diff options
Diffstat (limited to 'net/bluetooth/hci_sock.c')
| -rw-r--r-- | net/bluetooth/hci_sock.c | 396 | 
1 files changed, 388 insertions, 8 deletions
| diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 96f04b7b9556..48f9471e7c85 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -26,6 +26,7 @@  #include <linux/export.h>  #include <linux/utsname.h> +#include <linux/sched.h>  #include <asm/unaligned.h>  #include <net/bluetooth/bluetooth.h> @@ -38,6 +39,8 @@  static LIST_HEAD(mgmt_chan_list);  static DEFINE_MUTEX(mgmt_chan_list_lock); +static DEFINE_IDA(sock_cookie_ida); +  static atomic_t monitor_promisc = ATOMIC_INIT(0);  /* ----- HCI socket interface ----- */ @@ -52,6 +55,8 @@ struct hci_pinfo {  	__u32             cmsg_mask;  	unsigned short    channel;  	unsigned long     flags; +	__u32             cookie; +	char              comm[TASK_COMM_LEN];  };  void hci_sock_set_flag(struct sock *sk, int nr) @@ -74,6 +79,38 @@ unsigned short hci_sock_get_channel(struct sock *sk)  	return hci_pi(sk)->channel;  } +u32 hci_sock_get_cookie(struct sock *sk) +{ +	return hci_pi(sk)->cookie; +} + +static bool hci_sock_gen_cookie(struct sock *sk) +{ +	int id = hci_pi(sk)->cookie; + +	if (!id) { +		id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL); +		if (id < 0) +			id = 0xffffffff; + +		hci_pi(sk)->cookie = id; +		get_task_comm(hci_pi(sk)->comm, current); +		return true; +	} + +	return false; +} + +static void hci_sock_free_cookie(struct sock *sk) +{ +	int id = hci_pi(sk)->cookie; + +	if (id) { +		hci_pi(sk)->cookie = 0xffffffff; +		ida_simple_remove(&sock_cookie_ida, id); +	} +} +  static inline int hci_test_bit(int nr, const void *addr)  {  	return *((const __u32 *) addr + (nr >> 5)) & ((__u32) 1 << (nr & 31)); @@ -305,6 +342,60 @@ void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)  	kfree_skb(skb_copy);  } +void hci_send_monitor_ctrl_event(struct hci_dev *hdev, u16 event, +				 void *data, u16 data_len, ktime_t tstamp, +				 int flag, struct sock *skip_sk) +{ +	struct sock *sk; +	__le16 index; + +	if (hdev) +		index = cpu_to_le16(hdev->id); +	else +		index = cpu_to_le16(MGMT_INDEX_NONE); + +	read_lock(&hci_sk_list.lock); + +	sk_for_each(sk, &hci_sk_list.head) { +		struct hci_mon_hdr *hdr; +		struct sk_buff *skb; + +		if (hci_pi(sk)->channel != HCI_CHANNEL_CONTROL) +			continue; + +		/* Ignore socket without the flag set */ +		if (!hci_sock_test_flag(sk, flag)) +			continue; + +		/* Skip the original socket */ +		if (sk == skip_sk) +			continue; + +		skb = bt_skb_alloc(6 + data_len, GFP_ATOMIC); +		if (!skb) +			continue; + +		put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); +		put_unaligned_le16(event, skb_put(skb, 2)); + +		if (data) +			memcpy(skb_put(skb, data_len), data, data_len); + +		skb->tstamp = tstamp; + +		hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); +		hdr->opcode = cpu_to_le16(HCI_MON_CTRL_EVENT); +		hdr->index = index; +		hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); + +		hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +				    HCI_SOCK_TRUSTED, NULL); +		kfree_skb(skb); +	} + +	read_unlock(&hci_sk_list.lock); +} +  static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)  {  	struct hci_mon_hdr *hdr; @@ -384,6 +475,129 @@ static struct sk_buff *create_monitor_event(struct hci_dev *hdev, int event)  	return skb;  } +static struct sk_buff *create_monitor_ctrl_open(struct sock *sk) +{ +	struct hci_mon_hdr *hdr; +	struct sk_buff *skb; +	u16 format; +	u8 ver[3]; +	u32 flags; + +	/* No message needed when cookie is not present */ +	if (!hci_pi(sk)->cookie) +		return NULL; + +	switch (hci_pi(sk)->channel) { +	case HCI_CHANNEL_RAW: +		format = 0x0000; +		ver[0] = BT_SUBSYS_VERSION; +		put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); +		break; +	case HCI_CHANNEL_USER: +		format = 0x0001; +		ver[0] = BT_SUBSYS_VERSION; +		put_unaligned_le16(BT_SUBSYS_REVISION, ver + 1); +		break; +	case HCI_CHANNEL_CONTROL: +		format = 0x0002; +		mgmt_fill_version_info(ver); +		break; +	default: +		/* No message for unsupported format */ +		return NULL; +	} + +	skb = bt_skb_alloc(14 + TASK_COMM_LEN , GFP_ATOMIC); +	if (!skb) +		return NULL; + +	flags = hci_sock_test_flag(sk, HCI_SOCK_TRUSTED) ? 0x1 : 0x0; + +	put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); +	put_unaligned_le16(format, skb_put(skb, 2)); +	memcpy(skb_put(skb, sizeof(ver)), ver, sizeof(ver)); +	put_unaligned_le32(flags, skb_put(skb, 4)); +	*skb_put(skb, 1) = TASK_COMM_LEN; +	memcpy(skb_put(skb, TASK_COMM_LEN), hci_pi(sk)->comm, TASK_COMM_LEN); + +	__net_timestamp(skb); + +	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); +	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_OPEN); +	if (hci_pi(sk)->hdev) +		hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); +	else +		hdr->index = cpu_to_le16(HCI_DEV_NONE); +	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); + +	return skb; +} + +static struct sk_buff *create_monitor_ctrl_close(struct sock *sk) +{ +	struct hci_mon_hdr *hdr; +	struct sk_buff *skb; + +	/* No message needed when cookie is not present */ +	if (!hci_pi(sk)->cookie) +		return NULL; + +	switch (hci_pi(sk)->channel) { +	case HCI_CHANNEL_RAW: +	case HCI_CHANNEL_USER: +	case HCI_CHANNEL_CONTROL: +		break; +	default: +		/* No message for unsupported format */ +		return NULL; +	} + +	skb = bt_skb_alloc(4, GFP_ATOMIC); +	if (!skb) +		return NULL; + +	put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); + +	__net_timestamp(skb); + +	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); +	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_CLOSE); +	if (hci_pi(sk)->hdev) +		hdr->index = cpu_to_le16(hci_pi(sk)->hdev->id); +	else +		hdr->index = cpu_to_le16(HCI_DEV_NONE); +	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); + +	return skb; +} + +static struct sk_buff *create_monitor_ctrl_command(struct sock *sk, u16 index, +						   u16 opcode, u16 len, +						   const void *buf) +{ +	struct hci_mon_hdr *hdr; +	struct sk_buff *skb; + +	skb = bt_skb_alloc(6 + len, GFP_ATOMIC); +	if (!skb) +		return NULL; + +	put_unaligned_le32(hci_pi(sk)->cookie, skb_put(skb, 4)); +	put_unaligned_le16(opcode, skb_put(skb, 2)); + +	if (buf) +		memcpy(skb_put(skb, len), buf, len); + +	__net_timestamp(skb); + +	hdr = (void *)skb_push(skb, HCI_MON_HDR_SIZE); +	hdr->opcode = cpu_to_le16(HCI_MON_CTRL_COMMAND); +	hdr->index = cpu_to_le16(index); +	hdr->len = cpu_to_le16(skb->len - HCI_MON_HDR_SIZE); + +	return skb; +} +  static void __printf(2, 3)  send_monitor_note(struct sock *sk, const char *fmt, ...)  { @@ -458,6 +672,26 @@ static void send_monitor_replay(struct sock *sk)  	read_unlock(&hci_dev_list_lock);  } +static void send_monitor_control_replay(struct sock *mon_sk) +{ +	struct sock *sk; + +	read_lock(&hci_sk_list.lock); + +	sk_for_each(sk, &hci_sk_list.head) { +		struct sk_buff *skb; + +		skb = create_monitor_ctrl_open(sk); +		if (!skb) +			continue; + +		if (sock_queue_rcv_skb(mon_sk, skb)) +			kfree_skb(skb); +	} + +	read_unlock(&hci_sk_list.lock); +} +  /* Generate internal stack event */  static void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)  { @@ -585,6 +819,7 @@ static int hci_sock_release(struct socket *sock)  {  	struct sock *sk = sock->sk;  	struct hci_dev *hdev; +	struct sk_buff *skb;  	BT_DBG("sock %p sk %p", sock, sk); @@ -593,8 +828,24 @@ static int hci_sock_release(struct socket *sock)  	hdev = hci_pi(sk)->hdev; -	if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR) +	switch (hci_pi(sk)->channel) { +	case HCI_CHANNEL_MONITOR:  		atomic_dec(&monitor_promisc); +		break; +	case HCI_CHANNEL_RAW: +	case HCI_CHANNEL_USER: +	case HCI_CHANNEL_CONTROL: +		/* Send event to monitor */ +		skb = create_monitor_ctrl_close(sk); +		if (skb) { +			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +					    HCI_SOCK_TRUSTED, NULL); +			kfree_skb(skb); +		} + +		hci_sock_free_cookie(sk); +		break; +	}  	bt_sock_unlink(&hci_sk_list, sk); @@ -721,6 +972,27 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,  		goto done;  	} +	/* When calling an ioctl on an unbound raw socket, then ensure +	 * that the monitor gets informed. Ensure that the resulting event +	 * is only send once by checking if the cookie exists or not. The +	 * socket cookie will be only ever generated once for the lifetime +	 * of a given socket. +	 */ +	if (hci_sock_gen_cookie(sk)) { +		struct sk_buff *skb; + +		if (capable(CAP_NET_ADMIN)) +			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); + +		/* Send event to monitor */ +		skb = create_monitor_ctrl_open(sk); +		if (skb) { +			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +					    HCI_SOCK_TRUSTED, NULL); +			kfree_skb(skb); +		} +	} +  	release_sock(sk);  	switch (cmd) { @@ -784,6 +1056,7 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  	struct sockaddr_hci haddr;  	struct sock *sk = sock->sk;  	struct hci_dev *hdev = NULL; +	struct sk_buff *skb;  	int len, err = 0;  	BT_DBG("sock %p sk %p", sock, sk); @@ -822,7 +1095,35 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  			atomic_inc(&hdev->promisc);  		} +		hci_pi(sk)->channel = haddr.hci_channel; + +		if (!hci_sock_gen_cookie(sk)) { +			/* In the case when a cookie has already been assigned, +			 * then there has been already an ioctl issued against +			 * an unbound socket and with that triggerd an open +			 * notification. Send a close notification first to +			 * allow the state transition to bounded. +			 */ +			skb = create_monitor_ctrl_close(sk); +			if (skb) { +				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +						    HCI_SOCK_TRUSTED, NULL); +				kfree_skb(skb); +			} +		} + +		if (capable(CAP_NET_ADMIN)) +			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); +  		hci_pi(sk)->hdev = hdev; + +		/* Send event to monitor */ +		skb = create_monitor_ctrl_open(sk); +		if (skb) { +			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +					    HCI_SOCK_TRUSTED, NULL); +			kfree_skb(skb); +		}  		break;  	case HCI_CHANNEL_USER: @@ -884,9 +1185,38 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  			}  		} -		atomic_inc(&hdev->promisc); +		hci_pi(sk)->channel = haddr.hci_channel; + +		if (!hci_sock_gen_cookie(sk)) { +			/* In the case when a cookie has already been assigned, +			 * this socket will transition from a raw socket into +			 * an user channel socket. For a clean transition, send +			 * the close notification first. +			 */ +			skb = create_monitor_ctrl_close(sk); +			if (skb) { +				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +						    HCI_SOCK_TRUSTED, NULL); +				kfree_skb(skb); +			} +		} + +		/* The user channel is restricted to CAP_NET_ADMIN +		 * capabilities and with that implicitly trusted. +		 */ +		hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);  		hci_pi(sk)->hdev = hdev; + +		/* Send event to monitor */ +		skb = create_monitor_ctrl_open(sk); +		if (skb) { +			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +					    HCI_SOCK_TRUSTED, NULL); +			kfree_skb(skb); +		} + +		atomic_inc(&hdev->promisc);  		break;  	case HCI_CHANNEL_MONITOR: @@ -900,6 +1230,8 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  			goto done;  		} +		hci_pi(sk)->channel = haddr.hci_channel; +  		/* The monitor interface is restricted to CAP_NET_RAW  		 * capabilities and with that implicitly trusted.  		 */ @@ -908,9 +1240,10 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  		send_monitor_note(sk, "Linux version %s (%s)",  				  init_utsname()->release,  				  init_utsname()->machine); -		send_monitor_note(sk, "Bluetooth subsystem version %s", -				  BT_SUBSYS_VERSION); +		send_monitor_note(sk, "Bluetooth subsystem version %u.%u", +				  BT_SUBSYS_VERSION, BT_SUBSYS_REVISION);  		send_monitor_replay(sk); +		send_monitor_control_replay(sk);  		atomic_inc(&monitor_promisc);  		break; @@ -925,6 +1258,8 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  			err = -EPERM;  			goto done;  		} + +		hci_pi(sk)->channel = haddr.hci_channel;  		break;  	default: @@ -946,6 +1281,8 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  		if (capable(CAP_NET_ADMIN))  			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); +		hci_pi(sk)->channel = haddr.hci_channel; +  		/* At the moment the index and unconfigured index events  		 * are enabled unconditionally. Setting them on each  		 * socket when binding keeps this functionality. They @@ -956,16 +1293,40 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,  		 * received by untrusted users. Example for such events  		 * are changes to settings, class of device, name etc.  		 */ -		if (haddr.hci_channel == HCI_CHANNEL_CONTROL) { +		if (hci_pi(sk)->channel == HCI_CHANNEL_CONTROL) { +			if (!hci_sock_gen_cookie(sk)) { +				/* In the case when a cookie has already been +				 * assigned, this socket will transtion from +				 * a raw socket into a control socket. To +				 * allow for a clean transtion, send the +				 * close notification first. +				 */ +				skb = create_monitor_ctrl_close(sk); +				if (skb) { +					hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +							    HCI_SOCK_TRUSTED, NULL); +					kfree_skb(skb); +				} +			} + +			/* Send event to monitor */ +			skb = create_monitor_ctrl_open(sk); +			if (skb) { +				hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +						    HCI_SOCK_TRUSTED, NULL); +				kfree_skb(skb); +			} +  			hci_sock_set_flag(sk, HCI_MGMT_INDEX_EVENTS);  			hci_sock_set_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS); -			hci_sock_set_flag(sk, HCI_MGMT_GENERIC_EVENTS); +			hci_sock_set_flag(sk, HCI_MGMT_OPTION_EVENTS); +			hci_sock_set_flag(sk, HCI_MGMT_SETTING_EVENTS); +			hci_sock_set_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS); +			hci_sock_set_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);  		}  		break;  	} - -	hci_pi(sk)->channel = haddr.hci_channel;  	sk->sk_state = BT_BOUND;  done: @@ -1133,6 +1494,19 @@ static int hci_mgmt_cmd(struct hci_mgmt_chan *chan, struct sock *sk,  		goto done;  	} +	if (chan->channel == HCI_CHANNEL_CONTROL) { +		struct sk_buff *skb; + +		/* Send event to monitor */ +		skb = create_monitor_ctrl_command(sk, index, opcode, len, +						  buf + sizeof(*hdr)); +		if (skb) { +			hci_send_to_channel(HCI_CHANNEL_MONITOR, skb, +					    HCI_SOCK_TRUSTED, NULL); +			kfree_skb(skb); +		} +	} +  	if (opcode >= chan->handler_count ||  	    chan->handlers[opcode].func == NULL) {  		BT_DBG("Unknown op %u", opcode); @@ -1440,6 +1814,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,  	BT_DBG("sk %p, opt %d", sk, optname); +	if (level != SOL_HCI) +		return -ENOPROTOOPT; +  	lock_sock(sk);  	if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) { @@ -1523,6 +1900,9 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,  	BT_DBG("sk %p, opt %d", sk, optname); +	if (level != SOL_HCI) +		return -ENOPROTOOPT; +  	if (get_user(len, optlen))  		return -EFAULT; |