1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 *
4
 *  Bluetooth virtual HCI driver
5
 *
6
 *  Copyright (C) 2000-2001  Qualcomm Incorporated
7
 *  Copyright (C) 2002-2003  Maxim Krasnyansky <[email protected]>
8
 *  Copyright (C) 2004-2006  Marcel Holtmann <[email protected]>
9
 */
10

11
#include <linux/module.h>
12
#include <linux/unaligned.h>
13

14
#include <linux/atomic.h>
15
#include <linux/kernel.h>
16
#include <linux/init.h>
17
#include <linux/slab.h>
18
#include <linux/types.h>
19
#include <linux/errno.h>
20
#include <linux/sched.h>
21
#include <linux/poll.h>
22

23
#include <linux/skbuff.h>
24
#include <linux/miscdevice.h>
25
#include <linux/debugfs.h>
26

27
#include <net/bluetooth/bluetooth.h>
28
#include <net/bluetooth/hci_core.h>
29

30
#define VERSION "1.5"
31

32
static bool amp;
33

34
struct vhci_data {
35
	struct hci_dev *hdev;
36

37
	wait_queue_head_t read_wait;
38
	struct sk_buff_head readq;
39

40
	struct mutex open_mutex;
41
	struct delayed_work open_timeout;
42
	struct work_struct suspend_work;
43

44
	bool suspended;
45
	bool wakeup;
46
	__u16 msft_opcode;
47
	bool aosp_capable;
48
	atomic_t initialized;
49
};
50

51
static int vhci_open_dev(struct hci_dev *hdev)
52
{
53
	return 0;
54
}
55

56
static int vhci_close_dev(struct hci_dev *hdev)
57
{
58
	struct vhci_data *data = hci_get_drvdata(hdev);
59

60
	skb_queue_purge(&data->readq);
61

62
	return 0;
63
}
64

65
static int vhci_flush(struct hci_dev *hdev)
66
{
67
	struct vhci_data *data = hci_get_drvdata(hdev);
68

69
	skb_queue_purge(&data->readq);
70

71
	return 0;
72
}
73

74
static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
75
{
76
	struct vhci_data *data = hci_get_drvdata(hdev);
77

78
	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
79

80
	skb_queue_tail(&data->readq, skb);
81

82
	if (atomic_read(&data->initialized))
83
		wake_up_interruptible(&data->read_wait);
84
	return 0;
85
}
86

87
static int vhci_get_data_path_id(struct hci_dev *hdev, u8 *data_path_id)
88
{
89
	*data_path_id = 0;
90
	return 0;
91
}
92

93
static int vhci_get_codec_config_data(struct hci_dev *hdev, __u8 type,
94
				      struct bt_codec *codec, __u8 *vnd_len,
95
				      __u8 **vnd_data)
96
{
97
	if (type != ESCO_LINK)
98
		return -EINVAL;
99

100
	*vnd_len = 0;
101
	*vnd_data = NULL;
102
	return 0;
103
}
104

105
static bool vhci_wakeup(struct hci_dev *hdev)
106
{
107
	struct vhci_data *data = hci_get_drvdata(hdev);
108

109
	return data->wakeup;
110
}
111

112
static ssize_t force_suspend_read(struct file *file, char __user *user_buf,
113
				  size_t count, loff_t *ppos)
114
{
115
	struct vhci_data *data = file->private_data;
116
	char buf[3];
117

118
	buf[0] = data->suspended ? 'Y' : 'N';
119
	buf[1] = '\n';
120
	buf[2] = '\0';
121
	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
122
}
123

124
static void vhci_suspend_work(struct work_struct *work)
125
{
126
	struct vhci_data *data = container_of(work, struct vhci_data,
127
					      suspend_work);
128

129
	if (data->suspended)
130
		hci_suspend_dev(data->hdev);
131
	else
132
		hci_resume_dev(data->hdev);
133
}
134

135
static ssize_t force_suspend_write(struct file *file,
136
				   const char __user *user_buf,
137
				   size_t count, loff_t *ppos)
138
{
139
	struct vhci_data *data = file->private_data;
140
	bool enable;
141
	int err;
142

143
	err = kstrtobool_from_user(user_buf, count, &enable);
144
	if (err)
145
		return err;
146

147
	if (data->suspended == enable)
148
		return -EALREADY;
149

150
	data->suspended = enable;
151

152
	schedule_work(&data->suspend_work);
153

154
	return count;
155
}
156

157
static const struct file_operations force_suspend_fops = {
158
	.open		= simple_open,
159
	.read		= force_suspend_read,
160
	.write		= force_suspend_write,
161
	.llseek		= default_llseek,
162
};
163

164
static ssize_t force_wakeup_read(struct file *file, char __user *user_buf,
165
				 size_t count, loff_t *ppos)
166
{
167
	struct vhci_data *data = file->private_data;
168
	char buf[3];
169

170
	buf[0] = data->wakeup ? 'Y' : 'N';
171
	buf[1] = '\n';
172
	buf[2] = '\0';
173
	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
174
}
175

176
static ssize_t force_wakeup_write(struct file *file,
177
				  const char __user *user_buf, size_t count,
178
				  loff_t *ppos)
179
{
180
	struct vhci_data *data = file->private_data;
181
	bool enable;
182
	int err;
183

184
	err = kstrtobool_from_user(user_buf, count, &enable);
185
	if (err)
186
		return err;
187

188
	if (data->wakeup == enable)
189
		return -EALREADY;
190

191
	data->wakeup = enable;
192

193
	return count;
194
}
195

196
static const struct file_operations force_wakeup_fops = {
197
	.open		= simple_open,
198
	.read		= force_wakeup_read,
199
	.write		= force_wakeup_write,
200
	.llseek		= default_llseek,
201
};
202

203
static int msft_opcode_set(void *data, u64 val)
204
{
205
	struct vhci_data *vhci = data;
206

207
	if (val > 0xffff || hci_opcode_ogf(val) != 0x3f)
208
		return -EINVAL;
209

210
	if (vhci->msft_opcode)
211
		return -EALREADY;
212

213
	vhci->msft_opcode = val;
214

215
	return 0;
216
}
217

218
static int msft_opcode_get(void *data, u64 *val)
219
{
220
	struct vhci_data *vhci = data;
221

222
	*val = vhci->msft_opcode;
223

224
	return 0;
225
}
226

227
DEFINE_DEBUGFS_ATTRIBUTE(msft_opcode_fops, msft_opcode_get, msft_opcode_set,
228
			 "%llu\n");
229

230
static ssize_t aosp_capable_read(struct file *file, char __user *user_buf,
231
				 size_t count, loff_t *ppos)
232
{
233
	struct vhci_data *vhci = file->private_data;
234
	char buf[3];
235

236
	buf[0] = vhci->aosp_capable ? 'Y' : 'N';
237
	buf[1] = '\n';
238
	buf[2] = '\0';
239
	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
240
}
241

242
static ssize_t aosp_capable_write(struct file *file,
243
				  const char __user *user_buf, size_t count,
244
				  loff_t *ppos)
245
{
246
	struct vhci_data *vhci = file->private_data;
247
	bool enable;
248
	int err;
249

250
	err = kstrtobool_from_user(user_buf, count, &enable);
251
	if (err)
252
		return err;
253

254
	if (!enable)
255
		return -EINVAL;
256

257
	if (vhci->aosp_capable)
258
		return -EALREADY;
259

260
	vhci->aosp_capable = enable;
261

262
	return count;
263
}
264

265
static const struct file_operations aosp_capable_fops = {
266
	.open		= simple_open,
267
	.read		= aosp_capable_read,
268
	.write		= aosp_capable_write,
269
	.llseek		= default_llseek,
270
};
271

272
static int vhci_setup(struct hci_dev *hdev)
273
{
274
	struct vhci_data *vhci = hci_get_drvdata(hdev);
275

276
	if (vhci->msft_opcode)
277
		hci_set_msft_opcode(hdev, vhci->msft_opcode);
278

279
	if (vhci->aosp_capable)
280
		hci_set_aosp_capable(hdev);
281

282
	return 0;
283
}
284

285
static void vhci_coredump(struct hci_dev *hdev)
286
{
287
	/* No need to do anything */
288
}
289

290
static void vhci_coredump_hdr(struct hci_dev *hdev, struct sk_buff *skb)
291
{
292
	const char *buf;
293

294
	buf = "Controller Name: vhci_ctrl\n";
295
	skb_put_data(skb, buf, strlen(buf));
296

297
	buf = "Firmware Version: vhci_fw\n";
298
	skb_put_data(skb, buf, strlen(buf));
299

300
	buf = "Driver: vhci_drv\n";
301
	skb_put_data(skb, buf, strlen(buf));
302

303
	buf = "Vendor: vhci\n";
304
	skb_put_data(skb, buf, strlen(buf));
305
}
306

307
#define MAX_COREDUMP_LINE_LEN	40
308

309
struct devcoredump_test_data {
310
	enum devcoredump_state state;
311
	unsigned int timeout;
312
	char data[MAX_COREDUMP_LINE_LEN];
313
};
314

315
static inline void force_devcd_timeout(struct hci_dev *hdev,
316
				       unsigned int timeout)
317
{
318
#ifdef CONFIG_DEV_COREDUMP
319
	hdev->dump.timeout = secs_to_jiffies(timeout);
320
#endif
321
}
322

323
static ssize_t force_devcd_write(struct file *file, const char __user *user_buf,
324
				 size_t count, loff_t *ppos)
325
{
326
	struct vhci_data *data = file->private_data;
327
	struct hci_dev *hdev = data->hdev;
328
	struct sk_buff *skb = NULL;
329
	struct devcoredump_test_data dump_data;
330
	size_t data_size;
331
	int ret;
332

333
	if (count < offsetof(struct devcoredump_test_data, data) ||
334
	    count > sizeof(dump_data))
335
		return -EINVAL;
336

337
	if (copy_from_user(&dump_data, user_buf, count))
338
		return -EFAULT;
339

340
	data_size = count - offsetof(struct devcoredump_test_data, data);
341
	skb = alloc_skb(data_size, GFP_ATOMIC);
342
	if (!skb)
343
		return -ENOMEM;
344
	skb_put_data(skb, &dump_data.data, data_size);
345

346
	hci_devcd_register(hdev, vhci_coredump, vhci_coredump_hdr, NULL);
347

348
	/* Force the devcoredump timeout */
349
	if (dump_data.timeout)
350
		force_devcd_timeout(hdev, dump_data.timeout);
351

352
	ret = hci_devcd_init(hdev, skb->len);
353
	if (ret) {
354
		BT_ERR("Failed to generate devcoredump");
355
		kfree_skb(skb);
356
		return ret;
357
	}
358

359
	hci_devcd_append(hdev, skb);
360

361
	switch (dump_data.state) {
362
	case HCI_DEVCOREDUMP_DONE:
363
		hci_devcd_complete(hdev);
364
		break;
365
	case HCI_DEVCOREDUMP_ABORT:
366
		hci_devcd_abort(hdev);
367
		break;
368
	case HCI_DEVCOREDUMP_TIMEOUT:
369
		/* Do nothing */
370
		break;
371
	default:
372
		return -EINVAL;
373
	}
374

375
	return count;
376
}
377

378
static const struct file_operations force_devcoredump_fops = {
379
	.open		= simple_open,
380
	.write		= force_devcd_write,
381
};
382

383
static void vhci_debugfs_init(struct vhci_data *data)
384
{
385
	struct hci_dev *hdev = data->hdev;
386

387
	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
388
			    &force_suspend_fops);
389

390
	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
391
			    &force_wakeup_fops);
392

393
	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
394
		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
395
				    &msft_opcode_fops);
396

397
	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
398
		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
399
				    &aosp_capable_fops);
400

401
	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
402
			    &force_devcoredump_fops);
403
}
404

405
static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
406
{
407
	struct hci_dev *hdev;
408
	struct sk_buff *skb;
409

410
	if (data->hdev)
411
		return -EBADFD;
412

413
	/* bits 2-5 are reserved (must be zero) */
414
	if (opcode & 0x3c)
415
		return -EINVAL;
416

417
	skb = bt_skb_alloc(4, GFP_KERNEL);
418
	if (!skb)
419
		return -ENOMEM;
420

421
	hdev = hci_alloc_dev();
422
	if (!hdev) {
423
		kfree_skb(skb);
424
		return -ENOMEM;
425
	}
426

427
	data->hdev = hdev;
428

429
	hdev->bus = HCI_VIRTUAL;
430
	hci_set_drvdata(hdev, data);
431

432
	hdev->open  = vhci_open_dev;
433
	hdev->close = vhci_close_dev;
434
	hdev->flush = vhci_flush;
435
	hdev->send  = vhci_send_frame;
436
	hdev->get_data_path_id = vhci_get_data_path_id;
437
	hdev->get_codec_config_data = vhci_get_codec_config_data;
438
	hdev->wakeup = vhci_wakeup;
439
	hdev->setup = vhci_setup;
440
	hci_set_quirk(hdev, HCI_QUIRK_NON_PERSISTENT_SETUP);
441
	hci_set_quirk(hdev, HCI_QUIRK_SYNC_FLOWCTL_SUPPORTED);
442

443
	/* bit 6 is for external configuration */
444
	if (opcode & 0x40)
445
		hci_set_quirk(hdev, HCI_QUIRK_EXTERNAL_CONFIG);
446

447
	/* bit 7 is for raw device */
448
	if (opcode & 0x80)
449
		hci_set_quirk(hdev, HCI_QUIRK_RAW_DEVICE);
450

451
	if (hci_register_dev(hdev) < 0) {
452
		BT_ERR("Can't register HCI device");
453
		hci_free_dev(hdev);
454
		data->hdev = NULL;
455
		kfree_skb(skb);
456
		return -EBUSY;
457
	}
458

459
	if (!IS_ERR_OR_NULL(hdev->debugfs))
460
		vhci_debugfs_init(data);
461

462
	hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
463

464
	skb_put_u8(skb, 0xff);
465
	skb_put_u8(skb, opcode);
466
	put_unaligned_le16(hdev->id, skb_put(skb, 2));
467
	skb_queue_head(&data->readq, skb);
468
	atomic_inc(&data->initialized);
469

470
	wake_up_interruptible(&data->read_wait);
471
	return 0;
472
}
473

474
static int vhci_create_device(struct vhci_data *data, __u8 opcode)
475
{
476
	int err;
477

478
	mutex_lock(&data->open_mutex);
479
	err = __vhci_create_device(data, opcode);
480
	mutex_unlock(&data->open_mutex);
481

482
	return err;
483
}
484

485
static inline ssize_t vhci_get_user(struct vhci_data *data,
486
				    struct iov_iter *from)
487
{
488
	size_t len = iov_iter_count(from);
489
	struct sk_buff *skb;
490
	__u8 pkt_type, opcode;
491
	int ret;
492

493
	if (len < 2 || len > HCI_MAX_FRAME_SIZE)
494
		return -EINVAL;
495

496
	skb = bt_skb_alloc(len, GFP_KERNEL);
497
	if (!skb)
498
		return -ENOMEM;
499

500
	if (!copy_from_iter_full(skb_put(skb, len), len, from)) {
501
		kfree_skb(skb);
502
		return -EFAULT;
503
	}
504

505
	pkt_type = *((__u8 *) skb->data);
506
	skb_pull(skb, 1);
507

508
	switch (pkt_type) {
509
	case HCI_EVENT_PKT:
510
	case HCI_ACLDATA_PKT:
511
	case HCI_SCODATA_PKT:
512
	case HCI_ISODATA_PKT:
513
		if (!data->hdev) {
514
			kfree_skb(skb);
515
			return -ENODEV;
516
		}
517

518
		hci_skb_pkt_type(skb) = pkt_type;
519

520
		ret = hci_recv_frame(data->hdev, skb);
521
		break;
522

523
	case HCI_VENDOR_PKT:
524
		cancel_delayed_work_sync(&data->open_timeout);
525

526
		opcode = *((__u8 *) skb->data);
527
		skb_pull(skb, 1);
528

529
		if (skb->len > 0) {
530
			kfree_skb(skb);
531
			return -EINVAL;
532
		}
533

534
		kfree_skb(skb);
535

536
		ret = vhci_create_device(data, opcode);
537
		break;
538

539
	default:
540
		kfree_skb(skb);
541
		return -EINVAL;
542
	}
543

544
	return (ret < 0) ? ret : len;
545
}
546

547
static inline ssize_t vhci_put_user(struct vhci_data *data,
548
				    struct sk_buff *skb,
549
				    char __user *buf, int count)
550
{
551
	char __user *ptr = buf;
552
	int len;
553

554
	len = min_t(unsigned int, skb->len, count);
555

556
	if (copy_to_user(ptr, skb->data, len))
557
		return -EFAULT;
558

559
	if (!data->hdev)
560
		return len;
561

562
	data->hdev->stat.byte_tx += len;
563

564
	switch (hci_skb_pkt_type(skb)) {
565
	case HCI_COMMAND_PKT:
566
		data->hdev->stat.cmd_tx++;
567
		break;
568
	case HCI_ACLDATA_PKT:
569
		data->hdev->stat.acl_tx++;
570
		break;
571
	case HCI_SCODATA_PKT:
572
		data->hdev->stat.sco_tx++;
573
		break;
574
	}
575

576
	return len;
577
}
578

579
static ssize_t vhci_read(struct file *file,
580
			 char __user *buf, size_t count, loff_t *pos)
581
{
582
	struct vhci_data *data = file->private_data;
583
	struct sk_buff *skb;
584
	ssize_t ret = 0;
585

586
	while (count) {
587
		skb = skb_dequeue(&data->readq);
588
		if (skb) {
589
			ret = vhci_put_user(data, skb, buf, count);
590
			if (ret < 0)
591
				skb_queue_head(&data->readq, skb);
592
			else
593
				kfree_skb(skb);
594
			break;
595
		}
596

597
		if (file->f_flags & O_NONBLOCK) {
598
			ret = -EAGAIN;
599
			break;
600
		}
601

602
		ret = wait_event_interruptible(data->read_wait,
603
					       !skb_queue_empty(&data->readq));
604
		if (ret < 0)
605
			break;
606
	}
607

608
	return ret;
609
}
610

611
static ssize_t vhci_write(struct kiocb *iocb, struct iov_iter *from)
612
{
613
	struct file *file = iocb->ki_filp;
614
	struct vhci_data *data = file->private_data;
615

616
	return vhci_get_user(data, from);
617
}
618

619
static __poll_t vhci_poll(struct file *file, poll_table *wait)
620
{
621
	struct vhci_data *data = file->private_data;
622

623
	poll_wait(file, &data->read_wait, wait);
624

625
	if (!skb_queue_empty(&data->readq))
626
		return EPOLLIN | EPOLLRDNORM;
627

628
	return EPOLLOUT | EPOLLWRNORM;
629
}
630

631
static void vhci_open_timeout(struct work_struct *work)
632
{
633
	struct vhci_data *data = container_of(work, struct vhci_data,
634
					      open_timeout.work);
635

636
	vhci_create_device(data, 0x00);
637
}
638

639
static int vhci_open(struct inode *inode, struct file *file)
640
{
641
	struct vhci_data *data;
642

643
	data = kzalloc(sizeof(*data), GFP_KERNEL);
644
	if (!data)
645
		return -ENOMEM;
646

647
	skb_queue_head_init(&data->readq);
648
	init_waitqueue_head(&data->read_wait);
649

650
	mutex_init(&data->open_mutex);
651
	INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout);
652
	INIT_WORK(&data->suspend_work, vhci_suspend_work);
653

654
	file->private_data = data;
655
	nonseekable_open(inode, file);
656

657
	schedule_delayed_work(&data->open_timeout, secs_to_jiffies(1));
658

659
	return 0;
660
}
661

662
static void vhci_debugfs_remove(struct hci_dev *hdev)
663
{
664
	debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
665

666
	debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
667

668
	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
669
		debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
670

671
	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
672
		debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
673

674
	debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
675
}
676

677
static int vhci_release(struct inode *inode, struct file *file)
678
{
679
	struct vhci_data *data = file->private_data;
680
	struct hci_dev *hdev;
681

682
	cancel_delayed_work_sync(&data->open_timeout);
683
	flush_work(&data->suspend_work);
684

685
	hdev = data->hdev;
686

687
	if (hdev) {
688
		if (!IS_ERR_OR_NULL(hdev->debugfs))
689
			vhci_debugfs_remove(hdev);
690
		hci_unregister_dev(hdev);
691
		hci_free_dev(hdev);
692
	}
693

694
	skb_queue_purge(&data->readq);
695
	file->private_data = NULL;
696
	kfree(data);
697

698
	return 0;
699
}
700

701
static const struct file_operations vhci_fops = {
702
	.owner		= THIS_MODULE,
703
	.read		= vhci_read,
704
	.write_iter	= vhci_write,
705
	.poll		= vhci_poll,
706
	.open		= vhci_open,
707
	.release	= vhci_release,
708
};
709

710
static struct miscdevice vhci_miscdev = {
711
	.name	= "vhci",
712
	.fops	= &vhci_fops,
713
	.minor	= VHCI_MINOR,
714
};
715
module_misc_device(vhci_miscdev);
716

717
module_param(amp, bool, 0644);
718
MODULE_PARM_DESC(amp, "Create AMP controller device");
719

720
MODULE_AUTHOR("Marcel Holtmann <[email protected]>");
721
MODULE_DESCRIPTION("Bluetooth virtual HCI driver ver " VERSION);
722
MODULE_VERSION(VERSION);
723
MODULE_LICENSE("GPL");
724
MODULE_ALIAS("devname:vhci");
725
MODULE_ALIAS_MISCDEV(VHCI_MINOR);
726

727