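# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# AF_BLUETOOTH support.
#
# Syscall descriptions for the Bluetooth socket family: HCI, SCO, L2CAP, RFCOMM,
# HIDP, CMTP and BNEP sockets, the SOL_BLUETOOTH options shared by all of them,
# and the two 6lowpan debugfs control files at the end of the file.
# How precise these descriptions are decides how much of the kernel's Bluetooth
# socket code the fuzzer can actually reach, so argument directions and length
# encodings matter as much as the names.

include <linux/socket.h>
include <linux/net.h>
include <linux/isdn/capilli.h>
include <net/bluetooth/bluetooth.h>
include <net/bluetooth/hci_sock.h>
include <net/bluetooth/l2cap.h>
include <net/bluetooth/cmtp/cmtp.h>
include <net/bluetooth/bnep/bnep.h>
include <net/bluetooth/hidp/hidp.h>
include <net/bluetooth/sco.h>
include <net/bluetooth/hci.h>
include <net/bluetooth/rfcomm.h>
include <asm/ioctls.h>

# sock_bt is the common parent resource; each protocol gets its own child
# resource so that protocol-specific calls only receive matching sockets.
resource sock_bt[sock]
resource sock_bt_hci[sock_bt]

# HCI, SCO and L2CAP sockets are created through the syz_init_net_socket
# pseudo-syscall; RFCOMM, HIDP, CMTP and BNEP below use plain socket().
syz_init_net_socket$bt_hci(fam const[AF_BLUETOOTH], type const[SOCK_RAW], proto const[BTPROTO_HCI]) sock_bt_hci
bind$bt_hci(fd sock_bt_hci, addr ptr[in, sockaddr_hci], addrlen len[addr])
ioctl$sock_bt_hci(fd sock_bt_hci, cmd flags[bt_hci_ioctl], arg buffer[inout])
ioctl$HCIINQUIRY(fd sock_bt_hci, cmd const[HCIINQUIRY], arg ptr[in, hci_inquiry_req])
setsockopt$bt_hci_HCI_DATA_DIR(fd sock_bt_hci, level const[0], opt const[HCI_DATA_DIR], arg ptr[in, int32], arglen len[arg])
setsockopt$bt_hci_HCI_TIME_STAMP(fd sock_bt_hci, level const[0], opt const[HCI_TIME_STAMP], arg ptr[in, int32], arglen len[arg])
setsockopt$bt_hci_HCI_FILTER(fd sock_bt_hci, level const[0], opt const[HCI_FILTER], arg ptr[in, hci_ufilter], arglen len[arg])
# NOTE(review): this call accepts any `sock`, while every other HCI call in
# this file requires sock_bt_hci. With the generic type most generated calls
# will land on non-HCI sockets; confirm whether that is intended before
# narrowing it.
getsockopt$bt_hci(fd sock, level const[0], opt flags[bt_hci_sockopt], arg buffer[out], arglen ptr[inout, len[arg, int32]])
write$bt_hci(fd sock_bt_hci, data ptr[in, vhci_command_pkt], size bytesize[data])

# Neither constant is referenced by a description in this file.
define HCI_EXTERNAL_CONFIG	0x40
define HCI_RAW_DEVICE	0x80

resource sock_bt_sco[sock_bt]

syz_init_net_socket$bt_sco(fam const[AF_BLUETOOTH], type const[SOCK_SEQPACKET], proto const[BTPROTO_SCO]) sock_bt_sco
bind$bt_sco(fd sock_bt_sco, addr ptr[in, sockaddr_sco], addrlen len[addr])
connect$bt_sco(fd sock_bt_sco, addr ptr[in, sockaddr_sco], addrlen len[addr])
getsockopt$bt_sco_SCO_OPTIONS(fd sock_bt_sco, level const[SOL_SCO], opt const[SCO_OPTIONS], arg buffer[out], arglen ptr[inout, len[arg, int32]])
getsockopt$bt_sco_SCO_CONNINFO(fd sock_bt_sco, level const[SOL_SCO], opt const[SCO_CONNINFO], arg buffer[out], arglen ptr[inout, len[arg, int32]])

resource sock_bt_l2cap[sock_bt]

syz_init_net_socket$bt_l2cap(fam const[AF_BLUETOOTH], type flags[bt_l2cap_type], proto const[BTPROTO_L2CAP]) sock_bt_l2cap
bind$bt_l2cap(fd sock_bt_l2cap, addr ptr[in, sockaddr_l2], addrlen len[addr])
connect$bt_l2cap(fd sock_bt_l2cap, addr ptr[in, sockaddr_l2], addrlen len[addr])
accept4$bt_l2cap(fd sock_bt_l2cap, peer ptr[out, sockaddr_l2, opt], peerlen ptr[inout, len[peer, int32]], flags flags[accept_flags]) sock_bt_l2cap
setsockopt$bt_l2cap_L2CAP_OPTIONS(fd sock_bt_l2cap, level const[SOL_L2CAP], opt const[L2CAP_OPTIONS], arg ptr[in, l2cap_options], arglen len[arg])
getsockopt$bt_l2cap_L2CAP_OPTIONS(fd sock_bt_l2cap, level const[SOL_L2CAP], opt const[L2CAP_OPTIONS], arg ptr[out, l2cap_options], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_l2cap_L2CAP_LM(fd sock_bt_l2cap, level const[SOL_L2CAP], opt const[L2CAP_LM], arg ptr[in, flags[bt_l2cap_lm, int32]], arglen len[arg])
getsockopt$bt_l2cap_L2CAP_LM(fd sock_bt_l2cap, level const[SOL_L2CAP], opt const[L2CAP_LM], arg ptr[out, int32], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_l2cap_L2CAP_CONNINFO(fd sock_bt_l2cap, level const[SOL_L2CAP], opt const[L2CAP_CONNINFO], arg ptr[in, l2cap_conninfo], arglen len[arg])
getsockopt$bt_l2cap_L2CAP_CONNINFO(fd sock_bt_l2cap, level const[SOL_L2CAP], opt const[L2CAP_CONNINFO], arg ptr[out, l2cap_conninfo], arglen ptr[inout, len[arg, int32]])

resource sock_bt_rfcomm[sock_bt]

socket$bt_rfcomm(fam const[AF_BLUETOOTH], type flags[bt_rfcomm_type], proto const[BTPROTO_RFCOMM]) sock_bt_rfcomm
bind$bt_rfcomm(fd sock_bt_rfcomm, addr ptr[in, sockaddr_rc], addrlen len[addr])
connect$bt_rfcomm(fd sock_bt_rfcomm, addr ptr[in, sockaddr_rc], addrlen len[addr])
# RFCOMM_LM reuses the L2CAP link-mode flag set (bt_l2cap_lm).
setsockopt$bt_rfcomm_RFCOMM_LM(fd sock_bt_rfcomm, level const[SOL_RFCOMM], opt const[RFCOMM_LM], arg ptr[in, flags[bt_l2cap_lm, int32]], arglen len[arg])
getsockopt$bt_rfcomm_RFCOMM_LM(fd sock_bt_rfcomm, level const[SOL_RFCOMM], opt const[RFCOMM_LM], arg ptr[out, int32], arglen ptr[inout, len[arg, int32]])
getsockopt$bt_rfcomm_RFCOMM_CONNINFO(fd sock_bt_rfcomm, level const[SOL_RFCOMM], opt const[RFCOMM_CONNINFO], arg buffer[out], arglen ptr[inout, len[arg, int32]])

resource sock_bt_hidp[sock_bt]

# NOTE(review): the *GETCONNLIST and *GETCONNINFO ioctls of HIDP, CMTP and BNEP
# are declared with ptr[in, ...] although their names suggest the kernel
# returns data through the same structure; confirm whether inout is the
# intended direction.
socket$bt_hidp(fam const[AF_BLUETOOTH], type const[SOCK_RAW], proto const[BTPROTO_HIDP]) sock_bt_hidp
ioctl$sock_bt_hidp_HIDPCONNADD(fd sock_bt_hidp, cmd const[HIDPCONNADD], arg ptr[in, hidp_connadd_req])
ioctl$sock_bt_hidp_HIDPCONNDEL(fd sock_bt_hidp, cmd const[HIDPCONNDEL], arg ptr[in, hidp_conndel_req])
ioctl$sock_bt_hidp_HIDPGETCONNLIST(fd sock_bt_hidp, cmd const[HIDPGETCONNLIST], arg ptr[in, hidp_connlist_req])
ioctl$sock_bt_hidp_HIDPGETCONNINFO(fd sock_bt_hidp, cmd const[HIDPGETCONNINFO], arg ptr[in, hidp_conninfo])

resource sock_bt_cmtp[sock_bt]

socket$bt_cmtp(fam const[AF_BLUETOOTH], type const[SOCK_RAW], proto const[BTPROTO_CMTP]) sock_bt_cmtp
ioctl$sock_bt_cmtp_CMTPCONNADD(fd sock_bt_cmtp, cmd const[CMTPCONNADD], arg ptr[in, cmtp_connadd_req])
ioctl$sock_bt_cmtp_CMTPCONNDEL(fd sock_bt_cmtp, cmd const[CMTPCONNDEL], arg ptr[in, cmtp_conndel_req])
ioctl$sock_bt_cmtp_CMTPGETCONNLIST(fd sock_bt_cmtp, cmd const[CMTPGETCONNLIST], arg ptr[in, cmtp_connlist_req])
ioctl$sock_bt_cmtp_CMTPGETCONNINFO(fd sock_bt_cmtp, cmd const[CMTPGETCONNINFO], arg ptr[in, cmtp_conninfo])

resource sock_bt_bnep[sock_bt]

socket$bt_bnep(fam const[AF_BLUETOOTH], type const[SOCK_RAW], proto const[BTPROTO_BNEP]) sock_bt_bnep
ioctl$sock_bt_bnep_BNEPCONNADD(fd sock_bt_bnep, cmd const[BNEPCONNADD], arg ptr[in, bnep_connadd_req])
ioctl$sock_bt_bnep_BNEPCONNDEL(fd sock_bt_bnep, cmd const[BNEPCONNDEL], arg ptr[in, bnep_conndel_req])
ioctl$sock_bt_bnep_BNEPGETCONNLIST(fd sock_bt_bnep, cmd const[BNEPGETCONNLIST], arg ptr[in, bnep_connlist_req])
ioctl$sock_bt_bnep_BNEPGETCONNINFO(fd sock_bt_bnep, cmd const[BNEPGETCONNINFO], arg ptr[in, bnep_conninfo])
ioctl$sock_bt_bnep_BNEPGETSUPPFEAT(fd sock_bt_bnep, cmd const[BNEPGETSUPPFEAT], arg ptr[in, int32])

# SOL_BLUETOOTH options, valid on any sock_bt.
# getsockopt(2) takes the option length by pointer, so every getter passes
# arglen as ptr[inout, len[arg, int32]] and marks arg as an output buffer, the
# same shape the L2CAP and RFCOMM getters above use. A length passed by value
# would be read by the kernel as a user address and the call would fail before
# it reaches the option handler.
setsockopt$bt_BT_SECURITY(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_SECURITY], arg ptr[in, bt_security], arglen len[arg])
getsockopt$bt_BT_SECURITY(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_SECURITY], arg ptr[out, bt_security], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_DEFER_SETUP(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_DEFER_SETUP], arg ptr[in, bool32], arglen len[arg])
getsockopt$bt_BT_DEFER_SETUP(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_DEFER_SETUP], arg ptr[out, bool32], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_VOICE(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_VOICE], arg ptr[in, flags[bt_voice_settings, int16]], arglen len[arg])
getsockopt$bt_BT_VOICE(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_VOICE], arg ptr[out, int16], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_FLUSHABLE(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_FLUSHABLE], arg ptr[in, int32], arglen len[arg])
getsockopt$bt_BT_FLUSHABLE(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_FLUSHABLE], arg ptr[out, int32], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_POWER(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_POWER], arg ptr[in, int8], arglen len[arg])
getsockopt$bt_BT_POWER(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_POWER], arg ptr[out, int8], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_CHANNEL_POLICY(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_CHANNEL_POLICY], arg ptr[in, int32], arglen len[arg])
getsockopt$bt_BT_CHANNEL_POLICY(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_CHANNEL_POLICY], arg ptr[out, int32], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_SNDMTU(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_SNDMTU], arg ptr[in, int16], arglen len[arg])
getsockopt$bt_BT_SNDMTU(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_SNDMTU], arg ptr[out, int16], arglen ptr[inout, len[arg, int32]])
setsockopt$bt_BT_RCVMTU(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_RCVMTU], arg ptr[in, int16], arglen len[arg])
getsockopt$bt_BT_RCVMTU(fd sock_bt, level const[SOL_BLUETOOTH], opt const[BT_RCVMTU], arg ptr[out, int16], arglen ptr[inout, len[arg, int32]])

bt_voice_settings = BT_VOICE_TRANSPARENT, BT_VOICE_CVSD_16BIT

# HCI device index, limited to -1..4 so generated values stay within a small
# range of device numbers.
type hci_dev_t int16[-1:4]

sockaddr_hci {
	hci_family	const[AF_BLUETOOTH, int16]
	hci_dev	hci_dev_t
	hci_channel	flags[bt_hci_chan, int16]
}

hci_inquiry_req {
	dev	hci_dev_t
	flags	int16
	lap	array[int8, 3]
	len	int8
	rsp	int8
}

hci_ufilter {
	type	int32
	event	array[int32, 2]
	opcode	int16
}

sockaddr_sco {
	fam	const[AF_BLUETOOTH, int16]
	addr	bdaddr_t
}

sockaddr_l2 {
	l2_family	const[AF_BLUETOOTH, int16]
	l2_psm	int16
	l2_bdaddr	bdaddr_t
	l2_cid	int16
	l2_bdaddr_type	flags[bdaddr_type, int8]
}

bdaddr_type = BDADDR_BREDR, BDADDR_LE_PUBLIC, BDADDR_LE_RANDOM

# Device addresses are drawn from three shapes only: all-zero bytes, all-0xff
# bytes, or a constructed address made of five 0xaa bytes plus one byte in
# 0x10..0x12 (bdaddr_fixed). Arbitrary addresses are never generated.
bdaddr_t [
	any	array[const[0, int8], 6]
	none	array[const[0xff, int8], 6]
	fixed	bdaddr_fixed
]

bdaddr_fixed {
	b	array[const[0xaa, int8], 5]
	a	int8[0x10:0x12]
}

# Both fields are unconstrained int8 values, so out-of-range security levels
# and key sizes are generated as well.
bt_security {
	lev	int8
	keysize	int8
}

sockaddr_rc {
	fam	const[AF_BLUETOOTH, int16]
	addr	bdaddr_t
	chan	int8
}

# ctrlsk and intrsk accept any `sock`, not only Bluetooth sockets.
# rdsize is tied to the length of the rddata buffer.
hidp_connadd_req {
	ctrlsk	sock
	intrsk	sock
	parser	int16
	rdsize	len[rddata, int16]
	rddata	ptr[in, array[int8]]
	country	int8
	subclas	int8
	vendor	int16
	product	int16
	version	int16
	flags	flags[hidp_connadd_flags, int32]
	idleto	int32
	name	string[hidp_connadd_names, 128]
}

hidp_connadd_names = "syz0", "syz1"
hidp_connadd_flags = HIDP_VIRTUAL_CABLE_UNPLUG_BIT, HIDP_BOOT_PROTOCOL_MODE_BIT

# The kernel headers define these as bit numbers; the request's flags field is
# described here as a mask, hence the shifts.
define HIDP_VIRTUAL_CABLE_UNPLUG_BIT	1<<HIDP_VIRTUAL_CABLE_UNPLUG
define HIDP_BOOT_PROTOCOL_MODE_BIT	1<<HIDP_BOOT_PROTOCOL_MODE

hidp_conndel_req {
	addr	bdaddr_t
	flags	int32
}

hidp_conninfo {
	addr	bdaddr_t
	flags	int32
	state	int16
	vendor	int16
	product	int16
	ver	int16
	name	array[int8, 128]
}

# cnum is tied to the element count of the ci output array.
hidp_connlist_req {
	cnum	len[ci, int32]
	ci	ptr[out, array[hidp_conninfo]]
}

cmtp_connadd_req {
	sock	sock
	flags	int32
}

cmtp_conndel_req {
	addr	bdaddr_t
	flags	int32
}

cmtp_conninfo {
	addr	bdaddr_t
	flags	int32
	state	int16
	num	int32
}

cmtp_connlist_req {
	cnum	len[ci, int32]
	ci	ptr[out, array[cmtp_conninfo]]
}

# NOTE(review): device is a variable-length byte array here, while
# bnep_conninfo below uses devname for the field of the same name; confirm
# which layout matches the kernel structure.
bnep_connadd_req {
	sock	sock
	flags	int32
	role	int16
	device	array[int8]
}

bnep_conndel_req {
	flags	int32
	dst	mac_addr
}

bnep_conninfo {
	flags	int32
	role	int16
	state	int16
	dst	mac_addr
	device	devname
}

bnep_connlist_req {
	cnum	len[ci, int32]
	ci	ptr[out, array[bnep_conninfo]]
}

bt_hci_chan = HCI_CHANNEL_RAW, HCI_CHANNEL_USER, HCI_CHANNEL_MONITOR, HCI_CHANNEL_CONTROL, HCI_CHANNEL_LOGGING
bt_hci_ioctl = HCIDEVUP, HCIDEVDOWN, HCIDEVRESET, HCIDEVRESTAT, HCIGETDEVLIST, HCIGETDEVINFO, HCIGETCONNLIST, HCIGETCONNINFO, HCIGETAUTHINFO, HCISETRAW, HCISETSCAN, HCISETAUTH, HCISETENCRYPT, HCISETPTYPE, HCISETLINKPOL, HCISETLINKMODE, HCISETACLMTU, HCISETSCOMTU, HCIBLOCKADDR, HCIUNBLOCKADDR, HCIINQUIRY
bt_hci_sockopt = HCI_DATA_DIR, HCI_TIME_STAMP, HCI_FILTER
bt_l2cap_type = SOCK_SEQPACKET, SOCK_STREAM, SOCK_DGRAM, SOCK_RAW
bt_l2cap_lm = L2CAP_LM_MASTER, L2CAP_LM_AUTH, L2CAP_LM_ENCRYPT, L2CAP_LM_TRUSTED, L2CAP_LM_RELIABLE, L2CAP_LM_SECURE, L2CAP_LM_FIPS
bt_rfcomm_type = SOCK_STREAM, SOCK_RAW

# 6lowpan control files under debugfs. Each file gets its own fd resource, and
# writes are restricted to the fixed strings listed below.
resource fd_6lowpan_enable[fd]
resource fd_6lowpan_control[fd]

openat$6lowpan_enable(fd const[AT_FDCWD], file ptr[in, string["/sys/kernel/debug/bluetooth/6lowpan_enable"]], flags const[O_RDWR], mode const[0]) fd_6lowpan_enable
openat$6lowpan_control(fd const[AT_FDCWD], file ptr[in, string["/sys/kernel/debug/bluetooth/6lowpan_control"]], flags const[O_RDWR], mode const[0]) fd_6lowpan_control

write$6lowpan_enable(fd fd_6lowpan_enable, data ptr[in, stringnoz[lowpan_enable_values]], len bytesize[data])
write$6lowpan_control(fd fd_6lowpan_control, data ptr[in, stringnoz[lowpan_control_values]], len bytesize[data])

lowpan_enable_values = "0", "1"
lowpan_control_values = "connect aa:aa:aa:aa:aa:10 0", "connect aa:aa:aa:aa:aa:10 1", "connect aa:aa:aa:aa:aa:10 2", "connect aa:aa:aa:aa:aa:11 0", "connect aa:aa:aa:aa:aa:11 1", "connect aa:aa:aa:aa:aa:11 2", "disconnect aa:aa:aa:aa:aa:10 0", "disconnect aa:aa:aa:aa:aa:10 1", "disconnect aa:aa:aa:aa:aa:10 2", "disconnect aa:aa:aa:aa:aa:11 0", "disconnect aa:aa:aa:aa:aa:11 1", "disconnect aa:aa:aa:aa:aa:11 2"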