net/bluetooth/hci_sock.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI sockets. */
  26
  27 #include <linux/export.h>
  28 #include <asm/unaligned.h>
  29
  30 #include <net/bluetooth/bluetooth.h>
  31 #include <net/bluetooth/hci_core.h>
  32 #include <net/bluetooth/hci_mon.h>
  33
  34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
  35
  36 /* ----- HCI socket interface ----- */
  37
  38 static inline int hci_test_bit(int nr, void *addr)
  39 {
  40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
  41 }
  42
  43 /* Security filter */
  44 static struct hci_sec_filter hci_sec_filter = {
  45         /* Packet types */
  46         0x10,
  47         /* Events */
  48         { 0x1000d9fe, 0x0000b00c },
  49         /* Commands */
  50         {
  51                 { 0x0 },
  52                 /* OGF_LINK_CTL */
  53                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
  54                 /* OGF_LINK_POLICY */
  55                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
  56                 /* OGF_HOST_CTL */
  57                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
  58                 /* OGF_INFO_PARAM */
  59                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
  60                 /* OGF_STATUS_PARAM */
  61                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
  62         }
  63 };
  64
  65 static struct bt_sock_list hci_sk_list = {
  66         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
  67 };
  68
  69 static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
  70 {
  71         struct hci_filter *flt;
  72         int flt_type, flt_event;
  73
  74         /* Apply filter */
  75         flt = &hci_pi(sk)->filter;
  76
  77         if (bt_cb(skb)->pkt_type == HCI_VENDOR_PKT)
  78                 flt_type = 0;
  79         else
  80                 flt_type = bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS;
  81
  82         if (!test_bit(flt_type, &flt->type_mask))
  83                 return true;
  84
  85         /* Extra filter for event packets only */
  86         if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT)
  87                 return false;
  88
  89         flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
  90
  91         if (!hci_test_bit(flt_event, &flt->event_mask))
  92                 return true;
  93
  94         /* Check filter only when opcode is set */
  95         if (!flt->opcode)
  96                 return false;
  97
  98         if (flt_event == HCI_EV_CMD_COMPLETE &&
  99             flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
 100                 return true;
 101
 102         if (flt_event == HCI_EV_CMD_STATUS &&
 103             flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
 104                 return true;
 105
 106         return false;
 107 }
 108
 109 /* Send frame to RAW socket */
 110 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
 111 {
 112         struct sock *sk;
 113         struct sk_buff *skb_copy = NULL;
 114
 115         BT_DBG("hdev %p len %d", hdev, skb->len);
 116
 117         read_lock(&hci_sk_list.lock);
 118
 119         sk_for_each(sk, &hci_sk_list.head) {
 120                 struct sk_buff *nskb;
 121
 122                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
 123                         continue;
 124
 125                 /* Don't send frame to the socket it came from */
 126                 if (skb->sk == sk)
 127                         continue;
 128
 129                 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW)
 130                         continue;
 131
 132                 if (is_filtered_packet(sk, skb))
 133                         continue;
 134
 135                 if (!skb_copy) {
 136                         /* Create a private copy with headroom */
 137                         skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
 138                         if (!skb_copy)
 139                                 continue;
 140
 141                         /* Put type byte before the data */
 142                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
 143                 }
 144
 145                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 146                 if (!nskb)
 147                         continue;
 148
 149                 if (sock_queue_rcv_skb(sk, nskb))
 150                         kfree_skb(nskb);
 151         }
 152
 153         read_unlock(&hci_sk_list.lock);
 154
 155         kfree_skb(skb_copy);
 156 }
 157
 158 /* Send frame to control socket */
 159 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
 160 {
 161         struct sock *sk;
 162
 163         BT_DBG("len %d", skb->len);
 164
 165         read_lock(&hci_sk_list.lock);
 166
 167         sk_for_each(sk, &hci_sk_list.head) {
 168                 struct sk_buff *nskb;
 169
 170                 /* Skip the original socket */
 171                 if (sk == skip_sk)
 172                         continue;
 173
 174                 if (sk->sk_state != BT_BOUND)
 175                         continue;
 176
 177                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
 178                         continue;
 179
 180                 nskb = skb_clone(skb, GFP_ATOMIC);
 181                 if (!nskb)
 182                         continue;
 183
 184                 if (sock_queue_rcv_skb(sk, nskb))
 185                         kfree_skb(nskb);
 186         }
 187
 188         read_unlock(&hci_sk_list.lock);
 189 }
 190
 191 /* Send frame to monitor socket */
 192 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
 193 {
 194         struct sock *sk;
 195         struct sk_buff *skb_copy = NULL;
 196         __le16 opcode;
 197
 198         if (!atomic_read(&monitor_promisc))
 199                 return;
 200
 201         BT_DBG("hdev %p len %d", hdev, skb->len);
 202
 203         switch (bt_cb(skb)->pkt_type) {
 204         case HCI_COMMAND_PKT:
 205                 opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
 206                 break;
 207         case HCI_EVENT_PKT:
 208                 opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
 209                 break;
 210         case HCI_ACLDATA_PKT:
 211                 if (bt_cb(skb)->incoming)
 212                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
 213                 else
 214                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
 215                 break;
 216         case HCI_SCODATA_PKT:
 217                 if (bt_cb(skb)->incoming)
 218                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
 219                 else
 220                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
 221                 break;
 222         default:
 223                 return;
 224         }
 225
 226         read_lock(&hci_sk_list.lock);
 227
 228         sk_for_each(sk, &hci_sk_list.head) {
 229                 struct sk_buff *nskb;
 230
 231                 if (sk->sk_state != BT_BOUND)
 232                         continue;
 233
 234                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 235                         continue;
 236
 237                 if (!skb_copy) {
 238                         struct hci_mon_hdr *hdr;
 239
 240                         /* Create a private copy with headroom */
 241                         skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
 242                                                GFP_ATOMIC);
 243                         if (!skb_copy)
 244                                 continue;
 245
 246                         /* Put header before the data */
 247                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
 248                         hdr->opcode = opcode;
 249                         hdr->index = cpu_to_le16(hdev->id);
 250                         hdr->len = cpu_to_le16(skb->len);
 251                 }
 252
 253                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
 254                 if (!nskb)
 255                         continue;
 256
 257                 if (sock_queue_rcv_skb(sk, nskb))
 258                         kfree_skb(nskb);
 259         }
 260
 261         read_unlock(&hci_sk_list.lock);
 262
 263         kfree_skb(skb_copy);
 264 }
 265
 266 static void send_monitor_event(struct sk_buff *skb)
 267 {
 268         struct sock *sk;
 269
 270         BT_DBG("len %d", skb->len);
 271
 272         read_lock(&hci_sk_list.lock);
 273
 274         sk_for_each(sk, &hci_sk_list.head) {
 275                 struct sk_buff *nskb;
 276
 277                 if (sk->sk_state != BT_BOUND)
 278                         continue;
 279
 280                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
 281                         continue;
 282
 283                 nskb = skb_clone(skb, GFP_ATOMIC);
 284                 if (!nskb)
 285                         continue;
 286
 287                 if (sock_queue_rcv_skb(sk, nskb))
 288                         kfree_skb(nskb);
 289         }
 290
 291         read_unlock(&hci_sk_list.lock);
 292 }
 293
 294 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
 295 {
 296         struct hci_mon_hdr *hdr;
 297         struct hci_mon_new_index *ni;
 298         struct sk_buff *skb;
 299         __le16 opcode;
 300
 301         switch (event) {
 302         case HCI_DEV_REG:
 303                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
 304                 if (!skb)
 305                         return NULL;
 306
 307                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
 308                 ni->type = hdev->dev_type;
 309                 ni->bus = hdev->bus;
 310                 bacpy(&ni->bdaddr, &hdev->bdaddr);
 311                 memcpy(ni->name, hdev->name, 8);
 312
 313                 opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
 314                 break;
 315
 316         case HCI_DEV_UNREG:
 317                 skb = bt_skb_alloc(0, GFP_ATOMIC);
 318                 if (!skb)
 319                         return NULL;
 320
 321                 opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
 322                 break;
 323
 324         default:
 325                 return NULL;
 326         }
 327
 328         __net_timestamp(skb);
 329
 330         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
 331         hdr->opcode = opcode;
 332         hdr->index = cpu_to_le16(hdev->id);
 333         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
 334
 335         return skb;
 336 }
 337
 338 static void send_monitor_replay(struct sock *sk)
 339 {
 340         struct hci_dev *hdev;
 341
 342         read_lock(&hci_dev_list_lock);
 343
 344         list_for_each_entry(hdev, &hci_dev_list, list) {
 345                 struct sk_buff *skb;
 346
 347                 skb = create_monitor_event(hdev, HCI_DEV_REG);
 348                 if (!skb)
 349                         continue;
 350
 351                 if (sock_queue_rcv_skb(sk, skb))
 352                         kfree_skb(skb);
 353         }
 354
 355         read_unlock(&hci_dev_list_lock);
 356 }
 357
 358 /* Generate internal stack event */
 359 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
 360 {
 361         struct hci_event_hdr *hdr;
 362         struct hci_ev_stack_internal *ev;
 363         struct sk_buff *skb;
 364
 365         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
 366         if (!skb)
 367                 return;
 368
 369         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
 370         hdr->evt  = HCI_EV_STACK_INTERNAL;
 371         hdr->plen = sizeof(*ev) + dlen;
 372
 373         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
 374         ev->type = type;
 375         memcpy(ev->data, data, dlen);
 376
 377         bt_cb(skb)->incoming = 1;
 378         __net_timestamp(skb);
 379
 380         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 381         skb->dev = (void *) hdev;
 382         hci_send_to_sock(hdev, skb);
 383         kfree_skb(skb);
 384 }
 385
 386 void hci_sock_dev_event(struct hci_dev *hdev, int event)
 387 {
 388         struct hci_ev_si_device ev;
 389
 390         BT_DBG("hdev %s event %d", hdev->name, event);
 391
 392         /* Send event to monitor */
 393         if (atomic_read(&monitor_promisc)) {
 394                 struct sk_buff *skb;
 395
 396                 skb = create_monitor_event(hdev, event);
 397                 if (skb) {
 398                         send_monitor_event(skb);
 399                         kfree_skb(skb);
 400                 }
 401         }
 402
 403         /* Send event to sockets */
 404         ev.event  = event;
 405         ev.dev_id = hdev->id;
 406         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
 407
 408         if (event == HCI_DEV_UNREG) {
 409                 struct sock *sk;
 410
 411                 /* Detach sockets from device */
 412                 read_lock(&hci_sk_list.lock);
 413                 sk_for_each(sk, &hci_sk_list.head) {
 414                         bh_lock_sock_nested(sk);
 415                         if (hci_pi(sk)->hdev == hdev) {
 416                                 hci_pi(sk)->hdev = NULL;
 417                                 sk->sk_err = EPIPE;
 418                                 sk->sk_state = BT_OPEN;
 419                                 sk->sk_state_change(sk);
 420
 421                                 hci_dev_put(hdev);
 422                         }
 423                         bh_unlock_sock(sk);
 424                 }
 425                 read_unlock(&hci_sk_list.lock);
 426         }
 427 }
 428
 429 static int hci_sock_release(struct socket *sock)
 430 {
 431         struct sock *sk = sock->sk;
 432         struct hci_dev *hdev;
 433
 434         BT_DBG("sock %p sk %p", sock, sk);
 435
 436         if (!sk)
 437                 return 0;
 438
 439         hdev = hci_pi(sk)->hdev;
 440
 441         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
 442                 atomic_dec(&monitor_promisc);
 443
 444         bt_sock_unlink(&hci_sk_list, sk);
 445
 446         if (hdev) {
 447                 atomic_dec(&hdev->promisc);
 448                 hci_dev_put(hdev);
 449         }
 450
 451         sock_orphan(sk);
 452
 453         skb_queue_purge(&sk->sk_receive_queue);
 454         skb_queue_purge(&sk->sk_write_queue);
 455
 456         sock_put(sk);
 457         return 0;
 458 }
 459
 460 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
 461 {
 462         bdaddr_t bdaddr;
 463         int err;
 464
 465         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 466                 return -EFAULT;
 467
 468         hci_dev_lock(hdev);
 469
 470         err = hci_blacklist_add(hdev, &bdaddr, 0);
 471
 472         hci_dev_unlock(hdev);
 473
 474         return err;
 475 }
 476
 477 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 478 {
 479         bdaddr_t bdaddr;
 480         int err;
 481
 482         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
 483                 return -EFAULT;
 484
 485         hci_dev_lock(hdev);
 486
 487         err = hci_blacklist_del(hdev, &bdaddr, 0);
 488
 489         hci_dev_unlock(hdev);
 490
 491         return err;
 492 }
 493
 494 /* Ioctls that require bound socket */
 495 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 496                                 unsigned long arg)
 497 {
 498         struct hci_dev *hdev = hci_pi(sk)->hdev;
 499
 500         if (!hdev)
 501                 return -EBADFD;
 502
 503         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
 504                 return -EBUSY;
 505
 506         switch (cmd) {
 507         case HCISETRAW:
 508                 if (!capable(CAP_NET_ADMIN))
 509                         return -EPERM;
 510
 511                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 512                         return -EPERM;
 513
 514                 if (arg)
 515                         set_bit(HCI_RAW, &hdev->flags);
 516                 else
 517                         clear_bit(HCI_RAW, &hdev->flags);
 518
 519                 return 0;
 520
 521         case HCIGETCONNINFO:
 522                 return hci_get_conn_info(hdev, (void __user *) arg);
 523
 524         case HCIGETAUTHINFO:
 525                 return hci_get_auth_info(hdev, (void __user *) arg);
 526
 527         case HCIBLOCKADDR:
 528                 if (!capable(CAP_NET_ADMIN))
 529                         return -EPERM;
 530                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
 531
 532         case HCIUNBLOCKADDR:
 533                 if (!capable(CAP_NET_ADMIN))
 534                         return -EPERM;
 535                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
 536         }
 537
 538         if (hdev->ioctl)
 539                 return hdev->ioctl(hdev, cmd, arg);
 540
 541         return -EINVAL;
 542 }
 543
 544 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
 545                           unsigned long arg)
 546 {
 547         void __user *argp = (void __user *) arg;
 548         struct sock *sk = sock->sk;
 549         int err;
 550
 551         BT_DBG("cmd %x arg %lx", cmd, arg);
 552
 553         lock_sock(sk);
 554
 555         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 556                 err = -EBADFD;
 557                 goto done;
 558         }
 559
 560         release_sock(sk);
 561
 562         switch (cmd) {
 563         case HCIGETDEVLIST:
 564                 return hci_get_dev_list(argp);
 565
 566         case HCIGETDEVINFO:
 567                 return hci_get_dev_info(argp);
 568
 569         case HCIGETCONNLIST:
 570                 return hci_get_conn_list(argp);
 571
 572         case HCIDEVUP:
 573                 if (!capable(CAP_NET_ADMIN))
 574                         return -EPERM;
 575                 return hci_dev_open(arg);
 576
 577         case HCIDEVDOWN:
 578                 if (!capable(CAP_NET_ADMIN))
 579                         return -EPERM;
 580                 return hci_dev_close(arg);
 581
 582         case HCIDEVRESET:
 583                 if (!capable(CAP_NET_ADMIN))
 584                         return -EPERM;
 585                 return hci_dev_reset(arg);
 586
 587         case HCIDEVRESTAT:
 588                 if (!capable(CAP_NET_ADMIN))
 589                         return -EPERM;
 590                 return hci_dev_reset_stat(arg);
 591
 592         case HCISETSCAN:
 593         case HCISETAUTH:
 594         case HCISETENCRYPT:
 595         case HCISETPTYPE:
 596         case HCISETLINKPOL:
 597         case HCISETLINKMODE:
 598         case HCISETACLMTU:
 599         case HCISETSCOMTU:
 600                 if (!capable(CAP_NET_ADMIN))
 601                         return -EPERM;
 602                 return hci_dev_cmd(cmd, argp);
 603
 604         case HCIINQUIRY:
 605                 return hci_inquiry(argp);
 606         }
 607
 608         lock_sock(sk);
 609
 610         err = hci_sock_bound_ioctl(sk, cmd, arg);
 611
 612 done:
 613         release_sock(sk);
 614         return err;
 615 }
 616
 617 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 618                          int addr_len)
 619 {
 620         struct sockaddr_hci haddr;
 621         struct sock *sk = sock->sk;
 622         struct hci_dev *hdev = NULL;
 623         int len, err = 0;
 624
 625         BT_DBG("sock %p sk %p", sock, sk);
 626
 627         if (!addr)
 628                 return -EINVAL;
 629
 630         memset(&haddr, 0, sizeof(haddr));
 631         len = min_t(unsigned int, sizeof(haddr), addr_len);
 632         memcpy(&haddr, addr, len);
 633
 634         if (haddr.hci_family != AF_BLUETOOTH)
 635                 return -EINVAL;
 636
 637         lock_sock(sk);
 638
 639         if (sk->sk_state == BT_BOUND) {
 640                 err = -EALREADY;
 641                 goto done;
 642         }
 643
 644         switch (haddr.hci_channel) {
 645         case HCI_CHANNEL_RAW:
 646                 if (hci_pi(sk)->hdev) {
 647                         err = -EALREADY;
 648                         goto done;
 649                 }
 650
 651                 if (haddr.hci_dev != HCI_DEV_NONE) {
 652                         hdev = hci_dev_get(haddr.hci_dev);
 653                         if (!hdev) {
 654                                 err = -ENODEV;
 655                                 goto done;
 656                         }
 657
 658                         atomic_inc(&hdev->promisc);
 659                 }
 660
 661                 hci_pi(sk)->hdev = hdev;
 662                 break;
 663
 664         case HCI_CHANNEL_CONTROL:
 665                 if (haddr.hci_dev != HCI_DEV_NONE) {
 666                         err = -EINVAL;
 667                         goto done;
 668                 }
 669
 670                 if (!capable(CAP_NET_ADMIN)) {
 671                         err = -EPERM;
 672                         goto done;
 673                 }
 674
 675                 break;
 676
 677         case HCI_CHANNEL_MONITOR:
 678                 if (haddr.hci_dev != HCI_DEV_NONE) {
 679                         err = -EINVAL;
 680                         goto done;
 681                 }
 682
 683                 if (!capable(CAP_NET_RAW)) {
 684                         err = -EPERM;
 685                         goto done;
 686                 }
 687
 688                 send_monitor_replay(sk);
 689
 690                 atomic_inc(&monitor_promisc);
 691                 break;
 692
 693         default:
 694                 err = -EINVAL;
 695                 goto done;
 696         }
 697
 698
 699         hci_pi(sk)->channel = haddr.hci_channel;
 700         sk->sk_state = BT_BOUND;
 701
 702 done:
 703         release_sock(sk);
 704         return err;
 705 }
 706
 707 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 708                             int *addr_len, int peer)
 709 {
 710         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
 711         struct sock *sk = sock->sk;
 712         struct hci_dev *hdev;
 713         int err = 0;
 714
 715         BT_DBG("sock %p sk %p", sock, sk);
 716
 717         if (peer)
 718                 return -EOPNOTSUPP;
 719
 720         lock_sock(sk);
 721
 722         hdev = hci_pi(sk)->hdev;
 723         if (!hdev) {
 724                 err = -EBADFD;
 725                 goto done;
 726         }
 727
 728         *addr_len = sizeof(*haddr);
 729         haddr->hci_family = AF_BLUETOOTH;
 730         haddr->hci_dev    = hdev->id;
 731         haddr->hci_channel= hci_pi(sk)->channel;
 732
 733 done:
 734         release_sock(sk);
 735         return err;
 736 }
 737
 738 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
 739                           struct sk_buff *skb)
 740 {
 741         __u32 mask = hci_pi(sk)->cmsg_mask;
 742
 743         if (mask & HCI_CMSG_DIR) {
 744                 int incoming = bt_cb(skb)->incoming;
 745                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
 746                          &incoming);
 747         }
 748
 749         if (mask & HCI_CMSG_TSTAMP) {
 750 #ifdef CONFIG_COMPAT
 751                 struct compat_timeval ctv;
 752 #endif
 753                 struct timeval tv;
 754                 void *data;
 755                 int len;
 756
 757                 skb_get_timestamp(skb, &tv);
 758
 759                 data = &tv;
 760                 len = sizeof(tv);
 761 #ifdef CONFIG_COMPAT
 762                 if (!COMPAT_USE_64BIT_TIME &&
 763                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
 764                         ctv.tv_sec = tv.tv_sec;
 765                         ctv.tv_usec = tv.tv_usec;
 766                         data = &ctv;
 767                         len = sizeof(ctv);
 768                 }
 769 #endif
 770
 771                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
 772         }
 773 }
 774
 775 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 776                             struct msghdr *msg, size_t len, int flags)
 777 {
 778         int noblock = flags & MSG_DONTWAIT;
 779         struct sock *sk = sock->sk;
 780         struct sk_buff *skb;
 781         int copied, err;
 782
 783         BT_DBG("sock %p, sk %p", sock, sk);
 784
 785         if (flags & (MSG_OOB))
 786                 return -EOPNOTSUPP;
 787
 788         if (sk->sk_state == BT_CLOSED)
 789                 return 0;
 790
 791         skb = skb_recv_datagram(sk, flags, noblock, &err);
 792         if (!skb)
 793                 return err;
 794
 795         msg->msg_namelen = 0;
 796
 797         copied = skb->len;
 798         if (len < copied) {
 799                 msg->msg_flags |= MSG_TRUNC;
 800                 copied = len;
 801         }
 802
 803         skb_reset_transport_header(skb);
 804         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 805
 806         switch (hci_pi(sk)->channel) {
 807         case HCI_CHANNEL_RAW:
 808                 hci_sock_cmsg(sk, msg, skb);
 809                 break;
 810         case HCI_CHANNEL_CONTROL:
 811         case HCI_CHANNEL_MONITOR:
 812                 sock_recv_timestamp(msg, sk, skb);
 813                 break;
 814         }
 815
 816         skb_free_datagram(sk, skb);
 817
 818         return err ? : copied;
 819 }
 820
 821 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 822                             struct msghdr *msg, size_t len)
 823 {
 824         struct sock *sk = sock->sk;
 825         struct hci_dev *hdev;
 826         struct sk_buff *skb;
 827         int err;
 828
 829         BT_DBG("sock %p sk %p", sock, sk);
 830
 831         if (msg->msg_flags & MSG_OOB)
 832                 return -EOPNOTSUPP;
 833
 834         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
 835                 return -EINVAL;
 836
 837         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 838                 return -EINVAL;
 839
 840         lock_sock(sk);
 841
 842         switch (hci_pi(sk)->channel) {
 843         case HCI_CHANNEL_RAW:
 844                 break;
 845         case HCI_CHANNEL_CONTROL:
 846                 err = mgmt_control(sk, msg, len);
 847                 goto done;
 848         case HCI_CHANNEL_MONITOR:
 849                 err = -EOPNOTSUPP;
 850                 goto done;
 851         default:
 852                 err = -EINVAL;
 853                 goto done;
 854         }
 855
 856         hdev = hci_pi(sk)->hdev;
 857         if (!hdev) {
 858                 err = -EBADFD;
 859                 goto done;
 860         }
 861
 862         if (!test_bit(HCI_UP, &hdev->flags)) {
 863                 err = -ENETDOWN;
 864                 goto done;
 865         }
 866
 867         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
 868         if (!skb)
 869                 goto done;
 870
 871         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
 872                 err = -EFAULT;
 873                 goto drop;
 874         }
 875
 876         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
 877         skb_pull(skb, 1);
 878         skb->dev = (void *) hdev;
 879
 880         if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
 881                 u16 opcode = get_unaligned_le16(skb->data);
 882                 u16 ogf = hci_opcode_ogf(opcode);
 883                 u16 ocf = hci_opcode_ocf(opcode);
 884
 885                 if (((ogf > HCI_SFLT_MAX_OGF) ||
 886                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
 887                                    &hci_sec_filter.ocf_mask[ogf])) &&
 888                     !capable(CAP_NET_RAW)) {
 889                         err = -EPERM;
 890                         goto drop;
 891                 }
 892
 893                 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
 894                         skb_queue_tail(&hdev->raw_q, skb);
 895                         queue_work(hdev->workqueue, &hdev->tx_work);
 896                 } else {
 897                         /* Stand-alone HCI commands must be flaged as
 898                          * single-command requests.
 899                          */
 900                         bt_cb(skb)->req.start = true;
 901
 902                         skb_queue_tail(&hdev->cmd_q, skb);
 903                         queue_work(hdev->workqueue, &hdev->cmd_work);
 904                 }
 905         } else {
 906                 if (!capable(CAP_NET_RAW)) {
 907                         err = -EPERM;
 908                         goto drop;
 909                 }
 910
 911                 skb_queue_tail(&hdev->raw_q, skb);
 912                 queue_work(hdev->workqueue, &hdev->tx_work);
 913         }
 914
 915         err = len;
 916
 917 done:
 918         release_sock(sk);
 919         return err;
 920
 921 drop:
 922         kfree_skb(skb);
 923         goto done;
 924 }
 925
 926 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
 927                                char __user *optval, unsigned int len)
 928 {
 929         struct hci_ufilter uf = { .opcode = 0 };
 930         struct sock *sk = sock->sk;
 931         int err = 0, opt = 0;
 932
 933         BT_DBG("sk %p, opt %d", sk, optname);
 934
 935         lock_sock(sk);
 936
 937         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
 938                 err = -EBADFD;
 939                 goto done;
 940         }
 941
 942         switch (optname) {
 943         case HCI_DATA_DIR:
 944                 if (get_user(opt, (int __user *)optval)) {
 945                         err = -EFAULT;
 946                         break;
 947                 }
 948
 949                 if (opt)
 950                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
 951                 else
 952                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
 953                 break;
 954
 955         case HCI_TIME_STAMP:
 956                 if (get_user(opt, (int __user *)optval)) {
 957                         err = -EFAULT;
 958                         break;
 959                 }
 960
 961                 if (opt)
 962                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
 963                 else
 964                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
 965                 break;
 966
 967         case HCI_FILTER:
 968                 {
 969                         struct hci_filter *f = &hci_pi(sk)->filter;
 970
 971                         uf.type_mask = f->type_mask;
 972                         uf.opcode    = f->opcode;
 973                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
 974                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
 975                 }
 976
 977                 len = min_t(unsigned int, len, sizeof(uf));
 978                 if (copy_from_user(&uf, optval, len)) {
 979                         err = -EFAULT;
 980                         break;
 981                 }
 982
 983                 if (!capable(CAP_NET_RAW)) {
 984                         uf.type_mask &= hci_sec_filter.type_mask;
 985                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
 986                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
 987                 }
 988
 989                 {
 990                         struct hci_filter *f = &hci_pi(sk)->filter;
 991
 992                         f->type_mask = uf.type_mask;
 993                         f->opcode    = uf.opcode;
 994                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
 995                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
 996                 }
 997                 break;
 998
 999         default:
1000                 err = -ENOPROTOOPT;
1001                 break;
1002         }
1003
1004 done:
1005         release_sock(sk);
1006         return err;
1007 }
1008
1009 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1010                                char __user *optval, int __user *optlen)
1011 {
1012         struct hci_ufilter uf;
1013         struct sock *sk = sock->sk;
1014         int len, opt, err = 0;
1015
1016         BT_DBG("sk %p, opt %d", sk, optname);
1017
1018         if (get_user(len, optlen))
1019                 return -EFAULT;
1020
1021         lock_sock(sk);
1022
1023         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1024                 err = -EBADFD;
1025                 goto done;
1026         }
1027
1028         switch (optname) {
1029         case HCI_DATA_DIR:
1030                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
1031                         opt = 1;
1032                 else
1033                         opt = 0;
1034
1035                 if (put_user(opt, optval))
1036                         err = -EFAULT;
1037                 break;
1038
1039         case HCI_TIME_STAMP:
1040                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1041                         opt = 1;
1042                 else
1043                         opt = 0;
1044
1045                 if (put_user(opt, optval))
1046                         err = -EFAULT;
1047                 break;
1048
1049         case HCI_FILTER:
1050                 {
1051                         struct hci_filter *f = &hci_pi(sk)->filter;
1052
1053                         memset(&uf, 0, sizeof(uf));
1054                         uf.type_mask = f->type_mask;
1055                         uf.opcode    = f->opcode;
1056                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1057                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1058                 }
1059
1060                 len = min_t(unsigned int, len, sizeof(uf));
1061                 if (copy_to_user(optval, &uf, len))
1062                         err = -EFAULT;
1063                 break;
1064
1065         default:
1066                 err = -ENOPROTOOPT;
1067                 break;
1068         }
1069
1070 done:
1071         release_sock(sk);
1072         return err;
1073 }
1074
1075 static const struct proto_ops hci_sock_ops = {
1076         .family         = PF_BLUETOOTH,
1077         .owner          = THIS_MODULE,
1078         .release        = hci_sock_release,
1079         .bind           = hci_sock_bind,
1080         .getname        = hci_sock_getname,
1081         .sendmsg        = hci_sock_sendmsg,
1082         .recvmsg        = hci_sock_recvmsg,
1083         .ioctl          = hci_sock_ioctl,
1084         .poll           = datagram_poll,
1085         .listen         = sock_no_listen,
1086         .shutdown       = sock_no_shutdown,
1087         .setsockopt     = hci_sock_setsockopt,
1088         .getsockopt     = hci_sock_getsockopt,
1089         .connect        = sock_no_connect,
1090         .socketpair     = sock_no_socketpair,
1091         .accept         = sock_no_accept,
1092         .mmap           = sock_no_mmap
1093 };
1094
1095 static struct proto hci_sk_proto = {
1096         .name           = "HCI",
1097         .owner          = THIS_MODULE,
1098         .obj_size       = sizeof(struct hci_pinfo)
1099 };
1100
1101 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1102                            int kern)
1103 {
1104         struct sock *sk;
1105
1106         BT_DBG("sock %p", sock);
1107
1108         if (sock->type != SOCK_RAW)
1109                 return -ESOCKTNOSUPPORT;
1110
1111         sock->ops = &hci_sock_ops;
1112
1113         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1114         if (!sk)
1115                 return -ENOMEM;
1116
1117         sock_init_data(sock, sk);
1118
1119         sock_reset_flag(sk, SOCK_ZAPPED);
1120
1121         sk->sk_protocol = protocol;
1122
1123         sock->state = SS_UNCONNECTED;
1124         sk->sk_state = BT_OPEN;
1125
1126         bt_sock_link(&hci_sk_list, sk);
1127         return 0;
1128 }
1129
1130 static const struct net_proto_family hci_sock_family_ops = {
1131         .family = PF_BLUETOOTH,
1132         .owner  = THIS_MODULE,
1133         .create = hci_sock_create,
1134 };
1135
1136 int __init hci_sock_init(void)
1137 {
1138         int err;
1139
1140         err = proto_register(&hci_sk_proto, 0);
1141         if (err < 0)
1142                 return err;
1143
1144         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1145         if (err < 0) {
1146                 BT_ERR("HCI socket registration failed");
1147                 goto error;
1148         }
1149
1150         err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
1151         if (err < 0) {
1152                 BT_ERR("Failed to create HCI proc file");
1153                 bt_sock_unregister(BTPROTO_HCI);
1154                 goto error;
1155         }
1156
1157         BT_INFO("HCI socket layer initialized");
1158
1159         return 0;
1160
1161 error:
1162         proto_unregister(&hci_sk_proto);
1163         return err;
1164 }
1165
1166 void hci_sock_cleanup(void)
1167 {
1168         bt_procfs_cleanup(&init_net, "hci");
1169         bt_sock_unregister(BTPROTO_HCI);
1170         proto_unregister(&hci_sk_proto);
1171 }