net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 static inline int hci_test_bit(int nr, void *addr)
  39 {
  40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  41 }
  42
  43 /* Security filter */
  44 static struct hci_sec_filter hci_sec_filter = {
  45         /* Packet types */
  46         0x10,
  47         /* Events */
  48         { 0x1000d9fe, 0x0000b00c },
  49         /* Commands */
  50         {
  51                 { 0x0 },
  52                 /* OGF_LINK_CTL */
  53                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  54                 /* OGF_LINK_POLICY */
  55                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  56                 /* OGF_HOST_CTL */
  57                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  58                 /* OGF_INFO_PARAM */
  59                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  60                 /* OGF_STATUS_PARAM */
  61                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  62         }
  63 };
  64
  65 static struct bt_sock_list hci_sk_list = {
  66         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  67 };
  68
  69 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
  70 {
  71         struct hci_filter *flt;
  72         int flt_type, flt_event;
  73
  74         /* Apply filter */
  75         flt = &hci_pi(sk)->filter;
  76
  77         if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT)
  78                 flt_type = 0;
  79         else
  80                 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS;
  81
  82         if (!test_bit(flt_type, &flt->type_mask))
  83                 return true;
  84
  85         /* Extra filter for event packets only */
  86         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT)
  87                 return false;
  88
  89         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
  90
  91         if (!hci_test_bit(flt_event, &flt->event_mask))
  92                 return true;
  93
  94         /* Check filter only when opcode is set */
  95         if (!flt->opcode)
  96                 return false;
  97
  98         if (flt_event == HCI_EV_CMD_COMPLETE &&
  99             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
 100                 return true;
 101
 102         if (flt_event == HCI_EV_CMD_STATUS &&
 103             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
 104                 return true;
 105
 106         return false;
 107 }
 108
 109 /* Send frame to RAW socket */
 110 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 111 {
 112         struct sock *sk;
 113         struct sk_buff *skb_copy = NULL;
 114
 115         BT_DBG("hdev %p len %d", hdev, skb->len);
 116
 117         read_lock(&hci_sk_list.lock);
 118
 119         sk_for_each(sk, &hci_sk_list.head) {
 120                 struct sk_buff *nskb;
 121
 122                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
 123                         continue;
 124
 125                 /* Don't send frame to the socket it came from */
 126                 if (skb->sk == sk)
 127                         continue;
 128
 129                 if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
 130                         if (is_filtered_packet(sk, skb))
 131                                 continue;
 132                 } else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 133                         if (!bt_cb(skb)->incoming)
 134                                 continue;
 135                         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT &&
 136                             bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 137                             bt_cb(skb)->pkt_type != HCI_SCODATA_PKT)
 138                                 continue;
 139                 } else {
 140                         /* Don't send frame to other channel types */
 141                         continue;
 142                 }
 143
 144                 if (!skb_copy) {
 145                         /* Create a private copy with headroom */
 146                         skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
 147                         if (!skb_copy)
 148                                 continue;
 149
 150                         /* Put type byte before the data */
 151                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 152                 }
 153
 154                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 155                 if (!nskb)
 156                         continue;
 157
 158                 if (sock_queue_rcv_skb(sk, nskb))
 159                         kfree_skb(nskb);
 160         }
 161
 162         read_unlock(&hci_sk_list.lock);
 163
 164         kfree_skb(skb_copy);
 165 }
 166
 167 /* Send frame to control socket */
 168 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 169 {
 170         struct sock *sk;
 171
 172         BT_DBG("len %d", skb->len);
 173
 174         read_lock(&hci_sk_list.lock);
 175
 176         sk_for_each(sk, &hci_sk_list.head) {
 177                 struct sk_buff *nskb;
 178
 179                 /* Skip the original socket */
 180                 if (sk == skip_sk)
 181                         continue;
 182
 183                 if (sk->sk_state != BT_BOUND)
 184                         continue;
 185
 186                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 187                         continue;
 188
 189                 nskb = skb_clone(skb, GFP_ATOMIC);
 190                 if (!nskb)
 191                         continue;
 192
 193                 if (sock_queue_rcv_skb(sk, nskb))
 194                         kfree_skb(nskb);
 195         }
 196
 197         read_unlock(&hci_sk_list.lock);
 198 }
 199
 200 /* Send frame to monitor socket */
 201 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 202 {
 203         struct sock *sk;
 204         struct sk_buff *skb_copy = NULL;
 205         __le16 opcode;
 206
 207         if (!atomic_read(&monitor_promisc))
 208                 return;
 209
 210         BT_DBG("hdev %p len %d", hdev, skb->len);
 211
 212         switch (bt_cb(skb)->pkt_type) {
 213         case HCI_COMMAND_PKT:
 214                 opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
 215                 break;
 216         case HCI_EVENT_PKT:
 217                 opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
 218                 break;
 219         case HCI_ACLDATA_PKT:
 220                 if (bt_cb(skb)->incoming)
 221                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
 222                 else
 223                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
 224                 break;
 225         case HCI_SCODATA_PKT:
 226                 if (bt_cb(skb)->incoming)
 227                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
 228                 else
 229                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
 230                 break;
 231         default:
 232                 return;
 233         }
 234
 235         read_lock(&hci_sk_list.lock);
 236
 237         sk_for_each(sk, &hci_sk_list.head) {
 238                 struct sk_buff *nskb;
 239
 240                 if (sk->sk_state != BT_BOUND)
 241                         continue;
 242
 243                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 244                         continue;
 245
 246                 if (!skb_copy) {
 247                         struct hci_mon_hdr *hdr;
 248
 249                         /* Create a private copy with headroom */
 250                         skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
 251                                                GFP_ATOMIC);
 252                         if (!skb_copy)
 253                                 continue;
 254
 255                         /* Put header before the data */
 256                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 257                         hdr->opcode = opcode;
 258                         hdr->index = cpu_to_le16(hdev->id);
 259                         hdr->len = cpu_to_le16(skb->len);
 260                 }
 261
 262                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 263                 if (!nskb)
 264                         continue;
 265
 266                 if (sock_queue_rcv_skb(sk, nskb))
 267                         kfree_skb(nskb);
 268         }
 269
 270         read_unlock(&hci_sk_list.lock);
 271
 272         kfree_skb(skb_copy);
 273 }
 274
 275 static void send_monitor_event(struct sk_buff *skb)
 276 {
 277         struct sock *sk;
 278
 279         BT_DBG("len %d", skb->len);
 280
 281         read_lock(&hci_sk_list.lock);
 282
 283         sk_for_each(sk, &hci_sk_list.head) {
 284                 struct sk_buff *nskb;
 285
 286                 if (sk->sk_state != BT_BOUND)
 287                         continue;
 288
 289                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 290                         continue;
 291
 292                 nskb = skb_clone(skb, GFP_ATOMIC);
 293                 if (!nskb)
 294                         continue;
 295
 296                 if (sock_queue_rcv_skb(sk, nskb))
 297                         kfree_skb(nskb);
 298         }
 299
 300         read_unlock(&hci_sk_list.lock);
 301 }
 302
 303 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 304 {
 305         struct hci_mon_hdr *hdr;
 306         struct hci_mon_new_index *ni;
 307         struct sk_buff *skb;
 308         __le16 opcode;
 309
 310         switch (event) {
 311         case HCI_DEV_REG:
 312                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 313                 if (!skb)
 314                         return NULL;
 315
 316                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 317                 ni->type = hdev->dev_type;
 318                 ni->bus = hdev->bus;
 319                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 320                 memcpy(ni->name, hdev->name, 8);
 321
 322                 opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
 323                 break;
 324
 325         case HCI_DEV_UNREG:
 326                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 327                 if (!skb)
 328                         return NULL;
 329
 330                 opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
 331                 break;
 332
 333         default:
 334                 return NULL;
 335         }
 336
 337         __net_timestamp(skb);
 338
 339         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 340         hdr->opcode = opcode;
 341         hdr->index = cpu_to_le16(hdev->id);
 342         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 343
 344         return skb;
 345 }
 346
 347 static void send_monitor_replay(struct sock *sk)
 348 {
 349         struct hci_dev *hdev;
 350
 351         read_lock(&hci_dev_list_lock);
 352
 353         list_for_each_entry(hdev, &hci_dev_list, list) {
 354                 struct sk_buff *skb;
 355
 356                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 357                 if (!skb)
 358                         continue;
 359
 360                 if (sock_queue_rcv_skb(sk, skb))
 361                         kfree_skb(skb);
 362         }
 363
 364         read_unlock(&hci_dev_list_lock);
 365 }
 366
 367 /* Generate internal stack event */
 368 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 369 {
 370         struct hci_event_hdr *hdr;
 371         struct hci_ev_stack_internal *ev;
 372         struct sk_buff *skb;
 373
 374         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 375         if (!skb)
 376                 return;
 377
 378         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 379         hdr->evt  = HCI_EV_STACK_INTERNAL;
 380         hdr->plen = sizeof(*ev) + dlen;
 381
 382         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 383         ev->type = type;
 384         memcpy(ev->data, data, dlen);
 385
 386         bt_cb(skb)->incoming = 1;
 387         __net_timestamp(skb);
 388
 389         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 390         skb->dev = (void *) hdev;
 391         hci_send_to_sock(hdev, skb);
 392         kfree_skb(skb);
 393 }
 394
 395 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 396 {
 397         struct hci_ev_si_device ev;
 398
 399         BT_DBG("hdev %s event %d", hdev->name, event);
 400
 401         /* Send event to monitor */
 402         if (atomic_read(&monitor_promisc)) {
 403                 struct sk_buff *skb;
 404
 405                 skb = create_monitor_event(hdev, event);
 406                 if (skb) {
 407                         send_monitor_event(skb);
 408                         kfree_skb(skb);
 409                 }
 410         }
 411
 412         /* Send event to sockets */
 413         ev.event  = event;
 414         ev.dev_id = hdev->id;
 415         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 416
 417         if (event == HCI_DEV_UNREG) {
 418                 struct sock *sk;
 419
 420                 /* Detach sockets from device */
 421                 read_lock(&hci_sk_list.lock);
 422                 sk_for_each(sk, &hci_sk_list.head) {
 423                         bh_lock_sock_nested(sk);
 424                         if (hci_pi(sk)->hdev == hdev) {
 425                                 hci_pi(sk)->hdev = NULL;
 426                                 sk->sk_err = EPIPE;
 427                                 sk->sk_state = BT_OPEN;
 428                                 sk->sk_state_change(sk);
 429
 430                                 hci_dev_put(hdev);
 431                         }
 432                         bh_unlock_sock(sk);
 433                 }
 434                 read_unlock(&hci_sk_list.lock);
 435         }
 436 }
 437
 438 static int hci_sock_release(struct socket *sock)
 439 {
 440         struct sock *sk = sock->sk;
 441         struct hci_dev *hdev;
 442
 443         BT_DBG("sock %p sk %p", sock, sk);
 444
 445         if (!sk)
 446                 return 0;
 447
 448         hdev = hci_pi(sk)->hdev;
 449
 450         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 451                 atomic_dec(&monitor_promisc);
 452
 453         bt_sock_unlink(&hci_sk_list, sk);
 454
 455         if (hdev) {
 456                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
 457                         mgmt_index_added(hdev);
 458                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 459                         hci_dev_close(hdev->id);
 460                 }
 461
 462                 atomic_dec(&hdev->promisc);
 463                 hci_dev_put(hdev);
 464         }
 465
 466         sock_orphan(sk);
 467
 468         skb_queue_purge(&sk->sk_receive_queue);
 469         skb_queue_purge(&sk->sk_write_queue);
 470
 471         sock_put(sk);
 472         return 0;
 473 }
 474
 475 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 476 {
 477         bdaddr_t bdaddr;
 478         int err;
 479
 480         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 481                 return -EFAULT;
 482
 483         hci_dev_lock(hdev);
 484
 485         err = hci_blacklist_add(hdev, &bdaddr, 0);
 486
 487         hci_dev_unlock(hdev);
 488
 489         return err;
 490 }
 491
 492 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 493 {
 494         bdaddr_t bdaddr;
 495         int err;
 496
 497         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 498                 return -EFAULT;
 499
 500         hci_dev_lock(hdev);
 501
 502         err = hci_blacklist_del(hdev, &bdaddr, 0);
 503
 504         hci_dev_unlock(hdev);
 505
 506         return err;
 507 }
 508
 509 /* Ioctls that require bound socket */
 510 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 511                                 unsigned long arg)
 512 {
 513         struct hci_dev *hdev = hci_pi(sk)->hdev;
 514
 515         if (!hdev)
 516                 return -EBADFD;
 517
 518         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
 519                 return -EBUSY;
 520
 521         switch (cmd) {
 522         case HCISETRAW:
 523                 if (!capable(CAP_NET_ADMIN))
 524                         return -EPERM;
 525
 526                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 527                         return -EPERM;
 528
 529                 if (arg)
 530                         set_bit(HCI_RAW, &hdev->flags);
 531                 else
 532                         clear_bit(HCI_RAW, &hdev->flags);
 533
 534                 return 0;
 535
 536         case HCIGETCONNINFO:
 537                 return hci_get_conn_info(hdev, (void __user *) arg);
 538
 539         case HCIGETAUTHINFO:
 540                 return hci_get_auth_info(hdev, (void __user *) arg);
 541
 542         case HCIBLOCKADDR:
 543                 if (!capable(CAP_NET_ADMIN))
 544                         return -EPERM;
 545                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 546
 547         case HCIUNBLOCKADDR:
 548                 if (!capable(CAP_NET_ADMIN))
 549                         return -EPERM;
 550                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 551         }
 552
 553         if (hdev->ioctl)
 554                 return hdev->ioctl(hdev, cmd, arg);
 555
 556         return -EINVAL;
 557 }
 558
 559 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 560                           unsigned long arg)
 561 {
 562         void __user *argp = (void __user *) arg;
 563         struct sock *sk = sock->sk;
 564         int err;
 565
 566         BT_DBG("cmd %x arg %lx", cmd, arg);
 567
 568         lock_sock(sk);
 569
 570         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 571                 err = -EBADFD;
 572                 goto done;
 573         }
 574
 575         release_sock(sk);
 576
 577         switch (cmd) {
 578         case HCIGETDEVLIST:
 579                 return hci_get_dev_list(argp);
 580
 581         case HCIGETDEVINFO:
 582                 return hci_get_dev_info(argp);
 583
 584         case HCIGETCONNLIST:
 585                 return hci_get_conn_list(argp);
 586
 587         case HCIDEVUP:
 588                 if (!capable(CAP_NET_ADMIN))
 589                         return -EPERM;
 590                 return hci_dev_open(arg);
 591
 592         case HCIDEVDOWN:
 593                 if (!capable(CAP_NET_ADMIN))
 594                         return -EPERM;
 595                 return hci_dev_close(arg);
 596
 597         case HCIDEVRESET:
 598                 if (!capable(CAP_NET_ADMIN))
 599                         return -EPERM;
 600                 return hci_dev_reset(arg);
 601
 602         case HCIDEVRESTAT:
 603                 if (!capable(CAP_NET_ADMIN))
 604                         return -EPERM;
 605                 return hci_dev_reset_stat(arg);
 606
 607         case HCISETSCAN:
 608         case HCISETAUTH:
 609         case HCISETENCRYPT:
 610         case HCISETPTYPE:
 611         case HCISETLINKPOL:
 612         case HCISETLINKMODE:
 613         case HCISETACLMTU:
 614         case HCISETSCOMTU:
 615                 if (!capable(CAP_NET_ADMIN))
 616                         return -EPERM;
 617                 return hci_dev_cmd(cmd, argp);
 618
 619         case HCIINQUIRY:
 620                 return hci_inquiry(argp);
 621         }
 622
 623         lock_sock(sk);
 624
 625         err = hci_sock_bound_ioctl(sk, cmd, arg);
 626
 627 done:
 628         release_sock(sk);
 629         return err;
 630 }
 631
 632 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 633                          int addr_len)
 634 {
 635         struct sockaddr_hci haddr;
 636         struct sock *sk = sock->sk;
 637         struct hci_dev *hdev = NULL;
 638         int len, err = 0;
 639
 640         BT_DBG("sock %p sk %p", sock, sk);
 641
 642         if (!addr)
 643                 return -EINVAL;
 644
 645         memset(&haddr, 0, sizeof(haddr));
 646         len = min_t(unsigned int, sizeof(haddr), addr_len);
 647         memcpy(&haddr, addr, len);
 648
 649         if (haddr.hci_family != AF_BLUETOOTH)
 650                 return -EINVAL;
 651
 652         lock_sock(sk);
 653
 654         if (sk->sk_state == BT_BOUND) {
 655                 err = -EALREADY;
 656                 goto done;
 657         }
 658
 659         switch (haddr.hci_channel) {
 660         case HCI_CHANNEL_RAW:
 661                 if (hci_pi(sk)->hdev) {
 662                         err = -EALREADY;
 663                         goto done;
 664                 }
 665
 666                 if (haddr.hci_dev != HCI_DEV_NONE) {
 667                         hdev = hci_dev_get(haddr.hci_dev);
 668                         if (!hdev) {
 669                                 err = -ENODEV;
 670                                 goto done;
 671                         }
 672
 673                         atomic_inc(&hdev->promisc);
 674                 }
 675
 676                 hci_pi(sk)->hdev = hdev;
 677                 break;
 678
 679         case HCI_CHANNEL_USER:
 680                 if (hci_pi(sk)->hdev) {
 681                         err = -EALREADY;
 682                         goto done;
 683                 }
 684
 685                 if (haddr.hci_dev == HCI_DEV_NONE) {
 686                         err = -EINVAL;
 687                         goto done;
 688                 }
 689
 690                 if (!capable(CAP_NET_ADMIN)) {
 691                         err = -EPERM;
 692                         goto done;
 693                 }
 694
 695                 hdev = hci_dev_get(haddr.hci_dev);
 696                 if (!hdev) {
 697                         err = -ENODEV;
 698                         goto done;
 699                 }
 700
 701                 if (test_bit(HCI_UP, &hdev->flags) ||
 702                     test_bit(HCI_INIT, &hdev->flags) ||
 703                     test_bit(HCI_SETUP, &hdev->dev_flags)) {
 704                         err = -EBUSY;
 705                         hci_dev_put(hdev);
 706                         goto done;
 707                 }
 708
 709                 if (test_and_set_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
 710                         err = -EUSERS;
 711                         hci_dev_put(hdev);
 712                         goto done;
 713                 }
 714
 715                 mgmt_index_removed(hdev);
 716
 717                 err = hci_dev_open(hdev->id);
 718                 if (err) {
 719                         clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
 720                         hci_dev_put(hdev);
 721                         goto done;
 722                 }
 723
 724                 atomic_inc(&hdev->promisc);
 725
 726                 hci_pi(sk)->hdev = hdev;
 727                 break;
 728
 729         case HCI_CHANNEL_CONTROL:
 730                 if (haddr.hci_dev != HCI_DEV_NONE) {
 731                         err = -EINVAL;
 732                         goto done;
 733                 }
 734
 735                 if (!capable(CAP_NET_ADMIN)) {
 736                         err = -EPERM;
 737                         goto done;
 738                 }
 739
 740                 break;
 741
 742         case HCI_CHANNEL_MONITOR:
 743                 if (haddr.hci_dev != HCI_DEV_NONE) {
 744                         err = -EINVAL;
 745                         goto done;
 746                 }
 747
 748                 if (!capable(CAP_NET_RAW)) {
 749                         err = -EPERM;
 750                         goto done;
 751                 }
 752
 753                 send_monitor_replay(sk);
 754
 755                 atomic_inc(&monitor_promisc);
 756                 break;
 757
 758         default:
 759                 err = -EINVAL;
 760                 goto done;
 761         }
 762
 763
 764         hci_pi(sk)->channel = haddr.hci_channel;
 765         sk->sk_state = BT_BOUND;
 766
 767 done:
 768         release_sock(sk);
 769         return err;
 770 }
 771
 772 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 773                             int *addr_len, int peer)
 774 {
 775         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 776         struct sock *sk = sock->sk;
 777         struct hci_dev *hdev;
 778         int err = 0;
 779
 780         BT_DBG("sock %p sk %p", sock, sk);
 781
 782         if (peer)
 783                 return -EOPNOTSUPP;
 784
 785         lock_sock(sk);
 786
 787         hdev = hci_pi(sk)->hdev;
 788         if (!hdev) {
 789                 err = -EBADFD;
 790                 goto done;
 791         }
 792
 793         *addr_len = sizeof(*haddr);
 794         haddr->hci_family = AF_BLUETOOTH;
 795         haddr->hci_dev    = hdev->id;
 796         haddr->hci_channel= hci_pi(sk)->channel;
 797
 798 done:
 799         release_sock(sk);
 800         return err;
 801 }
 802
 803 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 804                           struct sk_buff *skb)
 805 {
 806         __u32 mask = hci_pi(sk)->cmsg_mask;
 807
 808         if (mask & HCI_CMSG_DIR) {
 809                 int incoming = bt_cb(skb)->incoming;
 810                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 811                          &incoming);
 812         }
 813
 814         if (mask & HCI_CMSG_TSTAMP) {
 815 #ifdef CONFIG_COMPAT
 816                 struct compat_timeval ctv;
 817 #endif
 818                 struct timeval tv;
 819                 void *data;
 820                 int len;
 821
 822                 skb_get_timestamp(skb, &tv);
 823
 824                 data = &tv;
 825                 len = sizeof(tv);
 826 #ifdef CONFIG_COMPAT
 827                 if (!COMPAT_USE_64BIT_TIME &&
 828                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 829                         ctv.tv_sec = tv.tv_sec;
 830                         ctv.tv_usec = tv.tv_usec;
 831                         data = &ctv;
 832                         len = sizeof(ctv);
 833                 }
 834 #endif
 835
 836                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 837         }
 838 }
 839
 840 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 841                             struct msghdr *msg, size_t len, int flags)
 842 {
 843         int noblock = flags & MSG_DONTWAIT;
 844         struct sock *sk = sock->sk;
 845         struct sk_buff *skb;
 846         int copied, err;
 847
 848         BT_DBG("sock %p, sk %p", sock, sk);
 849
 850         if (flags & (MSG_OOB))
 851                 return -EOPNOTSUPP;
 852
 853         if (sk->sk_state == BT_CLOSED)
 854                 return 0;
 855
 856         skb = skb_recv_datagram(sk, flags, noblock, &err);
 857         if (!skb)
 858                 return err;
 859
 860         msg->msg_namelen = 0;
 861
 862         copied = skb->len;
 863         if (len < copied) {
 864                 msg->msg_flags |= MSG_TRUNC;
 865                 copied = len;
 866         }
 867
 868         skb_reset_transport_header(skb);
 869         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 870
 871         switch (hci_pi(sk)->channel) {
 872         case HCI_CHANNEL_RAW:
 873                 hci_sock_cmsg(sk, msg, skb);
 874                 break;
 875         case HCI_CHANNEL_USER:
 876         case HCI_CHANNEL_CONTROL:
 877         case HCI_CHANNEL_MONITOR:
 878                 sock_recv_timestamp(msg, sk, skb);
 879                 break;
 880         }
 881
 882         skb_free_datagram(sk, skb);
 883
 884         return err ? : copied;
 885 }
 886
 887 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 888                             struct msghdr *msg, size_t len)
 889 {
 890         struct sock *sk = sock->sk;
 891         struct hci_dev *hdev;
 892         struct sk_buff *skb;
 893         int err;
 894
 895         BT_DBG("sock %p sk %p", sock, sk);
 896
 897         if (msg->msg_flags & MSG_OOB)
 898                 return -EOPNOTSUPP;
 899
 900         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 901                 return -EINVAL;
 902
 903         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 904                 return -EINVAL;
 905
 906         lock_sock(sk);
 907
 908         switch (hci_pi(sk)->channel) {
 909         case HCI_CHANNEL_RAW:
 910         case HCI_CHANNEL_USER:
 911                 break;
 912         case HCI_CHANNEL_CONTROL:
 913                 err = mgmt_control(sk, msg, len);
 914                 goto done;
 915         case HCI_CHANNEL_MONITOR:
 916                 err = -EOPNOTSUPP;
 917                 goto done;
 918         default:
 919                 err = -EINVAL;
 920                 goto done;
 921         }
 922
 923         hdev = hci_pi(sk)->hdev;
 924         if (!hdev) {
 925                 err = -EBADFD;
 926                 goto done;
 927         }
 928
 929         if (!test_bit(HCI_UP, &hdev->flags)) {
 930                 err = -ENETDOWN;
 931                 goto done;
 932         }
 933
 934         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 935         if (!skb)
 936                 goto done;
 937
 938         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 939                 err = -EFAULT;
 940                 goto drop;
 941         }
 942
 943         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 944         skb_pull(skb, 1);
 945         skb->dev = (void *) hdev;
 946
 947         if (hci_pi(sk)->channel == HCI_CHANNEL_RAW &&
 948             bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 949                 u16 opcode = get_unaligned_le16(skb->data);
 950                 u16 ogf = hci_opcode_ogf(opcode);
 951                 u16 ocf = hci_opcode_ocf(opcode);
 952
 953                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 954                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 955                                    &hci_sec_filter.ocf_mask[ogf])) &&
 956                     !capable(CAP_NET_RAW)) {
 957                         err = -EPERM;
 958                         goto drop;
 959                 }
 960
 961                 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
 962                         skb_queue_tail(&hdev->raw_q, skb);
 963                         queue_work(hdev->workqueue, &hdev->tx_work);
 964                 } else {
 965                         /* Stand-alone HCI commands must be flaged as
 966                          * single-command requests.
 967                          */
 968                         bt_cb(skb)->req.start = true;
 969
 970                         skb_queue_tail(&hdev->cmd_q, skb);
 971                         queue_work(hdev->workqueue, &hdev->cmd_work);
 972                 }
 973         } else {
 974                 if (!capable(CAP_NET_RAW)) {
 975                         err = -EPERM;
 976                         goto drop;
 977                 }
 978
 979                 if (hci_pi(sk)->channel == HCI_CHANNEL_USER &&
 980                     bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
 981                     bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
 982                     bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
 983                         err = -EINVAL;
 984                         goto drop;
 985                 }
 986
 987                 skb_queue_tail(&hdev->raw_q, skb);
 988                 queue_work(hdev->workqueue, &hdev->tx_work);
 989         }
 990
 991         err = len;
 992
 993 done:
 994         release_sock(sk);
 995         return err;
 996
 997 drop:
 998         kfree_skb(skb);
 999         goto done;
1000 }
1001
1002 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
1003                                char __user *optval, unsigned int len)
1004 {
1005         struct hci_ufilter uf = { .opcode = 0 };
1006         struct sock *sk = sock->sk;
1007         int err = 0, opt = 0;
1008
1009         BT_DBG("sk %p, opt %d", sk, optname);
1010
1011         lock_sock(sk);
1012
1013         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1014                 err = -EBADFD;
1015                 goto done;
1016         }
1017
1018         switch (optname) {
1019         case HCI_DATA_DIR:
1020                 if (get_user(opt, (int __user *)optval)) {
1021                         err = -EFAULT;
1022                         break;
1023                 }
1024
1025                 if (opt)
1026                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1027                 else
1028                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1029                 break;
1030
1031         case HCI_TIME_STAMP:
1032                 if (get_user(opt, (int __user *)optval)) {
1033                         err = -EFAULT;
1034                         break;
1035                 }
1036
1037                 if (opt)
1038                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1039                 else
1040                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1041                 break;
1042
1043         case HCI_FILTER:
1044                 {
1045                         struct hci_filter *f = &hci_pi(sk)->filter;
1046
1047                         uf.type_mask = f->type_mask;
1048                         uf.opcode    = f->opcode;
1049                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1050                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1051                 }
1052
1053                 len = min_t(unsigned int, len, sizeof(uf));
1054                 if (copy_from_user(&uf, optval, len)) {
1055                         err = -EFAULT;
1056                         break;
1057                 }
1058
1059                 if (!capable(CAP_NET_RAW)) {
1060                         uf.type_mask &= hci_sec_filter.type_mask;
1061                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1062                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1063                 }
1064
1065                 {
1066                         struct hci_filter *f = &hci_pi(sk)->filter;
1067
1068                         f->type_mask = uf.type_mask;
1069                         f->opcode    = uf.opcode;
1070                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
1071                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
1072                 }
1073                 break;
1074
1075         default:
1076                 err = -ENOPROTOOPT;
1077                 break;
1078         }
1079
1080 done:
1081         release_sock(sk);
1082         return err;
1083 }
1084
1085 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1086                                char __user *optval, int __user *optlen)
1087 {
1088         struct hci_ufilter uf;
1089         struct sock *sk = sock->sk;
1090         int len, opt, err = 0;
1091
1092         BT_DBG("sk %p, opt %d", sk, optname);
1093
1094         if (get_user(len, optlen))
1095                 return -EFAULT;
1096
1097         lock_sock(sk);
1098
1099         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1100                 err = -EBADFD;
1101                 goto done;
1102         }
1103
1104         switch (optname) {
1105         case HCI_DATA_DIR:
1106                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1107                         opt = 1;
1108                 else
1109                         opt = 0;
1110
1111                 if (put_user(opt, optval))
1112                         err = -EFAULT;
1113                 break;
1114
1115         case HCI_TIME_STAMP:
1116                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1117                         opt = 1;
1118                 else
1119                         opt = 0;
1120
1121                 if (put_user(opt, optval))
1122                         err = -EFAULT;
1123                 break;
1124
1125         case HCI_FILTER:
1126                 {
1127                         struct hci_filter *f = &hci_pi(sk)->filter;
1128
1129                         memset(&uf, 0, sizeof(uf));
1130                         uf.type_mask = f->type_mask;
1131                         uf.opcode    = f->opcode;
1132                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1133                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1134                 }
1135
1136                 len = min_t(unsigned int, len, sizeof(uf));
1137                 if (copy_to_user(optval, &uf, len))
1138                         err = -EFAULT;
1139                 break;
1140
1141         default:
1142                 err = -ENOPROTOOPT;
1143                 break;
1144         }
1145
1146 done:
1147         release_sock(sk);
1148         return err;
1149 }
1150
1151 static const struct proto_ops hci_sock_ops = {
1152         .family         = PF_BLUETOOTH,
1153         .owner          = THIS_MODULE,
1154         .release        = hci_sock_release,
1155         .bind           = hci_sock_bind,
1156         .getname        = hci_sock_getname,
1157         .sendmsg        = hci_sock_sendmsg,
1158         .recvmsg        = hci_sock_recvmsg,
1159         .ioctl          = hci_sock_ioctl,
1160         .poll           = datagram_poll,
1161         .listen         = sock_no_listen,
1162         .shutdown       = sock_no_shutdown,
1163         .setsockopt     = hci_sock_setsockopt,
1164         .getsockopt     = hci_sock_getsockopt,
1165         .connect        = sock_no_connect,
1166         .socketpair     = sock_no_socketpair,
1167         .accept         = sock_no_accept,
1168         .mmap           = sock_no_mmap
1169 };
1170
1171 static struct proto hci_sk_proto = {
1172         .name           = "HCI",
1173         .owner          = THIS_MODULE,
1174         .obj_size       = sizeof(struct hci_pinfo)
1175 };
1176
1177 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1178                            int kern)
1179 {
1180         struct sock *sk;
1181
1182         BT_DBG("sock %p", sock);
1183
1184         if (sock->type != SOCK_RAW)
1185                 return -ESOCKTNOSUPPORT;
1186
1187         sock->ops = &hci_sock_ops;
1188
1189         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1190         if (!sk)
1191                 return -ENOMEM;
1192
1193         sock_init_data(sock, sk);
1194
1195         sock_reset_flag(sk, SOCK_ZAPPED);
1196
1197         sk->sk_protocol = protocol;
1198
1199         sock->state = SS_UNCONNECTED;
1200         sk->sk_state = BT_OPEN;
1201
1202         bt_sock_link(&hci_sk_list, sk);
1203         return 0;
1204 }
1205
1206 static const struct net_proto_family hci_sock_family_ops = {
1207         .family = PF_BLUETOOTH,
1208         .owner  = THIS_MODULE,
1209         .create = hci_sock_create,
1210 };
1211
1212 int __init hci_sock_init(void)
1213 {
1214         int err;
1215
1216         err = proto_register(&hci_sk_proto, 0);
1217         if (err < 0)
1218                 return err;
1219
1220         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1221         if (err < 0) {
1222                 BT_ERR("HCI socket registration failed");
1223                 goto error;
1224         }
1225
1226         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1227         if (err < 0) {
1228                 BT_ERR("Failed to create HCI proc file");
1229                 bt_sock_unregister(BTPROTO_HCI);
1230                 goto error;
1231         }
1232
1233         BT_INFO("HCI socket layer initialized");
1234
1235         return 0;
1236
1237 error:
1238         proto_unregister(&hci_sk_proto);
1239         return err;
1240 }
1241
1242 void hci_sock_cleanup(void)
1243 {
1244         bt_procfs_cleanup(&init_net, "hci");
1245         bt_sock_unregister(BTPROTO_HCI);
1246         proto_unregister(&hci_sk_proto);
1247 }