1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2000-2001 Qualcomm Incorporated
4

5
   Written 2000,2001 by Maxim Krasnyansky <[email protected]>
6

7
   This program is free software; you can redistribute it and/or modify
8
   it under the terms of the GNU General Public License version 2 as
9
   published by the Free Software Foundation;
10

11
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19

20
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22
   SOFTWARE IS DISCLAIMED.
23
*/
24

25
/* Bluetooth HCI sockets. */
26
#include <linux/compat.h>
27
#include <linux/export.h>
28
#include <linux/utsname.h>
29
#include <linux/sched.h>
30
#include <linux/unaligned.h>
31

32
#include <net/bluetooth/bluetooth.h>
33
#include <net/bluetooth/hci_core.h>
34
#include <net/bluetooth/hci_mon.h>
35
#include <net/bluetooth/mgmt.h>
36

37
#include "mgmt_util.h"
38

39
static LIST_HEAD(mgmt_chan_list);
40
static DEFINE_MUTEX(mgmt_chan_list_lock);
41

42
static DEFINE_IDA(sock_cookie_ida);
43

44
static atomic_t monitor_promisc = ATOMIC_INIT(0);
45

46
/* ----- HCI socket interface ----- */
47

48
/* Socket info */
49
#define hci_pi(sk) ((struct hci_pinfo *) sk)
50

51
struct hci_pinfo {
52
	struct bt_sock    bt;
53
	struct hci_dev    *hdev;
54
	struct hci_filter filter;
55
	__u8              cmsg_mask;
56
	unsigned short    channel;
57
	unsigned long     flags;
58
	__u32             cookie;
59
	char              comm[TASK_COMM_LEN];
60
	__u16             mtu;
61
};
62

63
static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
64
{
65
	struct hci_dev *hdev = hci_pi(sk)->hdev;
66

67
	if (!hdev)
68
		return ERR_PTR(-EBADFD);
69
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
70
		return ERR_PTR(-EPIPE);
71
	return hdev;
72
}
73

74
void hci_sock_set_flag(struct sock *sk, int nr)
75
{
76
	set_bit(nr, &hci_pi(sk)->flags);
77
}
78

79
void hci_sock_clear_flag(struct sock *sk, int nr)
80
{
81
	clear_bit(nr, &hci_pi(sk)->flags);
82
}
83

84
int hci_sock_test_flag(struct sock *sk, int nr)
85
{
86
	return test_bit(nr, &hci_pi(sk)->flags);
87
}
88

89
unsigned short hci_sock_get_channel(struct sock *sk)
90
{
91
	return hci_pi(sk)->channel;
92
}
93

94
u32 hci_sock_get_cookie(struct sock *sk)
95
{
96
	return hci_pi(sk)->cookie;
97
}
98

99
static bool hci_sock_gen_cookie(struct sock *sk)
100
{
101
	int id = hci_pi(sk)->cookie;
102

103
	if (!id) {
104
		id = ida_alloc_min(&sock_cookie_ida, 1, GFP_KERNEL);
105
		if (id < 0)
106
			id = 0xffffffff;
107

108
		hci_pi(sk)->cookie = id;
109
		get_task_comm(hci_pi(sk)->comm, current);
110
		return true;
111
	}
112

113
	return false;
114
}
115

116
static void hci_sock_free_cookie(struct sock *sk)
117
{
118
	int id = hci_pi(sk)->cookie;
119

120
	if (id) {
121
		hci_pi(sk)->cookie = 0;
122
		ida_free(&sock_cookie_ida, id);
123
	}
124
}
125

126
static inline int hci_test_bit(int nr, const void *addr)
127
{
128
	return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
129
}
130

131
/* Security filter */
132
#define HCI_SFLT_MAX_OGF  5
133

134
struct hci_sec_filter {
135
	__u32 type_mask;
136
	__u32 event_mask[2];
137
	__u32 ocf_mask[HCI_SFLT_MAX_OGF + 1][4];
138
};
139

140
static const struct hci_sec_filter hci_sec_filter = {
141
	/* Packet types */
142
	0x10,
143
	/* Events */
144
	{ 0x1000d9fe, 0x0000b00c },
145
	/* Commands */
146
	{
147
		{ 0x0 },
148
		/* OGF_LINK_CTL */
149
		{ 0xbe000006, 0x00000001, 0x00000000, 0x00 },
150
		/* OGF_LINK_POLICY */
151
		{ 0x00005200, 0x00000000, 0x00000000, 0x00 },
152
		/* OGF_HOST_CTL */
153
		{ 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
154
		/* OGF_INFO_PARAM */
155
		{ 0x000002be, 0x00000000, 0x00000000, 0x00 },
156
		/* OGF_STATUS_PARAM */
157
		{ 0x000000ea, 0x00000000, 0x00000000, 0x00 }
158
	}
159
};
160

161
static struct bt_sock_list hci_sk_list = {
162
	.lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
163
};
164

165
static bool is_filtered_packet(struct sock *sk, struct sk_buff *skb)
166
{
167
	struct hci_filter *flt;
168
	int flt_type, flt_event;
169

170
	/* Apply filter */
171
	flt = &hci_pi(sk)->filter;
172

173
	flt_type = hci_skb_pkt_type(skb) & HCI_FLT_TYPE_BITS;
174

175
	if (!test_bit(flt_type, &flt->type_mask))
176
		return true;
177

178
	/* Extra filter for event packets only */
179
	if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT)
180
		return false;
181

182
	flt_event = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
183

184
	if (!hci_test_bit(flt_event, &flt->event_mask))
185
		return true;
186

187
	/* Check filter only when opcode is set */
188
	if (!flt->opcode)
189
		return false;
190

191
	if (flt_event == HCI_EV_CMD_COMPLETE &&
192
	    flt->opcode != get_unaligned((__le16 *)(skb->data + 3)))
193
		return true;
194

195
	if (flt_event == HCI_EV_CMD_STATUS &&
196
	    flt->opcode != get_unaligned((__le16 *)(skb->data + 4)))
197
		return true;
198

199
	return false;
200
}
201

202
/* Send frame to RAW socket */
203
void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
204
{
205
	struct sock *sk;
206
	struct sk_buff *skb_copy = NULL;
207

208
	BT_DBG("hdev %p len %d", hdev, skb->len);
209

210
	read_lock(&hci_sk_list.lock);
211

212
	sk_for_each(sk, &hci_sk_list.head) {
213
		struct sk_buff *nskb;
214

215
		if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
216
			continue;
217

218
		/* Don't send frame to the socket it came from */
219
		if (skb->sk == sk)
220
			continue;
221

222
		if (hci_pi(sk)->channel == HCI_CHANNEL_RAW) {
223
			if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
224
			    hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
225
			    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
226
			    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
227
			    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT)
228
				continue;
229
			if (is_filtered_packet(sk, skb))
230
				continue;
231
		} else if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
232
			if (!bt_cb(skb)->incoming)
233
				continue;
234
			if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
235
			    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
236
			    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
237
			    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT &&
238
			    hci_skb_pkt_type(skb) != HCI_DRV_PKT)
239
				continue;
240
		} else {
241
			/* Don't send frame to other channel types */
242
			continue;
243
		}
244

245
		if (!skb_copy) {
246
			/* Create a private copy with headroom */
247
			skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
248
			if (!skb_copy)
249
				continue;
250

251
			/* Put type byte before the data */
252
			memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
253
		}
254

255
		nskb = skb_clone(skb_copy, GFP_ATOMIC);
256
		if (!nskb)
257
			continue;
258

259
		if (sock_queue_rcv_skb(sk, nskb))
260
			kfree_skb(nskb);
261
	}
262

263
	read_unlock(&hci_sk_list.lock);
264

265
	kfree_skb(skb_copy);
266
}
267

268
static void hci_sock_copy_creds(struct sock *sk, struct sk_buff *skb)
269
{
270
	struct scm_creds *creds;
271

272
	if (!sk || WARN_ON(!skb))
273
		return;
274

275
	creds = &bt_cb(skb)->creds;
276

277
	/* Check if peer credentials is set */
278
	if (!sk->sk_peer_pid) {
279
		/* Check if parent peer credentials is set */
280
		if (bt_sk(sk)->parent && bt_sk(sk)->parent->sk_peer_pid)
281
			sk = bt_sk(sk)->parent;
282
		else
283
			return;
284
	}
285

286
	/* Check if scm_creds already set */
287
	if (creds->pid == pid_vnr(sk->sk_peer_pid))
288
		return;
289

290
	memset(creds, 0, sizeof(*creds));
291

292
	creds->pid = pid_vnr(sk->sk_peer_pid);
293
	if (sk->sk_peer_cred) {
294
		creds->uid = sk->sk_peer_cred->uid;
295
		creds->gid = sk->sk_peer_cred->gid;
296
	}
297
}
298

299
static struct sk_buff *hci_skb_clone(struct sk_buff *skb)
300
{
301
	struct sk_buff *nskb;
302

303
	if (!skb)
304
		return NULL;
305

306
	nskb = skb_clone(skb, GFP_ATOMIC);
307
	if (!nskb)
308
		return NULL;
309

310
	hci_sock_copy_creds(skb->sk, nskb);
311

312
	return nskb;
313
}
314

315
/* Send frame to sockets with specific channel */
316
static void __hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
317
				  int flag, struct sock *skip_sk)
318
{
319
	struct sock *sk;
320

321
	BT_DBG("channel %u len %d", channel, skb->len);
322

323
	sk_for_each(sk, &hci_sk_list.head) {
324
		struct sk_buff *nskb;
325

326
		/* Ignore socket without the flag set */
327
		if (!hci_sock_test_flag(sk, flag))
328
			continue;
329

330
		/* Skip the original socket */
331
		if (sk == skip_sk)
332
			continue;
333

334
		if (sk->sk_state != BT_BOUND)
335
			continue;
336

337
		if (hci_pi(sk)->channel != channel)
338
			continue;
339

340
		nskb = hci_skb_clone(skb);
341
		if (!nskb)
342
			continue;
343

344
		if (sock_queue_rcv_skb(sk, nskb))
345
			kfree_skb(nskb);
346
	}
347

348
}
349

350
void hci_send_to_channel(unsigned short channel, struct sk_buff *skb,
351
			 int flag, struct sock *skip_sk)
352
{
353
	read_lock(&hci_sk_list.lock);
354
	__hci_send_to_channel(channel, skb, flag, skip_sk);
355
	read_unlock(&hci_sk_list.lock);
356
}
357

358
/* Send frame to monitor socket */
359
void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
360
{
361
	struct sk_buff *skb_copy = NULL;
362
	struct hci_mon_hdr *hdr;
363
	__le16 opcode;
364

365
	if (!atomic_read(&monitor_promisc))
366
		return;
367

368
	BT_DBG("hdev %p len %d", hdev, skb->len);
369

370
	switch (hci_skb_pkt_type(skb)) {
371
	case HCI_COMMAND_PKT:
372
		opcode = cpu_to_le16(HCI_MON_COMMAND_PKT);
373
		break;
374
	case HCI_EVENT_PKT:
375
		opcode = cpu_to_le16(HCI_MON_EVENT_PKT);
376
		break;
377
	case HCI_ACLDATA_PKT:
378
		if (bt_cb(skb)->incoming)
379
			opcode = cpu_to_le16(HCI_MON_ACL_RX_PKT);
380
		else
381
			opcode = cpu_to_le16(HCI_MON_ACL_TX_PKT);
382
		break;
383
	case HCI_SCODATA_PKT:
384
		if (bt_cb(skb)->incoming)
385
			opcode = cpu_to_le16(HCI_MON_SCO_RX_PKT);
386
		else
387
			opcode = cpu_to_le16(HCI_MON_SCO_TX_PKT);
388
		break;
389
	case HCI_ISODATA_PKT:
390
		if (bt_cb(skb)->incoming)
391
			opcode = cpu_to_le16(HCI_MON_ISO_RX_PKT);
392
		else
393
			opcode = cpu_to_le16(HCI_MON_ISO_TX_PKT);
394
		break;
395
	case HCI_DRV_PKT:
396
		if (bt_cb(skb)->incoming)
397
			opcode = cpu_to_le16(HCI_MON_DRV_RX_PKT);
398
		else
399
			opcode = cpu_to_le16(HCI_MON_DRV_TX_PKT);
400
		break;
401
	case HCI_DIAG_PKT:
402
		opcode = cpu_to_le16(HCI_MON_VENDOR_DIAG);
403
		break;
404
	default:
405
		return;
406
	}
407

408
	/* Create a private copy with headroom */
409
	skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE, GFP_ATOMIC, true);
410
	if (!skb_copy)
411
		return;
412

413
	hci_sock_copy_creds(skb->sk, skb_copy);
414

415
	/* Put header before the data */
416
	hdr = skb_push(skb_copy, HCI_MON_HDR_SIZE);
417
	hdr->opcode = opcode;
418
	hdr->index = cpu_to_le16(hdev->id);
419
	hdr->len = cpu_to_le16(skb->len);
420

421
	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb_copy,
422
			    HCI_SOCK_TRUSTED, NULL);
423
	kfree_skb(skb_copy);
424
}
425

426
void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event,
427
				 void *data, u16 data_len, ktime_t tstamp,
428
				 int flag, struct sock *skip_sk)
429
{
430
	struct sock *sk;
431
	__le16 index;
432

433
	if (hdev)
434
		index = cpu_to_le16(hdev->id);
435
	else
436
		index = cpu_to_le16(MGMT_INDEX_NONE);
437

438
	read_lock(&hci_sk_list.lock);
439

440
	sk_for_each(sk, &hci_sk_list.head) {
441
		struct hci_mon_hdr *hdr;
442
		struct sk_buff *skb;
443

444
		if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
445
			continue;
446

447
		/* Ignore socket without the flag set */
448
		if (!hci_sock_test_flag(sk, flag))
449
			continue;
450

451
		/* Skip the original socket */
452
		if (sk == skip_sk)
453
			continue;
454

455
		skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC);
456
		if (!skb)
457
			continue;
458

459
		put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
460
		put_unaligned_le16(event, skb_put(skb, 2));
461

462
		if (data)
463
			skb_put_data(skb, data, data_len);
464

465
		skb->tstamp = tstamp;
466

467
		hdr = skb_push(skb, HCI_MON_HDR_SIZE);
468
		hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT);
469
		hdr->index = index;
470
		hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
471

472
		__hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
473
				      HCI_SOCK_TRUSTED, NULL);
474
		kfree_skb(skb);
475
	}
476

477
	read_unlock(&hci_sk_list.lock);
478
}
479

480
static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
481
{
482
	struct hci_mon_hdr *hdr;
483
	struct hci_mon_new_index *ni;
484
	struct hci_mon_index_info *ii;
485
	struct sk_buff *skb;
486
	__le16 opcode;
487

488
	switch (event) {
489
	case HCI_DEV_REG:
490
		skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
491
		if (!skb)
492
			return NULL;
493

494
		ni = skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
495
		ni->type = 0x00; /* Old hdev->dev_type */
496
		ni->bus = hdev->bus;
497
		bacpy(&ni->bdaddr, &hdev->bdaddr);
498
		memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name,
499
			       strnlen(hdev->name, sizeof(ni->name)), '\0');
500

501
		opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
502
		break;
503

504
	case HCI_DEV_UNREG:
505
		skb = bt_skb_alloc(0, GFP_ATOMIC);
506
		if (!skb)
507
			return NULL;
508

509
		opcode = cpu_to_le16(HCI_MON_DEL_INDEX);
510
		break;
511

512
	case HCI_DEV_SETUP:
513
		if (hdev->manufacturer == 0xffff)
514
			return NULL;
515
		fallthrough;
516

517
	case HCI_DEV_UP:
518
		skb = bt_skb_alloc(HCI_MON_INDEX_INFO_SIZE, GFP_ATOMIC);
519
		if (!skb)
520
			return NULL;
521

522
		ii = skb_put(skb, HCI_MON_INDEX_INFO_SIZE);
523
		bacpy(&ii->bdaddr, &hdev->bdaddr);
524
		ii->manufacturer = cpu_to_le16(hdev->manufacturer);
525

526
		opcode = cpu_to_le16(HCI_MON_INDEX_INFO);
527
		break;
528

529
	case HCI_DEV_OPEN:
530
		skb = bt_skb_alloc(0, GFP_ATOMIC);
531
		if (!skb)
532
			return NULL;
533

534
		opcode = cpu_to_le16(HCI_MON_OPEN_INDEX);
535
		break;
536

537
	case HCI_DEV_CLOSE:
538
		skb = bt_skb_alloc(0, GFP_ATOMIC);
539
		if (!skb)
540
			return NULL;
541

542
		opcode = cpu_to_le16(HCI_MON_CLOSE_INDEX);
543
		break;
544

545
	default:
546
		return NULL;
547
	}
548

549
	__net_timestamp(skb);
550

551
	hdr = skb_push(skb, HCI_MON_HDR_SIZE);
552
	hdr->opcode = opcode;
553
	hdr->index = cpu_to_le16(hdev->id);
554
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
555

556
	return skb;
557
}
558

559
static struct sk_buff *create_monitor_ctrl_open(struct sock *sk)
560
{
561
	struct hci_mon_hdr *hdr;
562
	struct sk_buff *skb;
563
	u16 format;
564
	u8 ver[3];
565
	u32 flags;
566

567
	/* No message needed when cookie is not present */
568
	if (!hci_pi(sk)->cookie)
569
		return NULL;
570

571
	switch (hci_pi(sk)->channel) {
572
	case HCI_CHANNEL_RAW:
573
		format = 0x0000;
574
		ver[0] = BT_SUBSYS_VERSION;
575
		put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
576
		break;
577
	case HCI_CHANNEL_USER:
578
		format = 0x0001;
579
		ver[0] = BT_SUBSYS_VERSION;
580
		put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1);
581
		break;
582
	case HCI_CHANNEL_CONTROL:
583
		format = 0x0002;
584
		mgmt_fill_version_info(ver);
585
		break;
586
	default:
587
		/* No message for unsupported format */
588
		return NULL;
589
	}
590

591
	skb = bt_skb_alloc(14 + TASK_COMM_LEN, GFP_ATOMIC);
592
	if (!skb)
593
		return NULL;
594

595
	hci_sock_copy_creds(sk, skb);
596

597
	flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0;
598

599
	put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
600
	put_unaligned_le16(format, skb_put(skb, 2));
601
	skb_put_data(skb, ver, sizeof(ver));
602
	put_unaligned_le32(flags, skb_put(skb, 4));
603
	skb_put_u8(skb, TASK_COMM_LEN);
604
	skb_put_data(skb, hci_pi(sk)->comm, TASK_COMM_LEN);
605

606
	__net_timestamp(skb);
607

608
	hdr = skb_push(skb, HCI_MON_HDR_SIZE);
609
	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN);
610
	if (hci_pi(sk)->hdev)
611
		hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
612
	else
613
		hdr->index = cpu_to_le16(HCI_DEV_NONE);
614
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
615

616
	return skb;
617
}
618

619
static struct sk_buff *create_monitor_ctrl_close(struct sock *sk)
620
{
621
	struct hci_mon_hdr *hdr;
622
	struct sk_buff *skb;
623

624
	/* No message needed when cookie is not present */
625
	if (!hci_pi(sk)->cookie)
626
		return NULL;
627

628
	switch (hci_pi(sk)->channel) {
629
	case HCI_CHANNEL_RAW:
630
	case HCI_CHANNEL_USER:
631
	case HCI_CHANNEL_CONTROL:
632
		break;
633
	default:
634
		/* No message for unsupported format */
635
		return NULL;
636
	}
637

638
	skb = bt_skb_alloc(4, GFP_ATOMIC);
639
	if (!skb)
640
		return NULL;
641

642
	hci_sock_copy_creds(sk, skb);
643

644
	put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
645

646
	__net_timestamp(skb);
647

648
	hdr = skb_push(skb, HCI_MON_HDR_SIZE);
649
	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE);
650
	if (hci_pi(sk)->hdev)
651
		hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id);
652
	else
653
		hdr->index = cpu_to_le16(HCI_DEV_NONE);
654
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
655

656
	return skb;
657
}
658

659
static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index,
660
						   u16 opcode, u16 len,
661
						   const void *buf)
662
{
663
	struct hci_mon_hdr *hdr;
664
	struct sk_buff *skb;
665

666
	skb = bt_skb_alloc(6 + len, GFP_ATOMIC);
667
	if (!skb)
668
		return NULL;
669

670
	hci_sock_copy_creds(sk, skb);
671

672
	put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4));
673
	put_unaligned_le16(opcode, skb_put(skb, 2));
674

675
	if (buf)
676
		skb_put_data(skb, buf, len);
677

678
	__net_timestamp(skb);
679

680
	hdr = skb_push(skb, HCI_MON_HDR_SIZE);
681
	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND);
682
	hdr->index = cpu_to_le16(index);
683
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
684

685
	return skb;
686
}
687

688
static void __printf(2, 3)
689
send_monitor_note(struct sock *sk, const char *fmt, ...)
690
{
691
	size_t len;
692
	struct hci_mon_hdr *hdr;
693
	struct sk_buff *skb;
694
	va_list args;
695

696
	va_start(args, fmt);
697
	len = vsnprintf(NULL, 0, fmt, args);
698
	va_end(args);
699

700
	skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
701
	if (!skb)
702
		return;
703

704
	hci_sock_copy_creds(sk, skb);
705

706
	va_start(args, fmt);
707
	vsprintf(skb_put(skb, len), fmt, args);
708
	*(u8 *)skb_put(skb, 1) = 0;
709
	va_end(args);
710

711
	__net_timestamp(skb);
712

713
	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE);
714
	hdr->opcode = cpu_to_le16(HCI_MON_SYSTEM_NOTE);
715
	hdr->index = cpu_to_le16(HCI_DEV_NONE);
716
	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
717

718
	if (sock_queue_rcv_skb(sk, skb))
719
		kfree_skb(skb);
720
}
721

722
static void send_monitor_replay(struct sock *sk)
723
{
724
	struct hci_dev *hdev;
725

726
	read_lock(&hci_dev_list_lock);
727

728
	list_for_each_entry(hdev, &hci_dev_list, list) {
729
		struct sk_buff *skb;
730

731
		skb = create_monitor_event(hdev, HCI_DEV_REG);
732
		if (!skb)
733
			continue;
734

735
		if (sock_queue_rcv_skb(sk, skb))
736
			kfree_skb(skb);
737

738
		if (!test_bit(HCI_RUNNING, &hdev->flags))
739
			continue;
740

741
		skb = create_monitor_event(hdev, HCI_DEV_OPEN);
742
		if (!skb)
743
			continue;
744

745
		if (sock_queue_rcv_skb(sk, skb))
746
			kfree_skb(skb);
747

748
		if (test_bit(HCI_UP, &hdev->flags))
749
			skb = create_monitor_event(hdev, HCI_DEV_UP);
750
		else if (hci_dev_test_flag(hdev, HCI_SETUP))
751
			skb = create_monitor_event(hdev, HCI_DEV_SETUP);
752
		else
753
			skb = NULL;
754

755
		if (skb) {
756
			if (sock_queue_rcv_skb(sk, skb))
757
				kfree_skb(skb);
758
		}
759
	}
760

761
	read_unlock(&hci_dev_list_lock);
762
}
763

764
static void send_monitor_control_replay(struct sock *mon_sk)
765
{
766
	struct sock *sk;
767

768
	read_lock(&hci_sk_list.lock);
769

770
	sk_for_each(sk, &hci_sk_list.head) {
771
		struct sk_buff *skb;
772

773
		skb = create_monitor_ctrl_open(sk);
774
		if (!skb)
775
			continue;
776

777
		if (sock_queue_rcv_skb(mon_sk, skb))
778
			kfree_skb(skb);
779
	}
780

781
	read_unlock(&hci_sk_list.lock);
782
}
783

784
/* Generate internal stack event */
785
static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
786
{
787
	struct hci_event_hdr *hdr;
788
	struct hci_ev_stack_internal *ev;
789
	struct sk_buff *skb;
790

791
	skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
792
	if (!skb)
793
		return;
794

795
	hdr = skb_put(skb, HCI_EVENT_HDR_SIZE);
796
	hdr->evt  = HCI_EV_STACK_INTERNAL;
797
	hdr->plen = sizeof(*ev) + dlen;
798

799
	ev = skb_put(skb, sizeof(*ev) + dlen);
800
	ev->type = type;
801
	memcpy(ev->data, data, dlen);
802

803
	bt_cb(skb)->incoming = 1;
804
	__net_timestamp(skb);
805

806
	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
807
	hci_send_to_sock(hdev, skb);
808
	kfree_skb(skb);
809
}
810

811
void hci_sock_dev_event(struct hci_dev *hdev, int event)
812
{
813
	BT_DBG("hdev %s event %d", hdev->name, event);
814

815
	if (atomic_read(&monitor_promisc)) {
816
		struct sk_buff *skb;
817

818
		/* Send event to monitor */
819
		skb = create_monitor_event(hdev, event);
820
		if (skb) {
821
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
822
					    HCI_SOCK_TRUSTED, NULL);
823
			kfree_skb(skb);
824
		}
825
	}
826

827
	if (event <= HCI_DEV_DOWN) {
828
		struct hci_ev_si_device ev;
829

830
		/* Send event to sockets */
831
		ev.event  = event;
832
		ev.dev_id = hdev->id;
833
		hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
834
	}
835

836
	if (event == HCI_DEV_UNREG) {
837
		struct sock *sk;
838

839
		/* Wake up sockets using this dead device */
840
		read_lock(&hci_sk_list.lock);
841
		sk_for_each(sk, &hci_sk_list.head) {
842
			if (hci_pi(sk)->hdev == hdev) {
843
				sk->sk_err = EPIPE;
844
				sk->sk_state_change(sk);
845
			}
846
		}
847
		read_unlock(&hci_sk_list.lock);
848
	}
849
}
850

851
static struct hci_mgmt_chan *__hci_mgmt_chan_find(unsigned short channel)
852
{
853
	struct hci_mgmt_chan *c;
854

855
	list_for_each_entry(c, &mgmt_chan_list, list) {
856
		if (c->channel == channel)
857
			return c;
858
	}
859

860
	return NULL;
861
}
862

863
static struct hci_mgmt_chan *hci_mgmt_chan_find(unsigned short channel)
864
{
865
	struct hci_mgmt_chan *c;
866

867
	mutex_lock(&mgmt_chan_list_lock);
868
	c = __hci_mgmt_chan_find(channel);
869
	mutex_unlock(&mgmt_chan_list_lock);
870

871
	return c;
872
}
873

874
int hci_mgmt_chan_register(struct hci_mgmt_chan *c)
875
{
876
	if (c->channel < HCI_CHANNEL_CONTROL)
877
		return -EINVAL;
878

879
	mutex_lock(&mgmt_chan_list_lock);
880
	if (__hci_mgmt_chan_find(c->channel)) {
881
		mutex_unlock(&mgmt_chan_list_lock);
882
		return -EALREADY;
883
	}
884

885
	list_add_tail(&c->list, &mgmt_chan_list);
886

887
	mutex_unlock(&mgmt_chan_list_lock);
888

889
	return 0;
890
}
891
EXPORT_SYMBOL(hci_mgmt_chan_register);
892

893
void hci_mgmt_chan_unregister(struct hci_mgmt_chan *c)
894
{
895
	mutex_lock(&mgmt_chan_list_lock);
896
	list_del(&c->list);
897
	mutex_unlock(&mgmt_chan_list_lock);
898
}
899
EXPORT_SYMBOL(hci_mgmt_chan_unregister);
900

901
static int hci_sock_release(struct socket *sock)
902
{
903
	struct sock *sk = sock->sk;
904
	struct hci_dev *hdev;
905
	struct sk_buff *skb;
906

907
	BT_DBG("sock %p sk %p", sock, sk);
908

909
	if (!sk)
910
		return 0;
911

912
	lock_sock(sk);
913

914
	switch (hci_pi(sk)->channel) {
915
	case HCI_CHANNEL_MONITOR:
916
		atomic_dec(&monitor_promisc);
917
		break;
918
	case HCI_CHANNEL_RAW:
919
	case HCI_CHANNEL_USER:
920
	case HCI_CHANNEL_CONTROL:
921
		/* Send event to monitor */
922
		skb = create_monitor_ctrl_close(sk);
923
		if (skb) {
924
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
925
					    HCI_SOCK_TRUSTED, NULL);
926
			kfree_skb(skb);
927
		}
928

929
		hci_sock_free_cookie(sk);
930
		break;
931
	}
932

933
	bt_sock_unlink(&hci_sk_list, sk);
934

935
	hdev = hci_pi(sk)->hdev;
936
	if (hdev) {
937
		if (hci_pi(sk)->channel == HCI_CHANNEL_USER &&
938
		    !hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
939
			/* When releasing a user channel exclusive access,
940
			 * call hci_dev_do_close directly instead of calling
941
			 * hci_dev_close to ensure the exclusive access will
942
			 * be released and the controller brought back down.
943
			 *
944
			 * The checking of HCI_AUTO_OFF is not needed in this
945
			 * case since it will have been cleared already when
946
			 * opening the user channel.
947
			 *
948
			 * Make sure to also check that we haven't already
949
			 * unregistered since all the cleanup will have already
950
			 * been complete and hdev will get released when we put
951
			 * below.
952
			 */
953
			hci_dev_do_close(hdev);
954
			hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
955
			mgmt_index_added(hdev);
956
		}
957

958
		atomic_dec(&hdev->promisc);
959
		hci_dev_put(hdev);
960
	}
961

962
	sock_orphan(sk);
963
	release_sock(sk);
964
	sock_put(sk);
965
	return 0;
966
}
967

968
static int hci_sock_reject_list_add(struct hci_dev *hdev, void __user *arg)
969
{
970
	bdaddr_t bdaddr;
971
	int err;
972

973
	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
974
		return -EFAULT;
975

976
	hci_dev_lock(hdev);
977

978
	err = hci_bdaddr_list_add(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
979

980
	hci_dev_unlock(hdev);
981

982
	return err;
983
}
984

985
static int hci_sock_reject_list_del(struct hci_dev *hdev, void __user *arg)
986
{
987
	bdaddr_t bdaddr;
988
	int err;
989

990
	if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
991
		return -EFAULT;
992

993
	hci_dev_lock(hdev);
994

995
	err = hci_bdaddr_list_del(&hdev->reject_list, &bdaddr, BDADDR_BREDR);
996

997
	hci_dev_unlock(hdev);
998

999
	return err;
1000
}
1001

1002
/* Ioctls that require bound socket */
1003
static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
1004
				unsigned long arg)
1005
{
1006
	struct hci_dev *hdev = hci_hdev_from_sock(sk);
1007

1008
	if (IS_ERR(hdev))
1009
		return PTR_ERR(hdev);
1010

1011
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1012
		return -EBUSY;
1013

1014
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1015
		return -EOPNOTSUPP;
1016

1017
	switch (cmd) {
1018
	case HCISETRAW:
1019
		if (!capable(CAP_NET_ADMIN))
1020
			return -EPERM;
1021
		return -EOPNOTSUPP;
1022

1023
	case HCIGETCONNINFO:
1024
		return hci_get_conn_info(hdev, (void __user *)arg);
1025

1026
	case HCIGETAUTHINFO:
1027
		return hci_get_auth_info(hdev, (void __user *)arg);
1028

1029
	case HCIBLOCKADDR:
1030
		if (!capable(CAP_NET_ADMIN))
1031
			return -EPERM;
1032
		return hci_sock_reject_list_add(hdev, (void __user *)arg);
1033

1034
	case HCIUNBLOCKADDR:
1035
		if (!capable(CAP_NET_ADMIN))
1036
			return -EPERM;
1037
		return hci_sock_reject_list_del(hdev, (void __user *)arg);
1038
	}
1039

1040
	return -ENOIOCTLCMD;
1041
}
1042

1043
static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
1044
			  unsigned long arg)
1045
{
1046
	void __user *argp = (void __user *)arg;
1047
	struct sock *sk = sock->sk;
1048
	int err;
1049

1050
	BT_DBG("cmd %x arg %lx", cmd, arg);
1051

1052
	/* Make sure the cmd is valid before doing anything */
1053
	switch (cmd) {
1054
	case HCIGETDEVLIST:
1055
	case HCIGETDEVINFO:
1056
	case HCIGETCONNLIST:
1057
	case HCIDEVUP:
1058
	case HCIDEVDOWN:
1059
	case HCIDEVRESET:
1060
	case HCIDEVRESTAT:
1061
	case HCISETSCAN:
1062
	case HCISETAUTH:
1063
	case HCISETENCRYPT:
1064
	case HCISETPTYPE:
1065
	case HCISETLINKPOL:
1066
	case HCISETLINKMODE:
1067
	case HCISETACLMTU:
1068
	case HCISETSCOMTU:
1069
	case HCIINQUIRY:
1070
	case HCISETRAW:
1071
	case HCIGETCONNINFO:
1072
	case HCIGETAUTHINFO:
1073
	case HCIBLOCKADDR:
1074
	case HCIUNBLOCKADDR:
1075
		break;
1076
	default:
1077
		return -ENOIOCTLCMD;
1078
	}
1079

1080
	lock_sock(sk);
1081

1082
	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1083
		err = -EBADFD;
1084
		goto done;
1085
	}
1086

1087
	/* When calling an ioctl on an unbound raw socket, then ensure
1088
	 * that the monitor gets informed. Ensure that the resulting event
1089
	 * is only send once by checking if the cookie exists or not. The
1090
	 * socket cookie will be only ever generated once for the lifetime
1091
	 * of a given socket.
1092
	 */
1093
	if (hci_sock_gen_cookie(sk)) {
1094
		struct sk_buff *skb;
1095

1096
		/* Perform careful checks before setting the HCI_SOCK_TRUSTED
1097
		 * flag. Make sure that not only the current task but also
1098
		 * the socket opener has the required capability, since
1099
		 * privileged programs can be tricked into making ioctl calls
1100
		 * on HCI sockets, and the socket should not be marked as
1101
		 * trusted simply because the ioctl caller is privileged.
1102
		 */
1103
		if (sk_capable(sk, CAP_NET_ADMIN))
1104
			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1105

1106
		/* Send event to monitor */
1107
		skb = create_monitor_ctrl_open(sk);
1108
		if (skb) {
1109
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1110
					    HCI_SOCK_TRUSTED, NULL);
1111
			kfree_skb(skb);
1112
		}
1113
	}
1114

1115
	release_sock(sk);
1116

1117
	switch (cmd) {
1118
	case HCIGETDEVLIST:
1119
		return hci_get_dev_list(argp);
1120

1121
	case HCIGETDEVINFO:
1122
		return hci_get_dev_info(argp);
1123

1124
	case HCIGETCONNLIST:
1125
		return hci_get_conn_list(argp);
1126

1127
	case HCIDEVUP:
1128
		if (!capable(CAP_NET_ADMIN))
1129
			return -EPERM;
1130
		return hci_dev_open(arg);
1131

1132
	case HCIDEVDOWN:
1133
		if (!capable(CAP_NET_ADMIN))
1134
			return -EPERM;
1135
		return hci_dev_close(arg);
1136

1137
	case HCIDEVRESET:
1138
		if (!capable(CAP_NET_ADMIN))
1139
			return -EPERM;
1140
		return hci_dev_reset(arg);
1141

1142
	case HCIDEVRESTAT:
1143
		if (!capable(CAP_NET_ADMIN))
1144
			return -EPERM;
1145
		return hci_dev_reset_stat(arg);
1146

1147
	case HCISETSCAN:
1148
	case HCISETAUTH:
1149
	case HCISETENCRYPT:
1150
	case HCISETPTYPE:
1151
	case HCISETLINKPOL:
1152
	case HCISETLINKMODE:
1153
	case HCISETACLMTU:
1154
	case HCISETSCOMTU:
1155
		if (!capable(CAP_NET_ADMIN))
1156
			return -EPERM;
1157
		return hci_dev_cmd(cmd, argp);
1158

1159
	case HCIINQUIRY:
1160
		return hci_inquiry(argp);
1161
	}
1162

1163
	lock_sock(sk);
1164

1165
	err = hci_sock_bound_ioctl(sk, cmd, arg);
1166

1167
done:
1168
	release_sock(sk);
1169
	return err;
1170
}
1171

1172
#ifdef CONFIG_COMPAT
1173
static int hci_sock_compat_ioctl(struct socket *sock, unsigned int cmd,
1174
				 unsigned long arg)
1175
{
1176
	switch (cmd) {
1177
	case HCIDEVUP:
1178
	case HCIDEVDOWN:
1179
	case HCIDEVRESET:
1180
	case HCIDEVRESTAT:
1181
		return hci_sock_ioctl(sock, cmd, arg);
1182
	}
1183

1184
	return hci_sock_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
1185
}
1186
#endif
1187

1188
static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
1189
			 int addr_len)
1190
{
1191
	struct sockaddr_hci haddr;
1192
	struct sock *sk = sock->sk;
1193
	struct hci_dev *hdev = NULL;
1194
	struct sk_buff *skb;
1195
	int len, err = 0;
1196

1197
	BT_DBG("sock %p sk %p", sock, sk);
1198

1199
	if (!addr)
1200
		return -EINVAL;
1201

1202
	memset(&haddr, 0, sizeof(haddr));
1203
	len = min_t(unsigned int, sizeof(haddr), addr_len);
1204
	memcpy(&haddr, addr, len);
1205

1206
	if (haddr.hci_family != AF_BLUETOOTH)
1207
		return -EINVAL;
1208

1209
	lock_sock(sk);
1210

1211
	/* Allow detaching from dead device and attaching to alive device, if
1212
	 * the caller wants to re-bind (instead of close) this socket in
1213
	 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
1214
	 */
1215
	hdev = hci_pi(sk)->hdev;
1216
	if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1217
		hci_pi(sk)->hdev = NULL;
1218
		sk->sk_state = BT_OPEN;
1219
		hci_dev_put(hdev);
1220
	}
1221
	hdev = NULL;
1222

1223
	if (sk->sk_state == BT_BOUND) {
1224
		err = -EALREADY;
1225
		goto done;
1226
	}
1227

1228
	switch (haddr.hci_channel) {
1229
	case HCI_CHANNEL_RAW:
1230
		if (hci_pi(sk)->hdev) {
1231
			err = -EALREADY;
1232
			goto done;
1233
		}
1234

1235
		if (haddr.hci_dev != HCI_DEV_NONE) {
1236
			hdev = hci_dev_get(haddr.hci_dev);
1237
			if (!hdev) {
1238
				err = -ENODEV;
1239
				goto done;
1240
			}
1241

1242
			atomic_inc(&hdev->promisc);
1243
		}
1244

1245
		hci_pi(sk)->channel = haddr.hci_channel;
1246

1247
		if (!hci_sock_gen_cookie(sk)) {
1248
			/* In the case when a cookie has already been assigned,
1249
			 * then there has been already an ioctl issued against
1250
			 * an unbound socket and with that triggered an open
1251
			 * notification. Send a close notification first to
1252
			 * allow the state transition to bounded.
1253
			 */
1254
			skb = create_monitor_ctrl_close(sk);
1255
			if (skb) {
1256
				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1257
						    HCI_SOCK_TRUSTED, NULL);
1258
				kfree_skb(skb);
1259
			}
1260
		}
1261

1262
		if (capable(CAP_NET_ADMIN))
1263
			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1264

1265
		hci_pi(sk)->hdev = hdev;
1266

1267
		/* Send event to monitor */
1268
		skb = create_monitor_ctrl_open(sk);
1269
		if (skb) {
1270
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1271
					    HCI_SOCK_TRUSTED, NULL);
1272
			kfree_skb(skb);
1273
		}
1274
		break;
1275

1276
	case HCI_CHANNEL_USER:
1277
		if (hci_pi(sk)->hdev) {
1278
			err = -EALREADY;
1279
			goto done;
1280
		}
1281

1282
		if (haddr.hci_dev == HCI_DEV_NONE) {
1283
			err = -EINVAL;
1284
			goto done;
1285
		}
1286

1287
		if (!capable(CAP_NET_ADMIN)) {
1288
			err = -EPERM;
1289
			goto done;
1290
		}
1291

1292
		hdev = hci_dev_get(haddr.hci_dev);
1293
		if (!hdev) {
1294
			err = -ENODEV;
1295
			goto done;
1296
		}
1297

1298
		if (test_bit(HCI_INIT, &hdev->flags) ||
1299
		    hci_dev_test_flag(hdev, HCI_SETUP) ||
1300
		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
1301
		    (!hci_dev_test_flag(hdev, HCI_AUTO_OFF) &&
1302
		     test_bit(HCI_UP, &hdev->flags))) {
1303
			err = -EBUSY;
1304
			hci_dev_put(hdev);
1305
			goto done;
1306
		}
1307

1308
		if (hci_dev_test_and_set_flag(hdev, HCI_USER_CHANNEL)) {
1309
			err = -EUSERS;
1310
			hci_dev_put(hdev);
1311
			goto done;
1312
		}
1313

1314
		mgmt_index_removed(hdev);
1315

1316
		err = hci_dev_open(hdev->id);
1317
		if (err) {
1318
			if (err == -EALREADY) {
1319
				/* In case the transport is already up and
1320
				 * running, clear the error here.
1321
				 *
1322
				 * This can happen when opening a user
1323
				 * channel and HCI_AUTO_OFF grace period
1324
				 * is still active.
1325
				 */
1326
				err = 0;
1327
			} else {
1328
				hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
1329
				mgmt_index_added(hdev);
1330
				hci_dev_put(hdev);
1331
				goto done;
1332
			}
1333
		}
1334

1335
		hci_pi(sk)->channel = haddr.hci_channel;
1336

1337
		if (!hci_sock_gen_cookie(sk)) {
1338
			/* In the case when a cookie has already been assigned,
1339
			 * this socket will transition from a raw socket into
1340
			 * a user channel socket. For a clean transition, send
1341
			 * the close notification first.
1342
			 */
1343
			skb = create_monitor_ctrl_close(sk);
1344
			if (skb) {
1345
				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1346
						    HCI_SOCK_TRUSTED, NULL);
1347
				kfree_skb(skb);
1348
			}
1349
		}
1350

1351
		/* The user channel is restricted to CAP_NET_ADMIN
1352
		 * capabilities and with that implicitly trusted.
1353
		 */
1354
		hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1355

1356
		hci_pi(sk)->hdev = hdev;
1357

1358
		/* Send event to monitor */
1359
		skb = create_monitor_ctrl_open(sk);
1360
		if (skb) {
1361
			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1362
					    HCI_SOCK_TRUSTED, NULL);
1363
			kfree_skb(skb);
1364
		}
1365

1366
		atomic_inc(&hdev->promisc);
1367
		break;
1368

1369
	case HCI_CHANNEL_MONITOR:
1370
		if (haddr.hci_dev != HCI_DEV_NONE) {
1371
			err = -EINVAL;
1372
			goto done;
1373
		}
1374

1375
		if (!capable(CAP_NET_RAW)) {
1376
			err = -EPERM;
1377
			goto done;
1378
		}
1379

1380
		hci_pi(sk)->channel = haddr.hci_channel;
1381

1382
		/* The monitor interface is restricted to CAP_NET_RAW
1383
		 * capabilities and with that implicitly trusted.
1384
		 */
1385
		hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1386

1387
		send_monitor_note(sk, "Linux version %s (%s)",
1388
				  init_utsname()->release,
1389
				  init_utsname()->machine);
1390
		send_monitor_note(sk, "Bluetooth subsystem version %u.%u",
1391
				  BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);
1392
		send_monitor_replay(sk);
1393
		send_monitor_control_replay(sk);
1394

1395
		atomic_inc(&monitor_promisc);
1396
		break;
1397

1398
	case HCI_CHANNEL_LOGGING:
1399
		if (haddr.hci_dev != HCI_DEV_NONE) {
1400
			err = -EINVAL;
1401
			goto done;
1402
		}
1403

1404
		if (!capable(CAP_NET_ADMIN)) {
1405
			err = -EPERM;
1406
			goto done;
1407
		}
1408

1409
		hci_pi(sk)->channel = haddr.hci_channel;
1410
		break;
1411

1412
	default:
1413
		if (!hci_mgmt_chan_find(haddr.hci_channel)) {
1414
			err = -EINVAL;
1415
			goto done;
1416
		}
1417

1418
		if (haddr.hci_dev != HCI_DEV_NONE) {
1419
			err = -EINVAL;
1420
			goto done;
1421
		}
1422

1423
		/* Users with CAP_NET_ADMIN capabilities are allowed
1424
		 * access to all management commands and events. For
1425
		 * untrusted users the interface is restricted and
1426
		 * also only untrusted events are sent.
1427
		 */
1428
		if (capable(CAP_NET_ADMIN))
1429
			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
1430

1431
		hci_pi(sk)->channel = haddr.hci_channel;
1432

1433
		/* At the moment the index and unconfigured index events
1434
		 * are enabled unconditionally. Setting them on each
1435
		 * socket when binding keeps this functionality. They
1436
		 * however might be cleared later and then sending of these
1437
		 * events will be disabled, but that is then intentional.
1438
		 *
1439
		 * This also enables generic events that are safe to be
1440
		 * received by untrusted users. Example for such events
1441
		 * are changes to settings, class of device, name etc.
1442
		 */
1443
		if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) {
1444
			if (!hci_sock_gen_cookie(sk)) {
1445
				/* In the case when a cookie has already been
1446
				 * assigned, this socket will transition from
1447
				 * a raw socket into a control socket. To
1448
				 * allow for a clean transition, send the
1449
				 * close notification first.
1450
				 */
1451
				skb = create_monitor_ctrl_close(sk);
1452
				if (skb) {
1453
					hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1454
							    HCI_SOCK_TRUSTED, NULL);
1455
					kfree_skb(skb);
1456
				}
1457
			}
1458

1459
			/* Send event to monitor */
1460
			skb = create_monitor_ctrl_open(sk);
1461
			if (skb) {
1462
				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
1463
						    HCI_SOCK_TRUSTED, NULL);
1464
				kfree_skb(skb);
1465
			}
1466

1467
			hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);
1468
			hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
1469
			hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS);
1470
			hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS);
1471
			hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1472
			hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1473
		}
1474
		break;
1475
	}
1476

1477
	/* Default MTU to HCI_MAX_FRAME_SIZE if not set */
1478
	if (!hci_pi(sk)->mtu)
1479
		hci_pi(sk)->mtu = HCI_MAX_FRAME_SIZE;
1480

1481
	sk->sk_state = BT_BOUND;
1482

1483
done:
1484
	release_sock(sk);
1485
	return err;
1486
}
1487

1488
static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
1489
			    int peer)
1490
{
1491
	struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
1492
	struct sock *sk = sock->sk;
1493
	struct hci_dev *hdev;
1494
	int err = 0;
1495

1496
	BT_DBG("sock %p sk %p", sock, sk);
1497

1498
	if (peer)
1499
		return -EOPNOTSUPP;
1500

1501
	lock_sock(sk);
1502

1503
	hdev = hci_hdev_from_sock(sk);
1504
	if (IS_ERR(hdev)) {
1505
		err = PTR_ERR(hdev);
1506
		goto done;
1507
	}
1508

1509
	haddr->hci_family = AF_BLUETOOTH;
1510
	haddr->hci_dev    = hdev->id;
1511
	haddr->hci_channel= hci_pi(sk)->channel;
1512
	err = sizeof(*haddr);
1513

1514
done:
1515
	release_sock(sk);
1516
	return err;
1517
}
1518

1519
static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
1520
			  struct sk_buff *skb)
1521
{
1522
	__u8 mask = hci_pi(sk)->cmsg_mask;
1523

1524
	if (mask & HCI_CMSG_DIR) {
1525
		int incoming = bt_cb(skb)->incoming;
1526
		put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
1527
			 &incoming);
1528
	}
1529

1530
	if (mask & HCI_CMSG_TSTAMP) {
1531
#ifdef CONFIG_COMPAT
1532
		struct old_timeval32 ctv;
1533
#endif
1534
		struct __kernel_old_timeval tv;
1535
		void *data;
1536
		int len;
1537

1538
		skb_get_timestamp(skb, &tv);
1539

1540
		data = &tv;
1541
		len = sizeof(tv);
1542
#ifdef CONFIG_COMPAT
1543
		if (!COMPAT_USE_64BIT_TIME &&
1544
		    (msg->msg_flags & MSG_CMSG_COMPAT)) {
1545
			ctv.tv_sec = tv.tv_sec;
1546
			ctv.tv_usec = tv.tv_usec;
1547
			data = &ctv;
1548
			len = sizeof(ctv);
1549
		}
1550
#endif
1551

1552
		put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
1553
	}
1554
}
1555

1556
static int hci_sock_recvmsg(struct socket *sock, struct msghdr *msg,
1557
			    size_t len, int flags)
1558
{
1559
	struct scm_cookie scm;
1560
	struct sock *sk = sock->sk;
1561
	struct sk_buff *skb;
1562
	int copied, err;
1563
	unsigned int skblen;
1564

1565
	BT_DBG("sock %p, sk %p", sock, sk);
1566

1567
	if (flags & MSG_OOB)
1568
		return -EOPNOTSUPP;
1569

1570
	if (hci_pi(sk)->channel == HCI_CHANNEL_LOGGING)
1571
		return -EOPNOTSUPP;
1572

1573
	if (sk->sk_state == BT_CLOSED)
1574
		return 0;
1575

1576
	skb = skb_recv_datagram(sk, flags, &err);
1577
	if (!skb)
1578
		return err;
1579

1580
	skblen = skb->len;
1581
	copied = skb->len;
1582
	if (len < copied) {
1583
		msg->msg_flags |= MSG_TRUNC;
1584
		copied = len;
1585
	}
1586

1587
	skb_reset_transport_header(skb);
1588
	err = skb_copy_datagram_msg(skb, 0, msg, copied);
1589

1590
	switch (hci_pi(sk)->channel) {
1591
	case HCI_CHANNEL_RAW:
1592
		hci_sock_cmsg(sk, msg, skb);
1593
		break;
1594
	case HCI_CHANNEL_USER:
1595
	case HCI_CHANNEL_MONITOR:
1596
		sock_recv_timestamp(msg, sk, skb);
1597
		break;
1598
	default:
1599
		if (hci_mgmt_chan_find(hci_pi(sk)->channel))
1600
			sock_recv_timestamp(msg, sk, skb);
1601
		break;
1602
	}
1603

1604
	memset(&scm, 0, sizeof(scm));
1605
	scm.creds = bt_cb(skb)->creds;
1606

1607
	skb_free_datagram(sk, skb);
1608

1609
	if (flags & MSG_TRUNC)
1610
		copied = skblen;
1611

1612
	scm_recv(sock, msg, &scm, flags);
1613

1614
	return err ? : copied;
1615
}
1616

1617
static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,
1618
			struct sk_buff *skb)
1619
{
1620
	u8 *cp;
1621
	struct mgmt_hdr *hdr;
1622
	u16 opcode, index, len;
1623
	struct hci_dev *hdev = NULL;
1624
	const struct hci_mgmt_handler *handler;
1625
	bool var_len, no_hdev;
1626
	int err;
1627

1628
	BT_DBG("got %d bytes", skb->len);
1629

1630
	if (skb->len < sizeof(*hdr))
1631
		return -EINVAL;
1632

1633
	hdr = (void *)skb->data;
1634
	opcode = __le16_to_cpu(hdr->opcode);
1635
	index = __le16_to_cpu(hdr->index);
1636
	len = __le16_to_cpu(hdr->len);
1637

1638
	if (len != skb->len - sizeof(*hdr)) {
1639
		err = -EINVAL;
1640
		goto done;
1641
	}
1642

1643
	if (chan->channel == HCI_CHANNEL_CONTROL) {
1644
		struct sk_buff *cmd;
1645

1646
		/* Send event to monitor */
1647
		cmd = create_monitor_ctrl_command(sk, index, opcode, len,
1648
						  skb->data + sizeof(*hdr));
1649
		if (cmd) {
1650
			hci_send_to_channel(HCI_CHANNEL_MONITOR, cmd,
1651
					    HCI_SOCK_TRUSTED, NULL);
1652
			kfree_skb(cmd);
1653
		}
1654
	}
1655

1656
	if (opcode >= chan->handler_count ||
1657
	    chan->handlers[opcode].func == NULL) {
1658
		BT_DBG("Unknown op %u", opcode);
1659
		err = mgmt_cmd_status(sk, index, opcode,
1660
				      MGMT_STATUS_UNKNOWN_COMMAND);
1661
		goto done;
1662
	}
1663

1664
	handler = &chan->handlers[opcode];
1665

1666
	if (!hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) &&
1667
	    !(handler->flags & HCI_MGMT_UNTRUSTED)) {
1668
		err = mgmt_cmd_status(sk, index, opcode,
1669
				      MGMT_STATUS_PERMISSION_DENIED);
1670
		goto done;
1671
	}
1672

1673
	if (index != MGMT_INDEX_NONE) {
1674
		hdev = hci_dev_get(index);
1675
		if (!hdev) {
1676
			err = mgmt_cmd_status(sk, index, opcode,
1677
					      MGMT_STATUS_INVALID_INDEX);
1678
			goto done;
1679
		}
1680

1681
		if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1682
		    hci_dev_test_flag(hdev, HCI_CONFIG) ||
1683
		    hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1684
			err = mgmt_cmd_status(sk, index, opcode,
1685
					      MGMT_STATUS_INVALID_INDEX);
1686
			goto done;
1687
		}
1688

1689
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1690
		    !(handler->flags & HCI_MGMT_UNCONFIGURED)) {
1691
			err = mgmt_cmd_status(sk, index, opcode,
1692
					      MGMT_STATUS_INVALID_INDEX);
1693
			goto done;
1694
		}
1695
	}
1696

1697
	if (!(handler->flags & HCI_MGMT_HDEV_OPTIONAL)) {
1698
		no_hdev = (handler->flags & HCI_MGMT_NO_HDEV);
1699
		if (no_hdev != !hdev) {
1700
			err = mgmt_cmd_status(sk, index, opcode,
1701
					      MGMT_STATUS_INVALID_INDEX);
1702
			goto done;
1703
		}
1704
	}
1705

1706
	var_len = (handler->flags & HCI_MGMT_VAR_LEN);
1707
	if ((var_len && len < handler->data_len) ||
1708
	    (!var_len && len != handler->data_len)) {
1709
		err = mgmt_cmd_status(sk, index, opcode,
1710
				      MGMT_STATUS_INVALID_PARAMS);
1711
		goto done;
1712
	}
1713

1714
	if (hdev && chan->hdev_init)
1715
		chan->hdev_init(sk, hdev);
1716

1717
	cp = skb->data + sizeof(*hdr);
1718

1719
	err = handler->func(sk, hdev, cp, len);
1720
	if (err < 0)
1721
		goto done;
1722

1723
	err = skb->len;
1724

1725
done:
1726
	if (hdev)
1727
		hci_dev_put(hdev);
1728

1729
	return err;
1730
}
1731

1732
static int hci_logging_frame(struct sock *sk, struct sk_buff *skb,
1733
			     unsigned int flags)
1734
{
1735
	struct hci_mon_hdr *hdr;
1736
	struct hci_dev *hdev;
1737
	u16 index;
1738
	int err;
1739

1740
	/* The logging frame consists at minimum of the standard header,
1741
	 * the priority byte, the ident length byte and at least one string
1742
	 * terminator NUL byte. Anything shorter are invalid packets.
1743
	 */
1744
	if (skb->len < sizeof(*hdr) + 3)
1745
		return -EINVAL;
1746

1747
	hdr = (void *)skb->data;
1748

1749
	if (__le16_to_cpu(hdr->len) != skb->len - sizeof(*hdr))
1750
		return -EINVAL;
1751

1752
	if (__le16_to_cpu(hdr->opcode) == 0x0000) {
1753
		__u8 priority = skb->data[sizeof(*hdr)];
1754
		__u8 ident_len = skb->data[sizeof(*hdr) + 1];
1755

1756
		/* Only the priorities 0-7 are valid and with that any other
1757
		 * value results in an invalid packet.
1758
		 *
1759
		 * The priority byte is followed by an ident length byte and
1760
		 * the NUL terminated ident string. Check that the ident
1761
		 * length is not overflowing the packet and also that the
1762
		 * ident string itself is NUL terminated. In case the ident
1763
		 * length is zero, the length value actually doubles as NUL
1764
		 * terminator identifier.
1765
		 *
1766
		 * The message follows the ident string (if present) and
1767
		 * must be NUL terminated. Otherwise it is not a valid packet.
1768
		 */
1769
		if (priority > 7 || skb->data[skb->len - 1] != 0x00 ||
1770
		    ident_len > skb->len - sizeof(*hdr) - 3 ||
1771
		    skb->data[sizeof(*hdr) + ident_len + 1] != 0x00)
1772
			return -EINVAL;
1773
	} else {
1774
		return -EINVAL;
1775
	}
1776

1777
	index = __le16_to_cpu(hdr->index);
1778

1779
	if (index != MGMT_INDEX_NONE) {
1780
		hdev = hci_dev_get(index);
1781
		if (!hdev)
1782
			return -ENODEV;
1783
	} else {
1784
		hdev = NULL;
1785
	}
1786

1787
	hdr->opcode = cpu_to_le16(HCI_MON_USER_LOGGING);
1788

1789
	hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, HCI_SOCK_TRUSTED, NULL);
1790
	err = skb->len;
1791

1792
	if (hdev)
1793
		hci_dev_put(hdev);
1794

1795
	return err;
1796
}
1797

1798
static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1799
			    size_t len)
1800
{
1801
	struct sock *sk = sock->sk;
1802
	struct hci_mgmt_chan *chan;
1803
	struct hci_dev *hdev;
1804
	struct sk_buff *skb;
1805
	int err;
1806
	const unsigned int flags = msg->msg_flags;
1807

1808
	BT_DBG("sock %p sk %p", sock, sk);
1809

1810
	if (flags & MSG_OOB)
1811
		return -EOPNOTSUPP;
1812

1813
	if (flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
1814
		return -EINVAL;
1815

1816
	if (len < 4 || len > hci_pi(sk)->mtu)
1817
		return -EINVAL;
1818

1819
	skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0);
1820
	if (IS_ERR(skb))
1821
		return PTR_ERR(skb);
1822

1823
	lock_sock(sk);
1824

1825
	switch (hci_pi(sk)->channel) {
1826
	case HCI_CHANNEL_RAW:
1827
	case HCI_CHANNEL_USER:
1828
		break;
1829
	case HCI_CHANNEL_MONITOR:
1830
		err = -EOPNOTSUPP;
1831
		goto drop;
1832
	case HCI_CHANNEL_LOGGING:
1833
		err = hci_logging_frame(sk, skb, flags);
1834
		goto drop;
1835
	default:
1836
		mutex_lock(&mgmt_chan_list_lock);
1837
		chan = __hci_mgmt_chan_find(hci_pi(sk)->channel);
1838
		if (chan)
1839
			err = hci_mgmt_cmd(chan, sk, skb);
1840
		else
1841
			err = -EINVAL;
1842

1843
		mutex_unlock(&mgmt_chan_list_lock);
1844
		goto drop;
1845
	}
1846

1847
	hdev = hci_hdev_from_sock(sk);
1848
	if (IS_ERR(hdev)) {
1849
		err = PTR_ERR(hdev);
1850
		goto drop;
1851
	}
1852

1853
	if (!test_bit(HCI_UP, &hdev->flags)) {
1854
		err = -ENETDOWN;
1855
		goto drop;
1856
	}
1857

1858
	hci_skb_pkt_type(skb) = skb->data[0];
1859
	skb_pull(skb, 1);
1860

1861
	if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
1862
		/* No permission check is needed for user channel
1863
		 * since that gets enforced when binding the socket.
1864
		 *
1865
		 * However check that the packet type is valid.
1866
		 */
1867
		if (hci_skb_pkt_type(skb) != HCI_COMMAND_PKT &&
1868
		    hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1869
		    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1870
		    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT &&
1871
		    hci_skb_pkt_type(skb) != HCI_DRV_PKT) {
1872
			err = -EINVAL;
1873
			goto drop;
1874
		}
1875

1876
		skb_queue_tail(&hdev->raw_q, skb);
1877
		queue_work(hdev->workqueue, &hdev->tx_work);
1878
	} else if (hci_skb_pkt_type(skb) == HCI_COMMAND_PKT) {
1879
		u16 opcode = get_unaligned_le16(skb->data);
1880
		u16 ogf = hci_opcode_ogf(opcode);
1881
		u16 ocf = hci_opcode_ocf(opcode);
1882

1883
		if (((ogf > HCI_SFLT_MAX_OGF) ||
1884
		     !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
1885
				   &hci_sec_filter.ocf_mask[ogf])) &&
1886
		    !capable(CAP_NET_RAW)) {
1887
			err = -EPERM;
1888
			goto drop;
1889
		}
1890

1891
		/* Since the opcode has already been extracted here, store
1892
		 * a copy of the value for later use by the drivers.
1893
		 */
1894
		hci_skb_opcode(skb) = opcode;
1895

1896
		if (ogf == 0x3f) {
1897
			skb_queue_tail(&hdev->raw_q, skb);
1898
			queue_work(hdev->workqueue, &hdev->tx_work);
1899
		} else {
1900
			/* Stand-alone HCI commands must be flagged as
1901
			 * single-command requests.
1902
			 */
1903
			bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
1904

1905
			skb_queue_tail(&hdev->cmd_q, skb);
1906
			queue_work(hdev->workqueue, &hdev->cmd_work);
1907
		}
1908
	} else {
1909
		if (!capable(CAP_NET_RAW)) {
1910
			err = -EPERM;
1911
			goto drop;
1912
		}
1913

1914
		if (hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
1915
		    hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
1916
		    hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
1917
			err = -EINVAL;
1918
			goto drop;
1919
		}
1920

1921
		skb_queue_tail(&hdev->raw_q, skb);
1922
		queue_work(hdev->workqueue, &hdev->tx_work);
1923
	}
1924

1925
	err = len;
1926

1927
done:
1928
	release_sock(sk);
1929
	return err;
1930

1931
drop:
1932
	kfree_skb(skb);
1933
	goto done;
1934
}
1935

1936
static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
1937
				   sockptr_t optval, unsigned int optlen)
1938
{
1939
	struct hci_ufilter uf = { .opcode = 0 };
1940
	struct sock *sk = sock->sk;
1941
	int err = 0, opt = 0;
1942

1943
	BT_DBG("sk %p, opt %d", sk, optname);
1944

1945
	lock_sock(sk);
1946

1947
	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
1948
		err = -EBADFD;
1949
		goto done;
1950
	}
1951

1952
	switch (optname) {
1953
	case HCI_DATA_DIR:
1954
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1955
		if (err)
1956
			break;
1957

1958
		if (opt)
1959
			hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
1960
		else
1961
			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
1962
		break;
1963

1964
	case HCI_TIME_STAMP:
1965
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1966
		if (err)
1967
			break;
1968

1969
		if (opt)
1970
			hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
1971
		else
1972
			hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
1973
		break;
1974

1975
	case HCI_FILTER:
1976
		{
1977
			struct hci_filter *f = &hci_pi(sk)->filter;
1978

1979
			uf.type_mask = f->type_mask;
1980
			uf.opcode    = f->opcode;
1981
			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1982
			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1983
		}
1984

1985
		err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen);
1986
		if (err)
1987
			break;
1988

1989
		if (!capable(CAP_NET_RAW)) {
1990
			uf.type_mask &= hci_sec_filter.type_mask;
1991
			uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
1992
			uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
1993
		}
1994

1995
		{
1996
			struct hci_filter *f = &hci_pi(sk)->filter;
1997

1998
			f->type_mask = uf.type_mask;
1999
			f->opcode    = uf.opcode;
2000
			*((u32 *) f->event_mask + 0) = uf.event_mask[0];
2001
			*((u32 *) f->event_mask + 1) = uf.event_mask[1];
2002
		}
2003
		break;
2004

2005
	default:
2006
		err = -ENOPROTOOPT;
2007
		break;
2008
	}
2009

2010
done:
2011
	release_sock(sk);
2012
	return err;
2013
}
2014

2015
static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
2016
			       sockptr_t optval, unsigned int optlen)
2017
{
2018
	struct sock *sk = sock->sk;
2019
	int err = 0;
2020
	u16 opt;
2021

2022
	BT_DBG("sk %p, opt %d", sk, optname);
2023

2024
	if (level == SOL_HCI)
2025
		return hci_sock_setsockopt_old(sock, level, optname, optval,
2026
					       optlen);
2027

2028
	if (level != SOL_BLUETOOTH)
2029
		return -ENOPROTOOPT;
2030

2031
	lock_sock(sk);
2032

2033
	switch (optname) {
2034
	case BT_SNDMTU:
2035
	case BT_RCVMTU:
2036
		switch (hci_pi(sk)->channel) {
2037
		/* Don't allow changing MTU for channels that are meant for HCI
2038
		 * traffic only.
2039
		 */
2040
		case HCI_CHANNEL_RAW:
2041
		case HCI_CHANNEL_USER:
2042
			err = -ENOPROTOOPT;
2043
			goto done;
2044
		}
2045

2046
		err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
2047
		if (err)
2048
			break;
2049

2050
		hci_pi(sk)->mtu = opt;
2051
		break;
2052

2053
	default:
2054
		err = -ENOPROTOOPT;
2055
		break;
2056
	}
2057

2058
done:
2059
	release_sock(sk);
2060
	return err;
2061
}
2062

2063
static int hci_sock_getsockopt_old(struct socket *sock, int level, int optname,
2064
				   char __user *optval, int __user *optlen)
2065
{
2066
	struct hci_ufilter uf;
2067
	struct sock *sk = sock->sk;
2068
	int len, opt, err = 0;
2069

2070
	BT_DBG("sk %p, opt %d", sk, optname);
2071

2072
	if (get_user(len, optlen))
2073
		return -EFAULT;
2074

2075
	lock_sock(sk);
2076

2077
	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
2078
		err = -EBADFD;
2079
		goto done;
2080
	}
2081

2082
	switch (optname) {
2083
	case HCI_DATA_DIR:
2084
		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
2085
			opt = 1;
2086
		else
2087
			opt = 0;
2088

2089
		if (put_user(opt, optval))
2090
			err = -EFAULT;
2091
		break;
2092

2093
	case HCI_TIME_STAMP:
2094
		if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
2095
			opt = 1;
2096
		else
2097
			opt = 0;
2098

2099
		if (put_user(opt, optval))
2100
			err = -EFAULT;
2101
		break;
2102

2103
	case HCI_FILTER:
2104
		{
2105
			struct hci_filter *f = &hci_pi(sk)->filter;
2106

2107
			memset(&uf, 0, sizeof(uf));
2108
			uf.type_mask = f->type_mask;
2109
			uf.opcode    = f->opcode;
2110
			uf.event_mask[0] = *((u32 *) f->event_mask + 0);
2111
			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
2112
		}
2113

2114
		len = min_t(unsigned int, len, sizeof(uf));
2115
		if (copy_to_user(optval, &uf, len))
2116
			err = -EFAULT;
2117
		break;
2118

2119
	default:
2120
		err = -ENOPROTOOPT;
2121
		break;
2122
	}
2123

2124
done:
2125
	release_sock(sk);
2126
	return err;
2127
}
2128

2129
static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
2130
			       char __user *optval, int __user *optlen)
2131
{
2132
	struct sock *sk = sock->sk;
2133
	int err = 0;
2134

2135
	BT_DBG("sk %p, opt %d", sk, optname);
2136

2137
	if (level == SOL_HCI)
2138
		return hci_sock_getsockopt_old(sock, level, optname, optval,
2139
					       optlen);
2140

2141
	if (level != SOL_BLUETOOTH)
2142
		return -ENOPROTOOPT;
2143

2144
	lock_sock(sk);
2145

2146
	switch (optname) {
2147
	case BT_SNDMTU:
2148
	case BT_RCVMTU:
2149
		if (put_user(hci_pi(sk)->mtu, (u16 __user *)optval))
2150
			err = -EFAULT;
2151
		break;
2152

2153
	default:
2154
		err = -ENOPROTOOPT;
2155
		break;
2156
	}
2157

2158
	release_sock(sk);
2159
	return err;
2160
}
2161

2162
static void hci_sock_destruct(struct sock *sk)
2163
{
2164
	mgmt_cleanup(sk);
2165
	skb_queue_purge(&sk->sk_receive_queue);
2166
	skb_queue_purge(&sk->sk_write_queue);
2167
}
2168

2169
static const struct proto_ops hci_sock_ops = {
2170
	.family		= PF_BLUETOOTH,
2171
	.owner		= THIS_MODULE,
2172
	.release	= hci_sock_release,
2173
	.bind		= hci_sock_bind,
2174
	.getname	= hci_sock_getname,
2175
	.sendmsg	= hci_sock_sendmsg,
2176
	.recvmsg	= hci_sock_recvmsg,
2177
	.ioctl		= hci_sock_ioctl,
2178
#ifdef CONFIG_COMPAT
2179
	.compat_ioctl	= hci_sock_compat_ioctl,
2180
#endif
2181
	.poll		= datagram_poll,
2182
	.listen		= sock_no_listen,
2183
	.shutdown	= sock_no_shutdown,
2184
	.setsockopt	= hci_sock_setsockopt,
2185
	.getsockopt	= hci_sock_getsockopt,
2186
	.connect	= sock_no_connect,
2187
	.socketpair	= sock_no_socketpair,
2188
	.accept		= sock_no_accept,
2189
	.mmap		= sock_no_mmap
2190
};
2191

2192
static struct proto hci_sk_proto = {
2193
	.name		= "HCI",
2194
	.owner		= THIS_MODULE,
2195
	.obj_size	= sizeof(struct hci_pinfo)
2196
};
2197

2198
static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
2199
			   int kern)
2200
{
2201
	struct sock *sk;
2202

2203
	BT_DBG("sock %p", sock);
2204

2205
	if (sock->type != SOCK_RAW)
2206
		return -ESOCKTNOSUPPORT;
2207

2208
	sock->ops = &hci_sock_ops;
2209

2210
	sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC,
2211
			   kern);
2212
	if (!sk)
2213
		return -ENOMEM;
2214

2215
	sock->state = SS_UNCONNECTED;
2216
	sk->sk_destruct = hci_sock_destruct;
2217

2218
	bt_sock_link(&hci_sk_list, sk);
2219
	return 0;
2220
}
2221

2222
static const struct net_proto_family hci_sock_family_ops = {
2223
	.family	= PF_BLUETOOTH,
2224
	.owner	= THIS_MODULE,
2225
	.create	= hci_sock_create,
2226
};
2227

2228
int __init hci_sock_init(void)
2229
{
2230
	int err;
2231

2232
	BUILD_BUG_ON(sizeof(struct sockaddr_hci) > sizeof(struct sockaddr));
2233

2234
	err = proto_register(&hci_sk_proto, 0);
2235
	if (err < 0)
2236
		return err;
2237

2238
	err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
2239
	if (err < 0) {
2240
		BT_ERR("HCI socket registration failed");
2241
		goto error;
2242
	}
2243

2244
	err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
2245
	if (err < 0) {
2246
		BT_ERR("Failed to create HCI proc file");
2247
		bt_sock_unregister(BTPROTO_HCI);
2248
		goto error;
2249
	}
2250

2251
	BT_INFO("HCI socket layer initialized");
2252

2253
	return 0;
2254

2255
error:
2256
	proto_unregister(&hci_sk_proto);
2257
	return err;
2258
}
2259

2260
void hci_sock_cleanup(void)
2261
{
2262
	bt_procfs_cleanup(&init_net, "hci");
2263
	bt_sock_unregister(BTPROTO_HCI);
2264
	proto_unregister(&hci_sk_proto);
2265
}
2266

2267