
661 | return NULL; |
662 | |
663 | hci_sock_copy_creds(sk, skb); |
664 | |
665 | put_unaligned_le32(hci_pi(sk)->cookie, p: skb_put(skb, len: 4)); |
666 | put_unaligned_le16(val: opcode, p: skb_put(skb, len: 2)); |
667 | |
668 | if (buf) |
669 | skb_put_data(skb, data: buf, len); |
670 | |
671 | __net_timestamp(skb); |
672 | |
673 | hdr = skb_push(skb, HCI_MON_HDR_SIZE); |
674 | hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); |
675 | hdr->index = cpu_to_le16(index); |
676 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); |
677 | |
678 | return skb; |
679 | } |
680 | |
681 | static void __printf(2, 3) |
682 | send_monitor_note(struct sock *sk, const char *fmt, ...) |
683 | { |
684 | size_t len; |
685 | struct hci_mon_hdr *hdr; |
686 | struct sk_buff *skb; |
687 | va_list args; |
688 | |
689 | va_start(args, fmt); |
690 | len = vsnprintf(NULL, size: 0, fmt, args); |
691 | va_end(args); |
692 | |
693 | skb = bt_skb_alloc(len: len + 1, GFP_ATOMIC); |
694 | if (!skb) |
695 | return; |
696 | |
697 | hci_sock_copy_creds(sk, skb); |
698 | |
699 | va_start(args, fmt); |
700 | vsprintf(buf: skb_put(skb, len), fmt, args); |
701 | *(u8 *)skb_put(skb, len: 1) = 0; |
702 | va_end(args); |
703 | |
704 | __net_timestamp(skb); |
705 | |
706 | hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); |
707 | hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE); |
708 | hdr->index = cpu_to_le16(HCI_DEV_NONE); |
709 | hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); |
710 | |
711 | if (sock_queue_rcv_skb(sk, skb)) |
712 | kfree_skb(skb); |
713 | } |
714 | |
715 | static void send_monitor_replay(struct sock *sk) |
716 | { |
717 | struct hci_dev *hdev; |
718 | |
719 | read_lock(&hci_dev_list_lock); |
720 | |
721 | list_for_each_entry(hdev, &hci_dev_list, list) { |
722 | struct sk_buff *skb; |
723 | |
724 | skb = create_monitor_event(hdev, HCI_DEV_REG); |
725 | if (!skb) |
726 | continue; |
727 | |
728 | if (sock_queue_rcv_skb(sk, skb)) |
729 | kfree_skb(skb); |
730 | |
731 | if (!test_bit(HCI_RUNNING, &hdev->flags)) |
732 | continue; |
733 | |
734 | skb = create_monitor_event(hdev, HCI_DEV_OPEN); |
735 | if (!skb) |
736 | continue; |
737 | |
738 | if (sock_queue_rcv_skb(sk, skb)) |
739 | kfree_skb(skb); |
740 | |
741 | if (test_bit(HCI_UP, &hdev->flags)) |
742 | skb = create_monitor_event(hdev, HCI_DEV_UP); |
743 | else if (hci_dev_test_flag(hdev, HCI_SETUP)) |
744 | skb = create_monitor_event(hdev, HCI_DEV_SETUP); |
745 | else |
746 | skb = NULL; |
747 | |
748 | if (skb) { |
749 | if (sock_queue_rcv_skb(sk, skb)) |
750 | kfree_skb(skb); |
751 | } |
752 | } |
753 | |
754 | read_unlock(&hci_dev_list_lock); |
755 | } |
756 | |
757 | static void send_monitor_control_replay(struct sock *mon_sk) |
758 | { |
759 | struct sock *sk; |
760 | |
761 | read_lock(&hci_sk_list.lock); |
762 | |
763 | sk_for_each(sk, &hci_sk_list.head) { |
764 | struct sk_buff *skb; |
765 | |
766 | skb = create_monitor_ctrl_open(sk); |
767 | if (!skb) |
768 | continue; |
769 | |
770 | if (sock_queue_rcv_skb(sk: mon_sk, skb)) |
771 | kfree_skb(skb); |
772 | } |
773 | |
774 | read_unlock(&hci_sk_list.lock); |
775 | } |
776 | |
777 | /* Generate internal stack event */ |
778 | static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data) |
779 | { |
780 | struct hci_event_hdr *hdr; |
781 | struct hci_ev_stack_internal *ev; |
782 | struct sk_buff *skb; |
783 | |
784 | skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC); |
785 | if (!skb) |
786 | return; |
787 | |
788 | hdr = skb_put(skb, HCI_EVENT_HDR_SIZE); |
789 | hdr->evt = HCI_EV_STACK_INTERNAL; |
790 | hdr->plen = sizeof(*ev) + dlen; |
791 | |
792 | ev = skb_put(skb, len: sizeof(*ev) + dlen); |
793 | ev->type = type; |
794 | memcpy(ev->data, data, dlen); |
795 | |
796 | bt_cb(skb)->incoming = 1; |
797 | __net_timestamp(skb); |
798 | |
799 | hci_skb_pkt_type(skb) = HCI_EVENT_PKT; |
800 | hci_send_to_sock(hdev, skb); |
801 | kfree_skb(skb); |
802 | } |
803 | |
804 | void hci_sock_dev_event(struct hci_dev *hdev, int event) |
805 | { |
806 | BT_DBG("hdev %s event %d" , hdev->name, event); |
807 | |
808 | if (atomic_read(v: &monitor_promisc)) { |
809 | struct sk_buff *skb; |
810 | |
811 | /* Send event to monitor */ |
812 | skb = create_monitor_event(hdev, event); |
813 | if (skb) { |
814 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
815 | flag: HCI_SOCK_TRUSTED, NULL); |
816 | kfree_skb(skb); |
817 | } |
818 | } |
819 | |
820 | if (event <= HCI_DEV_DOWN) { |
821 | struct hci_ev_si_device ev; |
822 | |
823 | /* Send event to sockets */ |
824 | ev.event = event; |
825 | ev.dev_id = hdev->id; |
826 | hci_si_event(NULL, HCI_EV_SI_DEVICE, dlen: sizeof(ev), data: &ev); |
827 | } |
828 | |
829 | if (event == HCI_DEV_UNREG) { |
830 | struct sock *sk; |
831 | |
832 | /* Wake up sockets using this dead device */ |
833 | read_lock(&hci_sk_list.lock); |
834 | sk_for_each(sk, &hci_sk_list.head) { |
835 | if (hci_pi(sk)->hdev == hdev) { |
836 | sk->sk_err = EPIPE; |
837 | sk->sk_state_change(sk); |
838 | } |
839 | } |
840 | read_unlock(&hci_sk_list.lock); |
841 | } |
842 | } |
843 | |
844 | static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel) |
845 | { |
846 | struct hci_mgmt_chan *c; |
847 | |
848 | list_for_each_entry(c, &mgmt_chan_list, list) { |
849 | if (c->channel == channel) |
850 | return c; |
851 | } |
852 | |
853 | return NULL; |
854 | } |
855 | |
856 | static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel) |
857 | { |
858 | struct hci_mgmt_chan *c; |
859 | |
860 | mutex_lock(&mgmt_chan_list_lock); |
861 | c = __hci_mgmt_chan_find(channel); |
862 | mutex_unlock(lock: &mgmt_chan_list_lock); |
863 | |
864 | return c; |
865 | } |
866 | |
867 | int hci_mgmt_chan_register(struct hci_mgmt_chan *c) |
868 | { |
869 | if (c->channel < HCI_CHANNEL_CONTROL) |
870 | return -EINVAL; |
871 | |
872 | mutex_lock(&mgmt_chan_list_lock); |
873 | if (__hci_mgmt_chan_find(channel: c->channel)) { |
874 | mutex_unlock(lock: &mgmt_chan_list_lock); |
875 | return -EALREADY; |
876 | } |
877 | |
878 | list_add_tail(new: &c->list, head: &mgmt_chan_list); |
879 | |
880 | mutex_unlock(lock: &mgmt_chan_list_lock); |
881 | |
882 | return 0; |
883 | } |
884 | EXPORT_SYMBOL(hci_mgmt_chan_register); |
885 | |
886 | void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c) |
887 | { |
888 | mutex_lock(&mgmt_chan_list_lock); |
889 | list_del(entry: &c->list); |
890 | mutex_unlock(lock: &mgmt_chan_list_lock); |
891 | } |
892 | EXPORT_SYMBOL(hci_mgmt_chan_unregister); |
893 | |
894 | static int hci_sock_release(struct socket *sock) |
895 | { |
896 | struct sock *sk = sock->sk; |
897 | struct hci_dev *hdev; |
898 | struct sk_buff *skb; |
899 | |
900 | BT_DBG("sock %p sk %p" , sock, sk); |
901 | |
902 | if (!sk) |
903 | return 0; |
904 | |
905 | lock_sock(sk); |
906 | |
907 | switch (hci_pi(sk)->channel) { |
908 | case HCI_CHANNEL_MONITOR: |
909 | atomic_dec(v: &monitor_promisc); |
910 | break; |
911 | case HCI_CHANNEL_RAW: |
912 | case HCI_CHANNEL_USER: |
913 | case HCI_CHANNEL_CONTROL: |
914 | /* Send event to monitor */ |
915 | skb = create_monitor_ctrl_close(sk); |
916 | if (skb) { |
917 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
918 | flag: HCI_SOCK_TRUSTED, NULL); |
919 | kfree_skb(skb); |
920 | } |
921 | |
922 | hci_sock_free_cookie(sk); |
923 | break; |
924 | } |
925 | |
926 | bt_sock_unlink(l: &hci_sk_list, s: sk); |
927 | |
928 | hdev = hci_pi(sk)->hdev; |
929 | if (hdev) { |
930 | if (hci_pi(sk)->channel == HCI_CHANNEL_USER && |
931 | !hci_dev_test_flag(hdev, HCI_UNREGISTER)) { |
932 | /* When releasing a user channel exclusive access, |
933 | * call hci_dev_do_close directly instead of calling |
934 | * hci_dev_close to ensure the exclusive access will |
935 | * be released and the controller brought back down. |
936 | * |
937 | * The checking of HCI_AUTO_OFF is not needed in this |
938 | * case since it will have been cleared already when |
939 | * opening the user channel. |
940 | * |
941 | * Make sure to also check that we haven't already |
942 | * unregistered since all the cleanup will have already |
943 | * been complete and hdev will get released when we put |
944 | * below. |
945 | */ |
946 | hci_dev_do_close(hdev); |
947 | hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); |
948 | mgmt_index_added(hdev); |
949 | } |
950 | |
951 | atomic_dec(v: &hdev->promisc); |
952 | hci_dev_put(d: hdev); |
953 | } |
954 | |
955 | sock_orphan(sk); |
956 | release_sock(sk); |
957 | sock_put(sk); |
958 | return 0; |
959 | } |
960 | |
961 | static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg) |
962 | { |
963 | bdaddr_t bdaddr; |
964 | int err; |
965 | |
966 | if (copy_from_user(to: &bdaddr, from: arg, n: sizeof(bdaddr))) |
967 | return -EFAULT; |
968 | |
969 | hci_dev_lock(hdev); |
970 | |
971 | err = hci_bdaddr_list_add(list: &hdev->reject_list, bdaddr: &bdaddr, BDADDR_BREDR); |
972 | |
973 | hci_dev_unlock(hdev); |
974 | |
975 | return err; |
976 | } |
977 | |
978 | static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg) |
979 | { |
980 | bdaddr_t bdaddr; |
981 | int err; |
982 | |
983 | if (copy_from_user(to: &bdaddr, from: arg, n: sizeof(bdaddr))) |
984 | return -EFAULT; |
985 | |
986 | hci_dev_lock(hdev); |
987 | |
988 | err = hci_bdaddr_list_del(list: &hdev->reject_list, bdaddr: &bdaddr, BDADDR_BREDR); |
989 | |
990 | hci_dev_unlock(hdev); |
991 | |
992 | return err; |
993 | } |
994 | |
995 | /* Ioctls that require bound socket */ |
996 | static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, |
997 | unsigned long arg) |
998 | { |
999 | struct hci_dev *hdev = hci_hdev_from_sock(sk); |
1000 | |
1001 | if (IS_ERR(ptr: hdev)) |
1002 | return PTR_ERR(ptr: hdev); |
1003 | |
1004 | if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) |
1005 | return -EBUSY; |
1006 | |
1007 | if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) |
1008 | return -EOPNOTSUPP; |
1009 | |
1010 | if (hdev->dev_type != HCI_PRIMARY) |
1011 | return -EOPNOTSUPP; |
1012 | |
1013 | switch (cmd) { |
1014 | case HCISETRAW: |
1015 | if (!capable(CAP_NET_ADMIN)) |
1016 | return -EPERM; |
1017 | return -EOPNOTSUPP; |
1018 | |
1019 | case HCIGETCONNINFO: |
1020 | return hci_get_conn_info(hdev, arg: (void __user *)arg); |
1021 | |
1022 | case HCIGETAUTHINFO: |
1023 | return hci_get_auth_info(hdev, arg: (void __user *)arg); |
1024 | |
1025 | case HCIBLOCKADDR: |
1026 | if (!capable(CAP_NET_ADMIN)) |
1027 | return -EPERM; |
1028 | return hci_sock_reject_list_add(hdev, arg: (void __user *)arg); |
1029 | |
1030 | case HCIUNBLOCKADDR: |
1031 | if (!capable(CAP_NET_ADMIN)) |
1032 | return -EPERM; |
1033 | return hci_sock_reject_list_del(hdev, arg: (void __user *)arg); |
1034 | } |
1035 | |
1036 | return -ENOIOCTLCMD; |
1037 | } |
1038 | |
1039 | static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, |
1040 | unsigned long arg) |
1041 | { |
1042 | void __user *argp = (void __user *)arg; |
1043 | struct sock *sk = sock->sk; |
1044 | int err; |
1045 | |
1046 | BT_DBG("cmd %x arg %lx" , cmd, arg); |
1047 | |
1048 | /* Make sure the cmd is valid before doing anything */ |
1049 | switch (cmd) { |
1050 | case HCIGETDEVLIST: |
1051 | case HCIGETDEVINFO: |
1052 | case HCIGETCONNLIST: |
1053 | case HCIDEVUP: |
1054 | case HCIDEVDOWN: |
1055 | case HCIDEVRESET: |
1056 | case HCIDEVRESTAT: |
1057 | case HCISETSCAN: |
1058 | case HCISETAUTH: |
1059 | case HCISETENCRYPT: |
1060 | case HCISETPTYPE: |
1061 | case HCISETLINKPOL: |
1062 | case HCISETLINKMODE: |
1063 | case HCISETACLMTU: |
1064 | case HCISETSCOMTU: |
1065 | case HCIINQUIRY: |
1066 | case HCISETRAW: |
1067 | case HCIGETCONNINFO: |
1068 | case HCIGETAUTHINFO: |
1069 | case HCIBLOCKADDR: |
1070 | case HCIUNBLOCKADDR: |
1071 | break; |
1072 | default: |
1073 | return -ENOIOCTLCMD; |
1074 | } |
1075 | |
1076 | lock_sock(sk); |
1077 | |
1078 | if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { |
1079 | err = -EBADFD; |
1080 | goto done; |
1081 | } |
1082 | |
1083 | /* When calling an ioctl on an unbound raw socket, then ensure |
1084 | * that the monitor gets informed. Ensure that the resulting event |
1085 | * is only send once by checking if the cookie exists or not. The |
1086 | * socket cookie will be only ever generated once for the lifetime |
1087 | * of a given socket. |
1088 | */ |
1089 | if (hci_sock_gen_cookie(sk)) { |
1090 | struct sk_buff *skb; |
1091 | |
1092 | /* Perform careful checks before setting the HCI_SOCK_TRUSTED |
1093 | * flag. Make sure that not only the current task but also |
1094 | * the socket opener has the required capability, since |
1095 | * privileged programs can be tricked into making ioctl calls |
1096 | * on HCI sockets, and the socket should not be marked as |
1097 | * trusted simply because the ioctl caller is privileged. |
1098 | */ |
1099 | if (sk_capable(sk, CAP_NET_ADMIN)) |
1100 | hci_sock_set_flag(sk, nr: HCI_SOCK_TRUSTED); |
1101 | |
1102 | /* Send event to monitor */ |
1103 | skb = create_monitor_ctrl_open(sk); |
1104 | if (skb) { |
1105 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1106 | flag: HCI_SOCK_TRUSTED, NULL); |
1107 | kfree_skb(skb); |
1108 | } |
1109 | } |
1110 | |
1111 | release_sock(sk); |
1112 | |
1113 | switch (cmd) { |
1114 | case HCIGETDEVLIST: |
1115 | return hci_get_dev_list(arg: argp); |
1116 | |
1117 | case HCIGETDEVINFO: |
1118 | return hci_get_dev_info(arg: argp); |
1119 | |
1120 | case HCIGETCONNLIST: |
1121 | return hci_get_conn_list(arg: argp); |
1122 | |
1123 | case HCIDEVUP: |
1124 | if (!capable(CAP_NET_ADMIN)) |
1125 | return -EPERM; |
1126 | return hci_dev_open(dev: arg); |
1127 | |
1128 | case HCIDEVDOWN: |
1129 | if (!capable(CAP_NET_ADMIN)) |
1130 | return -EPERM; |
1131 | return hci_dev_close(dev: arg); |
1132 | |
1133 | case HCIDEVRESET: |
1134 | if (!capable(CAP_NET_ADMIN)) |
1135 | return -EPERM; |
1136 | return hci_dev_reset(dev: arg); |
1137 | |
1138 | case HCIDEVRESTAT: |
1139 | if (!capable(CAP_NET_ADMIN)) |
1140 | return -EPERM; |
1141 | return hci_dev_reset_stat(dev: arg); |
1142 | |
1143 | case HCISETSCAN: |
1144 | case HCISETAUTH: |
1145 | case HCISETENCRYPT: |
1146 | case HCISETPTYPE: |
1147 | case HCISETLINKPOL: |
1148 | case HCISETLINKMODE: |
1149 | case HCISETACLMTU: |
1150 | case HCISETSCOMTU: |
1151 | if (!capable(CAP_NET_ADMIN)) |
1152 | return -EPERM; |
1153 | return hci_dev_cmd(cmd, arg: argp); |
1154 | |
1155 | case HCIINQUIRY: |
1156 | return hci_inquiry(arg: argp); |
1157 | } |
1158 | |
1159 | lock_sock(sk); |
1160 | |
1161 | err = hci_sock_bound_ioctl(sk, cmd, arg); |
1162 | |
1163 | done: |
1164 | release_sock(sk); |
1165 | return err; |
1166 | } |
1167 | |
1168 | #ifdef CONFIG_COMPAT |
1169 | static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd, |
1170 | unsigned long arg) |
1171 | { |
1172 | switch (cmd) { |
1173 | case HCIDEVUP: |
1174 | case HCIDEVDOWN: |
1175 | case HCIDEVRESET: |
1176 | case HCIDEVRESTAT: |
1177 | return hci_sock_ioctl(sock, cmd, arg); |
1178 | } |
1179 | |
1180 | return hci_sock_ioctl(sock, cmd, arg: (unsigned long)compat_ptr(uptr: arg)); |
1181 | } |
1182 | #endif |
1183 | |
1184 | static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, |
1185 | int addr_len) |
1186 | { |
1187 | struct sockaddr_hci haddr; |
1188 | struct sock *sk = sock->sk; |
1189 | struct hci_dev *hdev = NULL; |
1190 | struct sk_buff *skb; |
1191 | int len, err = 0; |
1192 | |
1193 | BT_DBG("sock %p sk %p" , sock, sk); |
1194 | |
1195 | if (!addr) |
1196 | return -EINVAL; |
1197 | |
1198 | memset(&haddr, 0, sizeof(haddr)); |
1199 | len = min_t(unsigned int, sizeof(haddr), addr_len); |
1200 | memcpy(&haddr, addr, len); |
1201 | |
1202 | if (haddr.hci_family != AF_BLUETOOTH) |
1203 | return -EINVAL; |
1204 | |
1205 | lock_sock(sk); |
1206 | |
1207 | /* Allow detaching from dead device and attaching to alive device, if |
1208 | * the caller wants to re-bind (instead of close) this socket in |
1209 | * response to hci_sock_dev_event(HCI_DEV_UNREG) notification. |
1210 | */ |
1211 | hdev = hci_pi(sk)->hdev; |
1212 | if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) { |
1213 | hci_pi(sk)->hdev = NULL; |
1214 | sk->sk_state = BT_OPEN; |
1215 | hci_dev_put(d: hdev); |
1216 | } |
1217 | hdev = NULL; |
1218 | |
1219 | if (sk->sk_state == BT_BOUND) { |
1220 | err = -EALREADY; |
1221 | goto done; |
1222 | } |
1223 | |
1224 | switch (haddr.hci_channel) { |
1225 | case HCI_CHANNEL_RAW: |
1226 | if (hci_pi(sk)->hdev) { |
1227 | err = -EALREADY; |
1228 | goto done; |
1229 | } |
1230 | |
1231 | if (haddr.hci_dev != HCI_DEV_NONE) { |
1232 | hdev = hci_dev_get(index: haddr.hci_dev); |
1233 | if (!hdev) { |
1234 | err = -ENODEV; |
1235 | goto done; |
1236 | } |
1237 | |
1238 | atomic_inc(v: &hdev->promisc); |
1239 | } |
1240 | |
1241 | hci_pi(sk)->channel = haddr.hci_channel; |
1242 | |
1243 | if (!hci_sock_gen_cookie(sk)) { |
1244 | /* In the case when a cookie has already been assigned, |
1245 | * then there has been already an ioctl issued against |
1246 | * an unbound socket and with that triggered an open |
1247 | * notification. Send a close notification first to |
1248 | * allow the state transition to bounded. |
1249 | */ |
1250 | skb = create_monitor_ctrl_close(sk); |
1251 | if (skb) { |
1252 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1253 | flag: HCI_SOCK_TRUSTED, NULL); |
1254 | kfree_skb(skb); |
1255 | } |
1256 | } |
1257 | |
1258 | if (capable(CAP_NET_ADMIN)) |
1259 | hci_sock_set_flag(sk, nr: HCI_SOCK_TRUSTED); |
1260 | |
1261 | hci_pi(sk)->hdev = hdev; |
1262 | |
1263 | /* Send event to monitor */ |
1264 | skb = create_monitor_ctrl_open(sk); |
1265 | if (skb) { |
1266 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1267 | flag: HCI_SOCK_TRUSTED, NULL); |
1268 | kfree_skb(skb); |
1269 | } |
1270 | break; |
1271 | |
1272 | case HCI_CHANNEL_USER: |
1273 | if (hci_pi(sk)->hdev) { |
1274 | err = -EALREADY; |
1275 | goto done; |
1276 | } |
1277 | |
1278 | if (haddr.hci_dev == HCI_DEV_NONE) { |
1279 | err = -EINVAL; |
1280 | goto done; |
1281 | } |
1282 | |
1283 | if (!capable(CAP_NET_ADMIN)) { |
1284 | err = -EPERM; |
1285 | goto done; |
1286 | } |
1287 | |
1288 | hdev = hci_dev_get(index: haddr.hci_dev); |
1289 | if (!hdev) { |
1290 | err = -ENODEV; |
1291 | goto done; |
1292 | } |
1293 | |
1294 | if (test_bit(HCI_INIT, &hdev->flags) || |
1295 | hci_dev_test_flag(hdev, HCI_SETUP) || |
1296 | hci_dev_test_flag(hdev, HCI_CONFIG) || |
1297 | (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) && |
1298 | test_bit(HCI_UP, &hdev->flags))) { |
1299 | err = -EBUSY; |
1300 | hci_dev_put(d: hdev); |
1301 | goto done; |
1302 | } |
1303 | |
1304 | if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) { |
1305 | err = -EUSERS; |
1306 | hci_dev_put(d: hdev); |
1307 | goto done; |
1308 | } |
1309 | |
1310 | mgmt_index_removed(hdev); |
1311 | |
1312 | err = hci_dev_open(dev: hdev->id); |
1313 | if (err) { |
1314 | if (err == -EALREADY) { |
1315 | /* In case the transport is already up and |
1316 | * running, clear the error here. |
1317 | * |
1318 | * This can happen when opening a user |
1319 | * channel and HCI_AUTO_OFF grace period |
1320 | * is still active. |
1321 | */ |
1322 | err = 0; |
1323 | } else { |
1324 | hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); |
1325 | mgmt_index_added(hdev); |
1326 | hci_dev_put(d: hdev); |
1327 | goto done; |
1328 | } |
1329 | } |
1330 | |
1331 | hci_pi(sk)->channel = haddr.hci_channel; |
1332 | |
1333 | if (!hci_sock_gen_cookie(sk)) { |
1334 | /* In the case when a cookie has already been assigned, |
1335 | * this socket will transition from a raw socket into |
1336 | * a user channel socket. For a clean transition, send |
1337 | * the close notification first. |
1338 | */ |
1339 | skb = create_monitor_ctrl_close(sk); |
1340 | if (skb) { |
1341 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1342 | flag: HCI_SOCK_TRUSTED, NULL); |
1343 | kfree_skb(skb); |
1344 | } |
1345 | } |
1346 | |
1347 | /* The user channel is restricted to CAP_NET_ADMIN |
1348 | * capabilities and with that implicitly trusted. |
1349 | */ |
1350 | hci_sock_set_flag(sk, nr: HCI_SOCK_TRUSTED); |
1351 | |
1352 | hci_pi(sk)->hdev = hdev; |
1353 | |
1354 | /* Send event to monitor */ |
1355 | skb = create_monitor_ctrl_open(sk); |
1356 | if (skb) { |
1357 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1358 | flag: HCI_SOCK_TRUSTED, NULL); |
1359 | kfree_skb(skb); |
1360 | } |
1361 | |
1362 | atomic_inc(v: &hdev->promisc); |
1363 | break; |
1364 | |
1365 | case HCI_CHANNEL_MONITOR: |
1366 | if (haddr.hci_dev != HCI_DEV_NONE) { |
1367 | err = -EINVAL; |
1368 | goto done; |
1369 | } |
1370 | |
1371 | if (!capable(CAP_NET_RAW)) { |
1372 | err = -EPERM; |
1373 | goto done; |
1374 | } |
1375 | |
1376 | hci_pi(sk)->channel = haddr.hci_channel; |
1377 | |
1378 | /* The monitor interface is restricted to CAP_NET_RAW |
1379 | * capabilities and with that implicitly trusted. |
1380 | */ |
1381 | hci_sock_set_flag(sk, nr: HCI_SOCK_TRUSTED); |
1382 | |
1383 | send_monitor_note(sk, fmt: "Linux version %s (%s)" , |
1384 | init_utsname()->release, |
1385 | init_utsname()->machine); |
1386 | send_monitor_note(sk, fmt: "Bluetooth subsystem version %u.%u" , |
1387 | BT_SUBSYS_VERSION, BT_SUBSYS_REVISION); |
1388 | send_monitor_replay(sk); |
1389 | send_monitor_control_replay(mon_sk: sk); |
1390 | |
1391 | atomic_inc(v: &monitor_promisc); |
1392 | break; |
1393 | |
1394 | case HCI_CHANNEL_LOGGING: |
1395 | if (haddr.hci_dev != HCI_DEV_NONE) { |
1396 | err = -EINVAL; |
1397 | goto done; |
1398 | } |
1399 | |
1400 | if (!capable(CAP_NET_ADMIN)) { |
1401 | err = -EPERM; |
1402 | goto done; |
1403 | } |
1404 | |
1405 | hci_pi(sk)->channel = haddr.hci_channel; |
1406 | break; |
1407 | |
1408 | default: |
1409 | if (!hci_mgmt_chan_find(channel: haddr.hci_channel)) { |
1410 | err = -EINVAL; |
1411 | goto done; |
1412 | } |
1413 | |
1414 | if (haddr.hci_dev != HCI_DEV_NONE) { |
1415 | err = -EINVAL; |
1416 | goto done; |
1417 | } |
1418 | |
1419 | /* Users with CAP_NET_ADMIN capabilities are allowed |
1420 | * access to all management commands and events. For |
1421 | * untrusted users the interface is restricted and |
1422 | * also only untrusted events are sent. |
1423 | */ |
1424 | if (capable(CAP_NET_ADMIN)) |
1425 | hci_sock_set_flag(sk, nr: HCI_SOCK_TRUSTED); |
1426 | |
1427 | hci_pi(sk)->channel = haddr.hci_channel; |
1428 | |
1429 | /* At the moment the index and unconfigured index events |
1430 | * are enabled unconditionally. Setting them on each |
1431 | * socket when binding keeps this functionality. They |
1432 | * however might be cleared later and then sending of these |
1433 | * events will be disabled, but that is then intentional. |
1434 | * |
1435 | * This also enables generic events that are safe to be |
1436 | * received by untrusted users. Example for such events |
1437 | * are changes to settings, class of device, name etc. |
1438 | */ |
1439 | if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { |
1440 | if (!hci_sock_gen_cookie(sk)) { |
1441 | /* In the case when a cookie has already been |
1442 | * assigned, this socket will transition from |
1443 | * a raw socket into a control socket. To |
1444 | * allow for a clean transition, send the |
1445 | * close notification first. |
1446 | */ |
1447 | skb = create_monitor_ctrl_close(sk); |
1448 | if (skb) { |
1449 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1450 | flag: HCI_SOCK_TRUSTED, NULL); |
1451 | kfree_skb(skb); |
1452 | } |
1453 | } |
1454 | |
1455 | /* Send event to monitor */ |
1456 | skb = create_monitor_ctrl_open(sk); |
1457 | if (skb) { |
1458 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, |
1459 | flag: HCI_SOCK_TRUSTED, NULL); |
1460 | kfree_skb(skb); |
1461 | } |
1462 | |
1463 | hci_sock_set_flag(sk, nr: HCI_MGMT_INDEX_EVENTS); |
1464 | hci_sock_set_flag(sk, nr: HCI_MGMT_UNCONF_INDEX_EVENTS); |
1465 | hci_sock_set_flag(sk, nr: HCI_MGMT_OPTION_EVENTS); |
1466 | hci_sock_set_flag(sk, nr: HCI_MGMT_SETTING_EVENTS); |
1467 | hci_sock_set_flag(sk, nr: HCI_MGMT_DEV_CLASS_EVENTS); |
1468 | hci_sock_set_flag(sk, nr: HCI_MGMT_LOCAL_NAME_EVENTS); |
1469 | } |
1470 | break; |
1471 | } |
1472 | |
1473 | /* Default MTU to HCI_MAX_FRAME_SIZE if not set */ |
1474 | if (!hci_pi(sk)->mtu) |
1475 | hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE; |
1476 | |
1477 | sk->sk_state = BT_BOUND; |
1478 | |
1479 | done: |
1480 | release_sock(sk); |
1481 | return err; |
1482 | } |
1483 | |
1484 | static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, |
1485 | int peer) |
1486 | { |
1487 | struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr; |
1488 | struct sock *sk = sock->sk; |
1489 | struct hci_dev *hdev; |
1490 | int err = 0; |
1491 | |
1492 | BT_DBG("sock %p sk %p" , sock, sk); |
1493 | |
1494 | if (peer) |
1495 | return -EOPNOTSUPP; |
1496 | |
1497 | lock_sock(sk); |
1498 | |
1499 | hdev = hci_hdev_from_sock(sk); |
1500 | if (IS_ERR(ptr: hdev)) { |
1501 | err = PTR_ERR(ptr: hdev); |
1502 | goto done; |
1503 | } |
1504 | |
1505 | haddr->hci_family = AF_BLUETOOTH; |
1506 | haddr->hci_dev = hdev->id; |
1507 | haddr->hci_channel= hci_pi(sk)->channel; |
1508 | err = sizeof(*haddr); |
1509 | |
1510 | done: |
1511 | release_sock(sk); |
1512 | return err; |
1513 | } |
1514 | |
1515 | static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg, |
1516 | struct sk_buff *skb) |
1517 | { |
1518 | __u8 mask = hci_pi(sk)->cmsg_mask; |
1519 | |
1520 | if (mask & HCI_CMSG_DIR) { |
1521 | int incoming = bt_cb(skb)->incoming; |
1522 | put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, len: sizeof(incoming), |
1523 | data: &incoming); |
1524 | } |
1525 | |
1526 | if (mask & HCI_CMSG_TSTAMP) { |
1527 | #ifdef CONFIG_COMPAT |
1528 | struct old_timeval32 ctv; |
1529 | #endif |
1530 | struct __kernel_old_timeval tv; |
1531 | void *data; |
1532 | int len; |
1533 | |
1534 | skb_get_timestamp(skb, stamp: &tv); |
1535 | |
1536 | data = &tv; |
1537 | len = sizeof(tv); |
1538 | #ifdef CONFIG_COMPAT |
1539 | if (!COMPAT_USE_64BIT_TIME && |
1540 | (msg->msg_flags & MSG_CMSG_COMPAT)) { |
1541 | ctv.tv_sec = tv.tv_sec; |
1542 | ctv.tv_usec = tv.tv_usec; |
1543 | data = &ctv; |
1544 | len = sizeof(ctv); |
1545 | } |
1546 | #endif |
1547 | |
1548 | put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data); |
1549 | } |
1550 | } |
1551 | |
1552 | static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg, |
1553 | size_t len, int flags) |
1554 | { |
1555 | struct scm_cookie scm; |
1556 | struct sock *sk = sock->sk; |
1557 | struct sk_buff *skb; |
1558 | int copied, err; |
1559 | unsigned int skblen; |
1560 | |
1561 | BT_DBG("sock %p, sk %p" , sock, sk); |
1562 | |
1563 | if (flags & MSG_OOB) |
1564 | return -EOPNOTSUPP; |
1565 | |
1566 | if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING) |
1567 | return -EOPNOTSUPP; |
1568 | |
1569 | if (sk->sk_state == BT_CLOSED) |
1570 | return 0; |
1571 | |
1572 | skb = skb_recv_datagram(sk, flags, err: &err); |
1573 | if (!skb) |
1574 | return err; |
1575 | |
1576 | skblen = skb->len; |
1577 | copied = skb->len; |
1578 | if (len < copied) { |
1579 | msg->msg_flags |= MSG_TRUNC; |
1580 | copied = len; |
1581 | } |
1582 | |
1583 | skb_reset_transport_header(skb); |
1584 | err = skb_copy_datagram_msg(from: skb, offset: 0, msg, size: copied); |
1585 | |
1586 | switch (hci_pi(sk)->channel) { |
1587 | case HCI_CHANNEL_RAW: |
1588 | hci_sock_cmsg(sk, msg, skb); |
1589 | break; |
1590 | case HCI_CHANNEL_USER: |
1591 | case HCI_CHANNEL_MONITOR: |
1592 | sock_recv_timestamp(msg, sk, skb); |
1593 | break; |
1594 | default: |
1595 | if (hci_mgmt_chan_find(hci_pi(sk)->channel)) |
1596 | sock_recv_timestamp(msg, sk, skb); |
1597 | break; |
1598 | } |
1599 | |
1600 | memset(&scm, 0, sizeof(scm)); |
1601 | scm.creds = bt_cb(skb)->creds; |
1602 | |
1603 | skb_free_datagram(sk, skb); |
1604 | |
1605 | if (flags & MSG_TRUNC) |
1606 | copied = skblen; |
1607 | |
1608 | scm_recv(sock, msg, scm: &scm, flags); |
1609 | |
1610 | return err ? : copied; |
1611 | } |
1612 | |
1613 | static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk, |
1614 | struct sk_buff *skb) |
1615 | { |
1616 | u8 *cp; |
1617 | struct mgmt_hdr *hdr; |
1618 | u16 opcode, index, len; |
1619 | struct hci_dev *hdev = NULL; |
1620 | const struct hci_mgmt_handler *handler; |
1621 | bool var_len, no_hdev; |
1622 | int err; |
1623 | |
1624 | BT_DBG("got %d bytes" , skb->len); |
1625 | |
1626 | if (skb->len < sizeof(*hdr)) |
1627 | return -EINVAL; |
1628 | |
1629 | hdr = (void *)skb->data; |
1630 | opcode = __le16_to_cpu(hdr->opcode); |
1631 | index = __le16_to_cpu(hdr->index); |
1632 | len = __le16_to_cpu(hdr->len); |
1633 | |
1634 | if (len != skb->len - sizeof(*hdr)) { |
1635 | err = -EINVAL; |
1636 | goto done; |
1637 | } |
1638 | |
1639 | if (chan->channel == HCI_CHANNEL_CONTROL) { |
1640 | struct sk_buff *cmd; |
1641 | |
1642 | /* Send event to monitor */ |
1643 | cmd = create_monitor_ctrl_command(sk, index, opcode, len, |
1644 | buf: skb->data + sizeof(*hdr)); |
1645 | if (cmd) { |
1646 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb: cmd, |
1647 | flag: HCI_SOCK_TRUSTED, NULL); |
1648 | kfree_skb(skb: cmd); |
1649 | } |
1650 | } |
1651 | |
1652 | if (opcode >= chan->handler_count || |
1653 | chan->handlers[opcode].func == NULL) { |
1654 | BT_DBG("Unknown op %u" , opcode); |
1655 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1656 | MGMT_STATUS_UNKNOWN_COMMAND); |
1657 | goto done; |
1658 | } |
1659 | |
1660 | handler = &chan->handlers[opcode]; |
1661 | |
1662 | if (!hci_sock_test_flag(sk, nr: HCI_SOCK_TRUSTED) && |
1663 | !(handler->flags & HCI_MGMT_UNTRUSTED)) { |
1664 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1665 | MGMT_STATUS_PERMISSION_DENIED); |
1666 | goto done; |
1667 | } |
1668 | |
1669 | if (index != MGMT_INDEX_NONE) { |
1670 | hdev = hci_dev_get(index); |
1671 | if (!hdev) { |
1672 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1673 | MGMT_STATUS_INVALID_INDEX); |
1674 | goto done; |
1675 | } |
1676 | |
1677 | if (hci_dev_test_flag(hdev, HCI_SETUP) || |
1678 | hci_dev_test_flag(hdev, HCI_CONFIG) || |
1679 | hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { |
1680 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1681 | MGMT_STATUS_INVALID_INDEX); |
1682 | goto done; |
1683 | } |
1684 | |
1685 | if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && |
1686 | !(handler->flags & HCI_MGMT_UNCONFIGURED)) { |
1687 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1688 | MGMT_STATUS_INVALID_INDEX); |
1689 | goto done; |
1690 | } |
1691 | } |
1692 | |
1693 | if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) { |
1694 | no_hdev = (handler->flags & HCI_MGMT_NO_HDEV); |
1695 | if (no_hdev != !hdev) { |
1696 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1697 | MGMT_STATUS_INVALID_INDEX); |
1698 | goto done; |
1699 | } |
1700 | } |
1701 | |
1702 | var_len = (handler->flags & HCI_MGMT_VAR_LEN); |
1703 | if ((var_len && len < handler->data_len) || |
1704 | (!var_len && len != handler->data_len)) { |
1705 | err = mgmt_cmd_status(sk, index, cmd: opcode, |
1706 | MGMT_STATUS_INVALID_PARAMS); |
1707 | goto done; |
1708 | } |
1709 | |
1710 | if (hdev && chan->hdev_init) |
1711 | chan->hdev_init(sk, hdev); |
1712 | |
1713 | cp = skb->data + sizeof(*hdr); |
1714 | |
1715 | err = handler->func(sk, hdev, cp, len); |
1716 | if (err < 0) |
1717 | goto done; |
1718 | |
1719 | err = skb->len; |
1720 | |
1721 | done: |
1722 | if (hdev) |
1723 | hci_dev_put(d: hdev); |
1724 | |
1725 | return err; |
1726 | } |
1727 | |
1728 | static int hci_logging_frame(struct sock *sk, struct sk_buff *skb, |
1729 | unsigned int flags) |
1730 | { |
1731 | struct hci_mon_hdr *hdr; |
1732 | struct hci_dev *hdev; |
1733 | u16 index; |
1734 | int err; |
1735 | |
1736 | /* The logging frame consists at minimum of the standard header, |
1737 | * the priority byte, the ident length byte and at least one string |
1738 | * terminator NUL byte. Anything shorter are invalid packets. |
1739 | */ |
1740 | if (skb->len < sizeof(*hdr) + 3) |
1741 | return -EINVAL; |
1742 | |
1743 | hdr = (void *)skb->data; |
1744 | |
1745 | if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr)) |
1746 | return -EINVAL; |
1747 | |
1748 | if (__le16_to_cpu(hdr->opcode) == 0x0000) { |
1749 | __u8 priority = skb->data[sizeof(*hdr)]; |
1750 | __u8 ident_len = skb->data[sizeof(*hdr) + 1]; |
1751 | |
1752 | /* Only the priorities 0-7 are valid and with that any other |
1753 | * value results in an invalid packet. |
1754 | * |
1755 | * The priority byte is followed by an ident length byte and |
1756 | * the NUL terminated ident string. Check that the ident |
1757 | * length is not overflowing the packet and also that the |
1758 | * ident string itself is NUL terminated. In case the ident |
1759 | * length is zero, the length value actually doubles as NUL |
1760 | * terminator identifier. |
1761 | * |
1762 | * The message follows the ident string (if present) and |
1763 | * must be NUL terminated. Otherwise it is not a valid packet. |
1764 | */ |
1765 | if (priority > 7 || skb->data[skb->len - 1] != 0x00 || |
1766 | ident_len > skb->len - sizeof(*hdr) - 3 || |
1767 | skb->data[sizeof(*hdr) + ident_len + 1] != 0x00) |
1768 | return -EINVAL; |
1769 | } else { |
1770 | return -EINVAL; |
1771 | } |
1772 | |
1773 | index = __le16_to_cpu(hdr->index); |
1774 | |
1775 | if (index != MGMT_INDEX_NONE) { |
1776 | hdev = hci_dev_get(index); |
1777 | if (!hdev) |
1778 | return -ENODEV; |
1779 | } else { |
1780 | hdev = NULL; |
1781 | } |
1782 | |
1783 | hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING); |
1784 | |
1785 | hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, flag: HCI_SOCK_TRUSTED, NULL); |
1786 | err = skb->len; |
1787 | |
1788 | if (hdev) |
1789 | hci_dev_put(d: hdev); |
1790 | |
1791 | return err; |
1792 | } |
1793 | |
1794 | static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg, |
1795 | size_t len) |
1796 | { |
1797 | struct sock *sk = sock->sk; |
1798 | struct hci_mgmt_chan *chan; |
1799 | struct hci_dev *hdev; |
1800 | struct sk_buff *skb; |
1801 | int err; |
1802 | const unsigned int flags = msg->msg_flags; |
1803 | |
1804 | BT_DBG("sock %p sk %p" , sock, sk); |
1805 | |
1806 | if (flags & MSG_OOB) |
1807 | return -EOPNOTSUPP; |
1808 | |
1809 | if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT)) |
1810 | return -EINVAL; |
1811 | |
1812 | if (len < 4 || len > hci_pi(sk)->mtu) |
1813 | return -EINVAL; |
1814 | |
1815 | skb = bt_skb_sendmsg(sk, msg, len, mtu: len, headroom: 0, tailroom: 0); |
1816 | if (IS_ERR(ptr: skb)) |
1817 | return PTR_ERR(ptr: skb); |
1818 | |
1819 | lock_sock(sk); |
1820 | |
1821 | switch (hci_pi(sk)->channel) { |
1822 | case HCI_CHANNEL_RAW: |
1823 | case HCI_CHANNEL_USER: |
1824 | break; |
1825 | case HCI_CHANNEL_MONITOR: |
1826 | err = -EOPNOTSUPP; |
1827 | goto drop; |
1828 | case HCI_CHANNEL_LOGGING: |
1829 | err = hci_logging_frame(sk, skb, flags); |
1830 | goto drop; |
1831 | default: |
1832 | mutex_lock(&mgmt_chan_list_lock); |
1833 | chan = __hci_mgmt_chan_find(hci_pi(sk)->channel); |
1834 | if (chan) |
1835 | err = hci_mgmt_cmd(chan, sk, skb); |
1836 | else |
1837 | err = -EINVAL; |
1838 | |
1839 | mutex_unlock(lock: &mgmt_chan_list_lock); |
1840 | goto drop; |
1841 | } |
1842 | |
1843 | hdev = hci_hdev_from_sock(sk); |
1844 | if (IS_ERR(ptr: hdev)) { |
1845 | err = PTR_ERR(ptr: hdev); |
1846 | goto drop; |
1847 | } |
1848 | |
1849 | if (!test_bit(HCI_UP, &hdev->flags)) { |
1850 | err = -ENETDOWN; |
1851 | goto drop; |
1852 | } |
1853 | |
1854 | hci_skb_pkt_type(skb) = skb->data[0]; |
1855 | skb_pull(skb, len: 1); |
1856 | |
1857 | if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { |
1858 | /* No permission check is needed for user channel |
1859 | * since that gets enforced when binding the socket. |
1860 | * |
1861 | * However check that the packet type is valid. |
1862 | */ |
1863 | if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT && |
1864 | hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && |
1865 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && |
1866 | hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) { |
1867 | err = -EINVAL; |
1868 | goto drop; |
1869 | } |
1870 | |
1871 | skb_queue_tail(list: &hdev->raw_q, newsk: skb); |
1872 | queue_work(wq: hdev->workqueue, work: &hdev->tx_work); |
1873 | } else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) { |
1874 | u16 opcode = get_unaligned_le16(p: skb->data); |
1875 | u16 ogf = hci_opcode_ogf(opcode); |
1876 | u16 ocf = hci_opcode_ocf(opcode); |
1877 | |
1878 | if (((ogf > HCI_SFLT_MAX_OGF) || |
1879 | !hci_test_bit(nr: ocf & HCI_FLT_OCF_BITS, |
1880 | addr: &hci_sec_filter.ocf_mask[ogf])) && |
1881 | !capable(CAP_NET_RAW)) { |
1882 | err = -EPERM; |
1883 | goto drop; |
1884 | } |
1885 | |
1886 | /* Since the opcode has already been extracted here, store |
1887 | * a copy of the value for later use by the drivers. |
1888 | */ |
1889 | hci_skb_opcode(skb) = opcode; |
1890 | |
1891 | if (ogf == 0x3f) { |
1892 | skb_queue_tail(list: &hdev->raw_q, newsk: skb); |
1893 | queue_work(wq: hdev->workqueue, work: &hdev->tx_work); |
1894 | } else { |
1895 | /* Stand-alone HCI commands must be flagged as |
1896 | * single-command requests. |
1897 | */ |
1898 | bt_cb(skb)->hci.req_flags |= HCI_REQ_START; |
1899 | |
1900 | skb_queue_tail(list: &hdev->cmd_q, newsk: skb); |
1901 | queue_work(wq: hdev->workqueue, work: &hdev->cmd_work); |
1902 | } |
1903 | } else { |
1904 | if (!capable(CAP_NET_RAW)) { |
1905 | err = -EPERM; |
1906 | goto drop; |
1907 | } |
1908 | |
1909 | if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT && |
1910 | hci_skb_pkt_type(skb) != HCI_SCODATA_PKT && |
1911 | hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) { |
1912 | err = -EINVAL; |
1913 | goto drop; |
1914 | } |
1915 | |
1916 | skb_queue_tail(list: &hdev->raw_q, newsk: skb); |
1917 | queue_work(wq: hdev->workqueue, work: &hdev->tx_work); |
1918 | } |
1919 | |
1920 | err = len; |
1921 | |
1922 | done: |
1923 | release_sock(sk); |
1924 | return err; |
1925 | |
1926 | drop: |
1927 | kfree_skb(skb); |
1928 | goto done; |
1929 | } |
1930 | |
1931 | static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, |
1932 | sockptr_t optval, unsigned int len) |
1933 | { |
1934 | struct hci_ufilter uf = { .opcode = 0 }; |
1935 | struct sock *sk = sock->sk; |
1936 | int err = 0, opt = 0; |
1937 | |
1938 | BT_DBG("sk %p, opt %d" , sk, optname); |
1939 | |
1940 | lock_sock(sk); |
1941 | |
1942 | if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { |
1943 | err = -EBADFD; |
1944 | goto done; |
1945 | } |
1946 | |
1947 | switch (optname) { |
1948 | case HCI_DATA_DIR: |
1949 | err = bt_copy_from_sockptr(dst: &opt, dst_size: sizeof(opt), src: optval, src_size: len); |
1950 | if (err) |
1951 | break; |
1952 | |
1953 | if (opt) |
1954 | hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; |
1955 | else |
1956 | hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR; |
1957 | break; |
1958 | |
1959 | case HCI_TIME_STAMP: |
1960 | err = bt_copy_from_sockptr(dst: &opt, dst_size: sizeof(opt), src: optval, src_size: len); |
1961 | if (err) |
1962 | break; |
1963 | |
1964 | if (opt) |
1965 | hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; |
1966 | else |
1967 | hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP; |
1968 | break; |
1969 | |
1970 | case HCI_FILTER: |
1971 | { |
1972 | struct hci_filter *f = &hci_pi(sk)->filter; |
1973 | |
1974 | uf.type_mask = f->type_mask; |
1975 | uf.opcode = f->opcode; |
1976 | uf.event_mask[0] = *((u32 *) f->event_mask + 0); |
1977 | uf.event_mask[1] = *((u32 *) f->event_mask + 1); |
1978 | } |
1979 | |
1980 | err = bt_copy_from_sockptr(dst: &uf, dst_size: sizeof(uf), src: optval, src_size: len); |
1981 | if (err) |
1982 | break; |
1983 | |
1984 | if (!capable(CAP_NET_RAW)) { |
1985 | uf.type_mask &= hci_sec_filter.type_mask; |
1986 | uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0); |
1987 | uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1); |
1988 | } |
1989 | |
1990 | { |
1991 | struct hci_filter *f = &hci_pi(sk)->filter; |
1992 | |
1993 | f->type_mask = uf.type_mask; |
1994 | f->opcode = uf.opcode; |
1995 | *((u32 *) f->event_mask + 0) = uf.event_mask[0]; |
1996 | *((u32 *) f->event_mask + 1) = uf.event_mask[1]; |
1997 | } |
1998 | break; |
1999 | |
2000 | default: |
2001 | err = -ENOPROTOOPT; |
2002 | break; |
2003 | } |
2004 | |
2005 | done: |
2006 | release_sock(sk); |
2007 | return err; |
2008 | } |
2009 | |
2010 | static int hci_sock_setsockopt(struct socket *sock, int level, int optname, |
2011 | sockptr_t optval, unsigned int len) |
2012 | { |
2013 | struct sock *sk = sock->sk; |
2014 | int err = 0; |
2015 | u16 opt; |
2016 | |
2017 | BT_DBG("sk %p, opt %d" , sk, optname); |
2018 | |
2019 | if (level == SOL_HCI) |
2020 | return hci_sock_setsockopt_old(sock, level, optname, optval, |
2021 | len); |
2022 | |
2023 | if (level != SOL_BLUETOOTH) |
2024 | return -ENOPROTOOPT; |
2025 | |
2026 | lock_sock(sk); |
2027 | |
2028 | switch (optname) { |
2029 | case BT_SNDMTU: |
2030 | case BT_RCVMTU: |
2031 | switch (hci_pi(sk)->channel) { |
2032 | /* Don't allow changing MTU for channels that are meant for HCI |
2033 | * traffic only. |
2034 | */ |
2035 | case HCI_CHANNEL_RAW: |
2036 | case HCI_CHANNEL_USER: |
2037 | err = -ENOPROTOOPT; |
2038 | goto done; |
2039 | } |
2040 | |
2041 | err = bt_copy_from_sockptr(dst: &opt, dst_size: sizeof(opt), src: optval, src_size: len); |
2042 | if (err) |
2043 | break; |
2044 | |
2045 | hci_pi(sk)->mtu = opt; |
2046 | break; |
2047 | |
2048 | default: |
2049 | err = -ENOPROTOOPT; |
2050 | break; |
2051 | } |
2052 | |
2053 | done: |
2054 | release_sock(sk); |
2055 | return err; |
2056 | } |
2057 | |
2058 | static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname, |
2059 | char __user *optval, int __user *optlen) |
2060 | { |
2061 | struct hci_ufilter uf; |
2062 | struct sock *sk = sock->sk; |
2063 | int len, opt, err = 0; |
2064 | |
2065 | BT_DBG("sk %p, opt %d" , sk, optname); |
2066 | |
2067 | if (get_user(len, optlen)) |
2068 | return -EFAULT; |
2069 | |
2070 | lock_sock(sk); |
2071 | |
2072 | if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { |
2073 | err = -EBADFD; |
2074 | goto done; |
2075 | } |
2076 | |
2077 | switch (optname) { |
2078 | case HCI_DATA_DIR: |
2079 | if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR) |
2080 | opt = 1; |
2081 | else |
2082 | opt = 0; |
2083 | |
2084 | if (put_user(opt, optval)) |
2085 | err = -EFAULT; |
2086 | break; |
2087 | |
2088 | case HCI_TIME_STAMP: |
2089 | if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP) |
2090 | opt = 1; |
2091 | else |
2092 | opt = 0; |
2093 | |
2094 | if (put_user(opt, optval)) |
2095 | err = -EFAULT; |
2096 | break; |
2097 | |
2098 | case HCI_FILTER: |
2099 | { |
2100 | struct hci_filter *f = &hci_pi(sk)->filter; |
2101 | |
2102 | memset(&uf, 0, sizeof(uf)); |
2103 | uf.type_mask = f->type_mask; |
2104 | uf.opcode = f->opcode; |
2105 | uf.event_mask[0] = *((u32 *) f->event_mask + 0); |
2106 | uf.event_mask[1] = *((u32 *) f->event_mask + 1); |
2107 | } |
2108 | |
2109 | len = min_t(unsigned int, len, sizeof(uf)); |
2110 | if (copy_to_user(to: optval, from: &uf, n: len)) |
2111 | err = -EFAULT; |
2112 | break; |
2113 | |
2114 | default: |
2115 | err = -ENOPROTOOPT; |
2116 | break; |
2117 | } |
2118 | |
2119 | done: |
2120 | release_sock(sk); |
2121 | return err; |
2122 | } |
2123 | |
2124 | static int hci_sock_getsockopt(struct socket *sock, int level, int optname, |
2125 | char __user *optval, int __user *optlen) |
2126 | { |
2127 | struct sock *sk = sock->sk; |
2128 | int err = 0; |
2129 | |
2130 | BT_DBG("sk %p, opt %d" , sk, optname); |
2131 | |
2132 | if (level == SOL_HCI) |
2133 | return hci_sock_getsockopt_old(sock, level, optname, optval, |
2134 | optlen); |
2135 | |
2136 | if (level != SOL_BLUETOOTH) |
2137 | return -ENOPROTOOPT; |
2138 | |
2139 | lock_sock(sk); |
2140 | |
2141 | switch (optname) { |
2142 | case BT_SNDMTU: |
2143 | case BT_RCVMTU: |
2144 | if (put_user(hci_pi(sk)->mtu, (u16 __user *)optval)) |
2145 | err = -EFAULT; |
2146 | break; |
2147 | |
2148 | default: |
2149 | err = -ENOPROTOOPT; |
2150 | break; |
2151 | } |
2152 | |
2153 | release_sock(sk); |
2154 | return err; |
2155 | } |
2156 | |
2157 | static void hci_sock_destruct(struct sock *sk) |
2158 | { |
2159 | mgmt_cleanup(sk); |
2160 | skb_queue_purge(list: &sk->sk_receive_queue); |
2161 | skb_queue_purge(list: &sk->sk_write_queue); |
2162 | } |
2163 | |
2164 | static const struct proto_ops hci_sock_ops = { |
2165 | .family = PF_BLUETOOTH, |
2166 | .owner = THIS_MODULE, |
2167 | .release = hci_sock_release, |
2168 | .bind = hci_sock_bind, |
2169 | .getname = hci_sock_getname, |
2170 | .sendmsg = hci_sock_sendmsg, |
2171 | .recvmsg = hci_sock_recvmsg, |
2172 | .ioctl = hci_sock_ioctl, |
2173 | #ifdef CONFIG_COMPAT |
2174 | .compat_ioctl = hci_sock_compat_ioctl, |
2175 | #endif |
2176 | .poll = datagram_poll, |
2177 | .listen = sock_no_listen, |
2178 | .shutdown = sock_no_shutdown, |
2179 | .setsockopt = hci_sock_setsockopt, |
2180 | .getsockopt = hci_sock_getsockopt, |
2181 | .connect = sock_no_connect, |
2182 | .socketpair = sock_no_socketpair, |
2183 | .accept = sock_no_accept, |
2184 | .mmap = sock_no_mmap |
2185 | }; |
2186 | |
2187 | static struct proto hci_sk_proto = { |
2188 | .name = "HCI" , |
2189 | .owner = THIS_MODULE, |
2190 | .obj_size = sizeof(struct hci_pinfo) |
2191 | }; |
2192 | |
2193 | static int hci_sock_create(struct net *net, struct socket *sock, int protocol, |
2194 | int kern) |
2195 | { |
2196 | struct sock *sk; |
2197 | |
2198 | BT_DBG("sock %p" , sock); |
2199 | |
2200 | if (sock->type != SOCK_RAW) |
2201 | return -ESOCKTNOSUPPORT; |
2202 | |
2203 | sock->ops = &hci_sock_ops; |
2204 | |
2205 | sk = bt_sock_alloc(net, sock, prot: &hci_sk_proto, proto: protocol, GFP_ATOMIC, |
2206 | kern); |
2207 | if (!sk) |
2208 | return -ENOMEM; |
2209 | |
2210 | sock->state = SS_UNCONNECTED; |
2211 | sk->sk_destruct = hci_sock_destruct; |
2212 | |
2213 | bt_sock_link(l: &hci_sk_list, s: sk); |
2214 | return 0; |
2215 | } |
2216 | |
2217 | static const struct net_proto_family hci_sock_family_ops = { |
2218 | .family = PF_BLUETOOTH, |
2219 | .owner = THIS_MODULE, |
2220 | .create = hci_sock_create, |
2221 | }; |
2222 | |
2223 | int __init hci_sock_init(void) |
2224 | { |
2225 | int err; |
2226 | |
2227 | BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr)); |
2228 | |
2229 | err = proto_register(prot: &hci_sk_proto, alloc_slab: 0); |
2230 | if (err < 0) |
2231 | return err; |
2232 | |
2233 | err = bt_sock_register(BTPROTO_HCI, ops: &hci_sock_family_ops); |
2234 | if (err < 0) { |
2235 | BT_ERR("HCI socket registration failed" ); |
2236 | goto error; |
2237 | } |
2238 | |
2239 | err = bt_procfs_init(net: &init_net, name: "hci" , sk_list: &hci_sk_list, NULL); |
2240 | if (err < 0) { |
2241 | BT_ERR("Failed to create HCI proc file" ); |
2242 | bt_sock_unregister(BTPROTO_HCI); |
2243 | goto error; |
2244 | } |
2245 | |
2246 | BT_INFO("HCI socket layer initialized" ); |
2247 | |
2248 | return 0; |
2249 | |
2250 | error: |
2251 | proto_unregister(prot: &hci_sk_proto); |
2252 | return err; |
2253 | } |
2254 | |
2255 | void hci_sock_cleanup(void) |
2256 | { |
2257 | bt_procfs_cleanup(net: &init_net, name: "hci" ); |
2258 | bt_sock_unregister(BTPROTO_HCI); |
2259 | proto_unregister(prot: &hci_sk_proto); |
2260 | } |
2261 | |