Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
[linux-3.10.git] / net / bluetooth / hci_sock.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI sockets. */
26
27 #include <linux/export.h>
28 #include <asm/unaligned.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_mon.h>
33
34 static atomic_t monitor_promisc = ATOMIC_INIT(0);
35
36 /* ----- HCI socket interface ----- */
37
38 static inline int hci_test_bit(int nr, void *addr)
39 {
40         return *((__u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31));
41 }
42
43 /* Security filter */
44 static struct hci_sec_filter hci_sec_filter = {
45         /* Packet types */
46         0x10,
47         /* Events */
48         { 0x1000d9fe, 0x0000b00c },
49         /* Commands */
50         {
51                 { 0x0 },
52                 /* OGF_LINK_CTL */
53                 { 0xbe000006, 0x00000001, 0x00000000, 0x00 },
54                 /* OGF_LINK_POLICY */
55                 { 0x00005200, 0x00000000, 0x00000000, 0x00 },
56                 /* OGF_HOST_CTL */
57                 { 0xaab00200, 0x2b402aaa, 0x05220154, 0x00 },
58                 /* OGF_INFO_PARAM */
59                 { 0x000002be, 0x00000000, 0x00000000, 0x00 },
60                 /* OGF_STATUS_PARAM */
61                 { 0x000000ea, 0x00000000, 0x00000000, 0x00 }
62         }
63 };
64
65 static struct bt_sock_list hci_sk_list = {
66         .lock = __RW_LOCK_UNLOCKED(hci_sk_list.lock)
67 };
68
69 /* Send frame to RAW socket */
70 void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
71 {
72         struct sock *sk;
73         struct hlist_node *node;
74         struct sk_buff *skb_copy = NULL;
75
76         BT_DBG("hdev %p len %d", hdev, skb->len);
77
78         read_lock(&hci_sk_list.lock);
79
80         sk_for_each(sk, node, &hci_sk_list.head) {
81                 struct hci_filter *flt;
82                 struct sk_buff *nskb;
83
84                 if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
85                         continue;
86
87                 /* Don't send frame to the socket it came from */
88                 if (skb->sk == sk)
89                         continue;
90
91                 if (hci_pi(sk)->channel != HCI_CHANNEL_RAW)
92                         continue;
93
94                 /* Apply filter */
95                 flt = &hci_pi(sk)->filter;
96
97                 if (!test_bit((bt_cb(skb)->pkt_type == HCI_VENDOR_PKT) ?
98                               0 : (bt_cb(skb)->pkt_type & HCI_FLT_TYPE_BITS),
99                               &flt->type_mask))
100                         continue;
101
102                 if (bt_cb(skb)->pkt_type == HCI_EVENT_PKT) {
103                         int evt = (*(__u8 *)skb->data & HCI_FLT_EVENT_BITS);
104
105                         if (!hci_test_bit(evt, &flt->event_mask))
106                                 continue;
107
108                         if (flt->opcode &&
109                             ((evt == HCI_EV_CMD_COMPLETE &&
110                               flt->opcode !=
111                               get_unaligned((__le16 *)(skb->data + 3))) ||
112                              (evt == HCI_EV_CMD_STATUS &&
113                               flt->opcode !=
114                               get_unaligned((__le16 *)(skb->data + 4)))))
115                                 continue;
116                 }
117
118                 if (!skb_copy) {
119                         /* Create a private copy with headroom */
120                         skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC);
121                         if (!skb_copy)
122                                 continue;
123
124                         /* Put type byte before the data */
125                         memcpy(skb_push(skb_copy, 1), &bt_cb(skb)->pkt_type, 1);
126                 }
127
128                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
129                 if (!nskb)
130                         continue;
131
132                 if (sock_queue_rcv_skb(sk, nskb))
133                         kfree_skb(nskb);
134         }
135
136         read_unlock(&hci_sk_list.lock);
137
138         kfree_skb(skb_copy);
139 }
140
141 /* Send frame to control socket */
142 void hci_send_to_control(struct sk_buff *skb, struct sock *skip_sk)
143 {
144         struct sock *sk;
145         struct hlist_node *node;
146
147         BT_DBG("len %d", skb->len);
148
149         read_lock(&hci_sk_list.lock);
150
151         sk_for_each(sk, node, &hci_sk_list.head) {
152                 struct sk_buff *nskb;
153
154                 /* Skip the original socket */
155                 if (sk == skip_sk)
156                         continue;
157
158                 if (sk->sk_state != BT_BOUND)
159                         continue;
160
161                 if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL)
162                         continue;
163
164                 nskb = skb_clone(skb, GFP_ATOMIC);
165                 if (!nskb)
166                         continue;
167
168                 if (sock_queue_rcv_skb(sk, nskb))
169                         kfree_skb(nskb);
170         }
171
172         read_unlock(&hci_sk_list.lock);
173 }
174
175 /* Send frame to monitor socket */
176 void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
177 {
178         struct sock *sk;
179         struct hlist_node *node;
180         struct sk_buff *skb_copy = NULL;
181         __le16 opcode;
182
183         if (!atomic_read(&monitor_promisc))
184                 return;
185
186         BT_DBG("hdev %p len %d", hdev, skb->len);
187
188         switch (bt_cb(skb)->pkt_type) {
189         case HCI_COMMAND_PKT:
190                 opcode = __constant_cpu_to_le16(HCI_MON_COMMAND_PKT);
191                 break;
192         case HCI_EVENT_PKT:
193                 opcode = __constant_cpu_to_le16(HCI_MON_EVENT_PKT);
194                 break;
195         case HCI_ACLDATA_PKT:
196                 if (bt_cb(skb)->incoming)
197                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_RX_PKT);
198                 else
199                         opcode = __constant_cpu_to_le16(HCI_MON_ACL_TX_PKT);
200                 break;
201         case HCI_SCODATA_PKT:
202                 if (bt_cb(skb)->incoming)
203                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_RX_PKT);
204                 else
205                         opcode = __constant_cpu_to_le16(HCI_MON_SCO_TX_PKT);
206                 break;
207         default:
208                 return;
209         }
210
211         read_lock(&hci_sk_list.lock);
212
213         sk_for_each(sk, node, &hci_sk_list.head) {
214                 struct sk_buff *nskb;
215
216                 if (sk->sk_state != BT_BOUND)
217                         continue;
218
219                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
220                         continue;
221
222                 if (!skb_copy) {
223                         struct hci_mon_hdr *hdr;
224
225                         /* Create a private copy with headroom */
226                         skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE,
227                                                GFP_ATOMIC);
228                         if (!skb_copy)
229                                 continue;
230
231                         /* Put header before the data */
232                         hdr = (void *) skb_push(skb_copy, HCI_MON_HDR_SIZE);
233                         hdr->opcode = opcode;
234                         hdr->index = cpu_to_le16(hdev->id);
235                         hdr->len = cpu_to_le16(skb->len);
236                 }
237
238                 nskb = skb_clone(skb_copy, GFP_ATOMIC);
239                 if (!nskb)
240                         continue;
241
242                 if (sock_queue_rcv_skb(sk, nskb))
243                         kfree_skb(nskb);
244         }
245
246         read_unlock(&hci_sk_list.lock);
247
248         kfree_skb(skb_copy);
249 }
250
251 static void send_monitor_event(struct sk_buff *skb)
252 {
253         struct sock *sk;
254         struct hlist_node *node;
255
256         BT_DBG("len %d", skb->len);
257
258         read_lock(&hci_sk_list.lock);
259
260         sk_for_each(sk, node, &hci_sk_list.head) {
261                 struct sk_buff *nskb;
262
263                 if (sk->sk_state != BT_BOUND)
264                         continue;
265
266                 if (hci_pi(sk)->channel != HCI_CHANNEL_MONITOR)
267                         continue;
268
269                 nskb = skb_clone(skb, GFP_ATOMIC);
270                 if (!nskb)
271                         continue;
272
273                 if (sock_queue_rcv_skb(sk, nskb))
274                         kfree_skb(nskb);
275         }
276
277         read_unlock(&hci_sk_list.lock);
278 }
279
280 static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)
281 {
282         struct hci_mon_hdr *hdr;
283         struct hci_mon_new_index *ni;
284         struct sk_buff *skb;
285         __le16 opcode;
286
287         switch (event) {
288         case HCI_DEV_REG:
289                 skb = bt_skb_alloc(HCI_MON_NEW_INDEX_SIZE, GFP_ATOMIC);
290                 if (!skb)
291                         return NULL;
292
293                 ni = (void *) skb_put(skb, HCI_MON_NEW_INDEX_SIZE);
294                 ni->type = hdev->dev_type;
295                 ni->bus = hdev->bus;
296                 bacpy(&ni->bdaddr, &hdev->bdaddr);
297                 memcpy(ni->name, hdev->name, 8);
298
299                 opcode = __constant_cpu_to_le16(HCI_MON_NEW_INDEX);
300                 break;
301
302         case HCI_DEV_UNREG:
303                 skb = bt_skb_alloc(0, GFP_ATOMIC);
304                 if (!skb)
305                         return NULL;
306
307                 opcode = __constant_cpu_to_le16(HCI_MON_DEL_INDEX);
308                 break;
309
310         default:
311                 return NULL;
312         }
313
314         __net_timestamp(skb);
315
316         hdr = (void *) skb_push(skb, HCI_MON_HDR_SIZE);
317         hdr->opcode = opcode;
318         hdr->index = cpu_to_le16(hdev->id);
319         hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE);
320
321         return skb;
322 }
323
324 static void send_monitor_replay(struct sock *sk)
325 {
326         struct hci_dev *hdev;
327
328         read_lock(&hci_dev_list_lock);
329
330         list_for_each_entry(hdev, &hci_dev_list, list) {
331                 struct sk_buff *skb;
332
333                 skb = create_monitor_event(hdev, HCI_DEV_REG);
334                 if (!skb)
335                         continue;
336
337                 if (sock_queue_rcv_skb(sk, skb))
338                         kfree_skb(skb);
339         }
340
341         read_unlock(&hci_dev_list_lock);
342 }
343
344 /* Generate internal stack event */
345 static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
346 {
347         struct hci_event_hdr *hdr;
348         struct hci_ev_stack_internal *ev;
349         struct sk_buff *skb;
350
351         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
352         if (!skb)
353                 return;
354
355         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
356         hdr->evt  = HCI_EV_STACK_INTERNAL;
357         hdr->plen = sizeof(*ev) + dlen;
358
359         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
360         ev->type = type;
361         memcpy(ev->data, data, dlen);
362
363         bt_cb(skb)->incoming = 1;
364         __net_timestamp(skb);
365
366         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
367         skb->dev = (void *) hdev;
368         hci_send_to_sock(hdev, skb);
369         kfree_skb(skb);
370 }
371
372 void hci_sock_dev_event(struct hci_dev *hdev, int event)
373 {
374         struct hci_ev_si_device ev;
375
376         BT_DBG("hdev %s event %d", hdev->name, event);
377
378         /* Send event to monitor */
379         if (atomic_read(&monitor_promisc)) {
380                 struct sk_buff *skb;
381
382                 skb = create_monitor_event(hdev, event);
383                 if (skb) {
384                         send_monitor_event(skb);
385                         kfree_skb(skb);
386                 }
387         }
388
389         /* Send event to sockets */
390         ev.event  = event;
391         ev.dev_id = hdev->id;
392         hci_si_event(NULL, HCI_EV_SI_DEVICE, sizeof(ev), &ev);
393
394         if (event == HCI_DEV_UNREG) {
395                 struct sock *sk;
396                 struct hlist_node *node;
397
398                 /* Detach sockets from device */
399                 read_lock(&hci_sk_list.lock);
400                 sk_for_each(sk, node, &hci_sk_list.head) {
401                         bh_lock_sock_nested(sk);
402                         if (hci_pi(sk)->hdev == hdev) {
403                                 hci_pi(sk)->hdev = NULL;
404                                 sk->sk_err = EPIPE;
405                                 sk->sk_state = BT_OPEN;
406                                 sk->sk_state_change(sk);
407
408                                 hci_dev_put(hdev);
409                         }
410                         bh_unlock_sock(sk);
411                 }
412                 read_unlock(&hci_sk_list.lock);
413         }
414 }
415
416 static int hci_sock_release(struct socket *sock)
417 {
418         struct sock *sk = sock->sk;
419         struct hci_dev *hdev;
420
421         BT_DBG("sock %p sk %p", sock, sk);
422
423         if (!sk)
424                 return 0;
425
426         hdev = hci_pi(sk)->hdev;
427
428         if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR)
429                 atomic_dec(&monitor_promisc);
430
431         bt_sock_unlink(&hci_sk_list, sk);
432
433         if (hdev) {
434                 atomic_dec(&hdev->promisc);
435                 hci_dev_put(hdev);
436         }
437
438         sock_orphan(sk);
439
440         skb_queue_purge(&sk->sk_receive_queue);
441         skb_queue_purge(&sk->sk_write_queue);
442
443         sock_put(sk);
444         return 0;
445 }
446
447 static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
448 {
449         bdaddr_t bdaddr;
450         int err;
451
452         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
453                 return -EFAULT;
454
455         hci_dev_lock(hdev);
456
457         err = hci_blacklist_add(hdev, &bdaddr, 0);
458
459         hci_dev_unlock(hdev);
460
461         return err;
462 }
463
464 static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
465 {
466         bdaddr_t bdaddr;
467         int err;
468
469         if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
470                 return -EFAULT;
471
472         hci_dev_lock(hdev);
473
474         err = hci_blacklist_del(hdev, &bdaddr, 0);
475
476         hci_dev_unlock(hdev);
477
478         return err;
479 }
480
481 /* Ioctls that require bound socket */
482 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
483                                 unsigned long arg)
484 {
485         struct hci_dev *hdev = hci_pi(sk)->hdev;
486
487         if (!hdev)
488                 return -EBADFD;
489
490         switch (cmd) {
491         case HCISETRAW:
492                 if (!capable(CAP_NET_ADMIN))
493                         return -EACCES;
494
495                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
496                         return -EPERM;
497
498                 if (arg)
499                         set_bit(HCI_RAW, &hdev->flags);
500                 else
501                         clear_bit(HCI_RAW, &hdev->flags);
502
503                 return 0;
504
505         case HCIGETCONNINFO:
506                 return hci_get_conn_info(hdev, (void __user *) arg);
507
508         case HCIGETAUTHINFO:
509                 return hci_get_auth_info(hdev, (void __user *) arg);
510
511         case HCIBLOCKADDR:
512                 if (!capable(CAP_NET_ADMIN))
513                         return -EACCES;
514                 return hci_sock_blacklist_add(hdev, (void __user *) arg);
515
516         case HCIUNBLOCKADDR:
517                 if (!capable(CAP_NET_ADMIN))
518                         return -EACCES;
519                 return hci_sock_blacklist_del(hdev, (void __user *) arg);
520
521         default:
522                 if (hdev->ioctl)
523                         return hdev->ioctl(hdev, cmd, arg);
524                 return -EINVAL;
525         }
526 }
527
528 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
529                           unsigned long arg)
530 {
531         struct sock *sk = sock->sk;
532         void __user *argp = (void __user *) arg;
533         int err;
534
535         BT_DBG("cmd %x arg %lx", cmd, arg);
536
537         switch (cmd) {
538         case HCIGETDEVLIST:
539                 return hci_get_dev_list(argp);
540
541         case HCIGETDEVINFO:
542                 return hci_get_dev_info(argp);
543
544         case HCIGETCONNLIST:
545                 return hci_get_conn_list(argp);
546
547         case HCIDEVUP:
548                 if (!capable(CAP_NET_ADMIN))
549                         return -EACCES;
550                 return hci_dev_open(arg);
551
552         case HCIDEVDOWN:
553                 if (!capable(CAP_NET_ADMIN))
554                         return -EACCES;
555                 return hci_dev_close(arg);
556
557         case HCIDEVRESET:
558                 if (!capable(CAP_NET_ADMIN))
559                         return -EACCES;
560                 return hci_dev_reset(arg);
561
562         case HCIDEVRESTAT:
563                 if (!capable(CAP_NET_ADMIN))
564                         return -EACCES;
565                 return hci_dev_reset_stat(arg);
566
567         case HCISETSCAN:
568         case HCISETAUTH:
569         case HCISETENCRYPT:
570         case HCISETPTYPE:
571         case HCISETLINKPOL:
572         case HCISETLINKMODE:
573         case HCISETACLMTU:
574         case HCISETSCOMTU:
575                 if (!capable(CAP_NET_ADMIN))
576                         return -EACCES;
577                 return hci_dev_cmd(cmd, argp);
578
579         case HCIINQUIRY:
580                 return hci_inquiry(argp);
581
582         default:
583                 lock_sock(sk);
584                 err = hci_sock_bound_ioctl(sk, cmd, arg);
585                 release_sock(sk);
586                 return err;
587         }
588 }
589
590 static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
591                          int addr_len)
592 {
593         struct sockaddr_hci haddr;
594         struct sock *sk = sock->sk;
595         struct hci_dev *hdev = NULL;
596         int len, err = 0;
597
598         BT_DBG("sock %p sk %p", sock, sk);
599
600         if (!addr)
601                 return -EINVAL;
602
603         memset(&haddr, 0, sizeof(haddr));
604         len = min_t(unsigned int, sizeof(haddr), addr_len);
605         memcpy(&haddr, addr, len);
606
607         if (haddr.hci_family != AF_BLUETOOTH)
608                 return -EINVAL;
609
610         lock_sock(sk);
611
612         if (sk->sk_state == BT_BOUND) {
613                 err = -EALREADY;
614                 goto done;
615         }
616
617         switch (haddr.hci_channel) {
618         case HCI_CHANNEL_RAW:
619                 if (hci_pi(sk)->hdev) {
620                         err = -EALREADY;
621                         goto done;
622                 }
623
624                 if (haddr.hci_dev != HCI_DEV_NONE) {
625                         hdev = hci_dev_get(haddr.hci_dev);
626                         if (!hdev) {
627                                 err = -ENODEV;
628                                 goto done;
629                         }
630
631                         atomic_inc(&hdev->promisc);
632                 }
633
634                 hci_pi(sk)->hdev = hdev;
635                 break;
636
637         case HCI_CHANNEL_CONTROL:
638                 if (haddr.hci_dev != HCI_DEV_NONE) {
639                         err = -EINVAL;
640                         goto done;
641                 }
642
643                 if (!capable(CAP_NET_ADMIN)) {
644                         err = -EPERM;
645                         goto done;
646                 }
647
648                 break;
649
650         case HCI_CHANNEL_MONITOR:
651                 if (haddr.hci_dev != HCI_DEV_NONE) {
652                         err = -EINVAL;
653                         goto done;
654                 }
655
656                 if (!capable(CAP_NET_RAW)) {
657                         err = -EPERM;
658                         goto done;
659                 }
660
661                 send_monitor_replay(sk);
662
663                 atomic_inc(&monitor_promisc);
664                 break;
665
666         default:
667                 err = -EINVAL;
668                 goto done;
669         }
670
671
672         hci_pi(sk)->channel = haddr.hci_channel;
673         sk->sk_state = BT_BOUND;
674
675 done:
676         release_sock(sk);
677         return err;
678 }
679
680 static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
681                             int *addr_len, int peer)
682 {
683         struct sockaddr_hci *haddr = (struct sockaddr_hci *) addr;
684         struct sock *sk = sock->sk;
685         struct hci_dev *hdev = hci_pi(sk)->hdev;
686
687         BT_DBG("sock %p sk %p", sock, sk);
688
689         if (!hdev)
690                 return -EBADFD;
691
692         lock_sock(sk);
693
694         *addr_len = sizeof(*haddr);
695         haddr->hci_family = AF_BLUETOOTH;
696         haddr->hci_dev    = hdev->id;
697
698         release_sock(sk);
699         return 0;
700 }
701
702 static void hci_sock_cmsg(struct sock *sk, struct msghdr *msg,
703                           struct sk_buff *skb)
704 {
705         __u32 mask = hci_pi(sk)->cmsg_mask;
706
707         if (mask & HCI_CMSG_DIR) {
708                 int incoming = bt_cb(skb)->incoming;
709                 put_cmsg(msg, SOL_HCI, HCI_CMSG_DIR, sizeof(incoming),
710                          &incoming);
711         }
712
713         if (mask & HCI_CMSG_TSTAMP) {
714 #ifdef CONFIG_COMPAT
715                 struct compat_timeval ctv;
716 #endif
717                 struct timeval tv;
718                 void *data;
719                 int len;
720
721                 skb_get_timestamp(skb, &tv);
722
723                 data = &tv;
724                 len = sizeof(tv);
725 #ifdef CONFIG_COMPAT
726                 if (!COMPAT_USE_64BIT_TIME &&
727                     (msg->msg_flags & MSG_CMSG_COMPAT)) {
728                         ctv.tv_sec = tv.tv_sec;
729                         ctv.tv_usec = tv.tv_usec;
730                         data = &ctv;
731                         len = sizeof(ctv);
732                 }
733 #endif
734
735                 put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
736         }
737 }
738
739 static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
740                             struct msghdr *msg, size_t len, int flags)
741 {
742         int noblock = flags & MSG_DONTWAIT;
743         struct sock *sk = sock->sk;
744         struct sk_buff *skb;
745         int copied, err;
746
747         BT_DBG("sock %p, sk %p", sock, sk);
748
749         if (flags & (MSG_OOB))
750                 return -EOPNOTSUPP;
751
752         if (sk->sk_state == BT_CLOSED)
753                 return 0;
754
755         skb = skb_recv_datagram(sk, flags, noblock, &err);
756         if (!skb)
757                 return err;
758
759         msg->msg_namelen = 0;
760
761         copied = skb->len;
762         if (len < copied) {
763                 msg->msg_flags |= MSG_TRUNC;
764                 copied = len;
765         }
766
767         skb_reset_transport_header(skb);
768         err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
769
770         switch (hci_pi(sk)->channel) {
771         case HCI_CHANNEL_RAW:
772                 hci_sock_cmsg(sk, msg, skb);
773                 break;
774         case HCI_CHANNEL_CONTROL:
775         case HCI_CHANNEL_MONITOR:
776                 sock_recv_timestamp(msg, sk, skb);
777                 break;
778         }
779
780         skb_free_datagram(sk, skb);
781
782         return err ? : copied;
783 }
784
785 static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
786                             struct msghdr *msg, size_t len)
787 {
788         struct sock *sk = sock->sk;
789         struct hci_dev *hdev;
790         struct sk_buff *skb;
791         int err;
792
793         BT_DBG("sock %p sk %p", sock, sk);
794
795         if (msg->msg_flags & MSG_OOB)
796                 return -EOPNOTSUPP;
797
798         if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
799                 return -EINVAL;
800
801         if (len < 4 || len > HCI_MAX_FRAME_SIZE)
802                 return -EINVAL;
803
804         lock_sock(sk);
805
806         switch (hci_pi(sk)->channel) {
807         case HCI_CHANNEL_RAW:
808                 break;
809         case HCI_CHANNEL_CONTROL:
810                 err = mgmt_control(sk, msg, len);
811                 goto done;
812         case HCI_CHANNEL_MONITOR:
813                 err = -EOPNOTSUPP;
814                 goto done;
815         default:
816                 err = -EINVAL;
817                 goto done;
818         }
819
820         hdev = hci_pi(sk)->hdev;
821         if (!hdev) {
822                 err = -EBADFD;
823                 goto done;
824         }
825
826         if (!test_bit(HCI_UP, &hdev->flags)) {
827                 err = -ENETDOWN;
828                 goto done;
829         }
830
831         skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
832         if (!skb)
833                 goto done;
834
835         if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
836                 err = -EFAULT;
837                 goto drop;
838         }
839
840         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
841         skb_pull(skb, 1);
842         skb->dev = (void *) hdev;
843
844         if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
845                 u16 opcode = get_unaligned_le16(skb->data);
846                 u16 ogf = hci_opcode_ogf(opcode);
847                 u16 ocf = hci_opcode_ocf(opcode);
848
849                 if (((ogf > HCI_SFLT_MAX_OGF) ||
850                      !hci_test_bit(ocf & HCI_FLT_OCF_BITS,
851                                    &hci_sec_filter.ocf_mask[ogf])) &&
852                     !capable(CAP_NET_RAW)) {
853                         err = -EPERM;
854                         goto drop;
855                 }
856
857                 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
858                         skb_queue_tail(&hdev->raw_q, skb);
859                         queue_work(hdev->workqueue, &hdev->tx_work);
860                 } else {
861                         skb_queue_tail(&hdev->cmd_q, skb);
862                         queue_work(hdev->workqueue, &hdev->cmd_work);
863                 }
864         } else {
865                 if (!capable(CAP_NET_RAW)) {
866                         err = -EPERM;
867                         goto drop;
868                 }
869
870                 skb_queue_tail(&hdev->raw_q, skb);
871                 queue_work(hdev->workqueue, &hdev->tx_work);
872         }
873
874         err = len;
875
876 done:
877         release_sock(sk);
878         return err;
879
880 drop:
881         kfree_skb(skb);
882         goto done;
883 }
884
885 static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
886                                char __user *optval, unsigned int len)
887 {
888         struct hci_ufilter uf = { .opcode = 0 };
889         struct sock *sk = sock->sk;
890         int err = 0, opt = 0;
891
892         BT_DBG("sk %p, opt %d", sk, optname);
893
894         lock_sock(sk);
895
896         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
897                 err = -EINVAL;
898                 goto done;
899         }
900
901         switch (optname) {
902         case HCI_DATA_DIR:
903                 if (get_user(opt, (int __user *)optval)) {
904                         err = -EFAULT;
905                         break;
906                 }
907
908                 if (opt)
909                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
910                 else
911                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_DIR;
912                 break;
913
914         case HCI_TIME_STAMP:
915                 if (get_user(opt, (int __user *)optval)) {
916                         err = -EFAULT;
917                         break;
918                 }
919
920                 if (opt)
921                         hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
922                 else
923                         hci_pi(sk)->cmsg_mask &= ~HCI_CMSG_TSTAMP;
924                 break;
925
926         case HCI_FILTER:
927                 {
928                         struct hci_filter *f = &hci_pi(sk)->filter;
929
930                         uf.type_mask = f->type_mask;
931                         uf.opcode    = f->opcode;
932                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
933                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
934                 }
935
936                 len = min_t(unsigned int, len, sizeof(uf));
937                 if (copy_from_user(&uf, optval, len)) {
938                         err = -EFAULT;
939                         break;
940                 }
941
942                 if (!capable(CAP_NET_RAW)) {
943                         uf.type_mask &= hci_sec_filter.type_mask;
944                         uf.event_mask[0] &= *((u32 *) hci_sec_filter.event_mask + 0);
945                         uf.event_mask[1] &= *((u32 *) hci_sec_filter.event_mask + 1);
946                 }
947
948                 {
949                         struct hci_filter *f = &hci_pi(sk)->filter;
950
951                         f->type_mask = uf.type_mask;
952                         f->opcode    = uf.opcode;
953                         *((u32 *) f->event_mask + 0) = uf.event_mask[0];
954                         *((u32 *) f->event_mask + 1) = uf.event_mask[1];
955                 }
956                 break;
957
958         default:
959                 err = -ENOPROTOOPT;
960                 break;
961         }
962
963 done:
964         release_sock(sk);
965         return err;
966 }
967
968 static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
969                                char __user *optval, int __user *optlen)
970 {
971         struct hci_ufilter uf;
972         struct sock *sk = sock->sk;
973         int len, opt, err = 0;
974
975         BT_DBG("sk %p, opt %d", sk, optname);
976
977         if (get_user(len, optlen))
978                 return -EFAULT;
979
980         lock_sock(sk);
981
982         if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
983                 err = -EINVAL;
984                 goto done;
985         }
986
987         switch (optname) {
988         case HCI_DATA_DIR:
989                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_DIR)
990                         opt = 1;
991                 else
992                         opt = 0;
993
994                 if (put_user(opt, optval))
995                         err = -EFAULT;
996                 break;
997
998         case HCI_TIME_STAMP:
999                 if (hci_pi(sk)->cmsg_mask & HCI_CMSG_TSTAMP)
1000                         opt = 1;
1001                 else
1002                         opt = 0;
1003
1004                 if (put_user(opt, optval))
1005                         err = -EFAULT;
1006                 break;
1007
1008         case HCI_FILTER:
1009                 {
1010                         struct hci_filter *f = &hci_pi(sk)->filter;
1011
1012                         memset(&uf, 0, sizeof(uf));
1013                         uf.type_mask = f->type_mask;
1014                         uf.opcode    = f->opcode;
1015                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
1016                         uf.event_mask[1] = *((u32 *) f->event_mask + 1);
1017                 }
1018
1019                 len = min_t(unsigned int, len, sizeof(uf));
1020                 if (copy_to_user(optval, &uf, len))
1021                         err = -EFAULT;
1022                 break;
1023
1024         default:
1025                 err = -ENOPROTOOPT;
1026                 break;
1027         }
1028
1029 done:
1030         release_sock(sk);
1031         return err;
1032 }
1033
1034 static const struct proto_ops hci_sock_ops = {
1035         .family         = PF_BLUETOOTH,
1036         .owner          = THIS_MODULE,
1037         .release        = hci_sock_release,
1038         .bind           = hci_sock_bind,
1039         .getname        = hci_sock_getname,
1040         .sendmsg        = hci_sock_sendmsg,
1041         .recvmsg        = hci_sock_recvmsg,
1042         .ioctl          = hci_sock_ioctl,
1043         .poll           = datagram_poll,
1044         .listen         = sock_no_listen,
1045         .shutdown       = sock_no_shutdown,
1046         .setsockopt     = hci_sock_setsockopt,
1047         .getsockopt     = hci_sock_getsockopt,
1048         .connect        = sock_no_connect,
1049         .socketpair     = sock_no_socketpair,
1050         .accept         = sock_no_accept,
1051         .mmap           = sock_no_mmap
1052 };
1053
1054 static struct proto hci_sk_proto = {
1055         .name           = "HCI",
1056         .owner          = THIS_MODULE,
1057         .obj_size       = sizeof(struct hci_pinfo)
1058 };
1059
1060 static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
1061                            int kern)
1062 {
1063         struct sock *sk;
1064
1065         BT_DBG("sock %p", sock);
1066
1067         if (sock->type != SOCK_RAW)
1068                 return -ESOCKTNOSUPPORT;
1069
1070         sock->ops = &hci_sock_ops;
1071
1072         sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto);
1073         if (!sk)
1074                 return -ENOMEM;
1075
1076         sock_init_data(sock, sk);
1077
1078         sock_reset_flag(sk, SOCK_ZAPPED);
1079
1080         sk->sk_protocol = protocol;
1081
1082         sock->state = SS_UNCONNECTED;
1083         sk->sk_state = BT_OPEN;
1084
1085         bt_sock_link(&hci_sk_list, sk);
1086         return 0;
1087 }
1088
1089 static const struct net_proto_family hci_sock_family_ops = {
1090         .family = PF_BLUETOOTH,
1091         .owner  = THIS_MODULE,
1092         .create = hci_sock_create,
1093 };
1094
1095 int __init hci_sock_init(void)
1096 {
1097         int err;
1098
1099         err = proto_register(&hci_sk_proto, 0);
1100         if (err < 0)
1101                 return err;
1102
1103         err = bt_sock_register(BTPROTO_HCI, &hci_sock_family_ops);
1104         if (err < 0)
1105                 goto error;
1106
1107         BT_INFO("HCI socket layer initialized");
1108
1109         return 0;
1110
1111 error:
1112         BT_ERR("HCI socket registration failed");
1113         proto_unregister(&hci_sk_proto);
1114         return err;
1115 }
1116
1117 void hci_sock_cleanup(void)
1118 {
1119         if (bt_sock_unregister(BTPROTO_HCI) < 0)
1120                 BT_ERR("HCI socket unregistration failed");
1121
1122         proto_unregister(&hci_sk_proto);
1123 }