1. 11 Nov, 2020 9 commits
  2. 10 Nov, 2020 2 commits
    • Max Chou's avatar
      Bluetooth: btusb: btrtl: Add support for RTL8852A · 0d484db6
      Max Chou authored
      Add the support for RTL8852A BT controller on USB interface.
      The necessary firmware will be submitted to linux-firmware project.
      
      The device info from /sys/kernel/debug/usb/devices as below.
      
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 10 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0bda ProdID=c852 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarMax Chou <max.chou@realtek.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      0d484db6
    • Chris Chiu's avatar
      Bluetooth: btusb: Add support for 13d3:3560 MediaTek MT7615E device · 3a567b95
      Chris Chiu authored
      The ASUS X532EQ laptop contains AzureWave AW-CB434NF WiFi/BT combo
      module with an associated MT7615E BT chip using a USB ID of 13d3:3560.
      
      T:  Bus=03 Lev=01 Prnt=01 Port=09 Cnt=02 Dev#=  3 Spd=480  MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3560 Rev= 1.00
      S:  Manufacturer=MediaTek Inc.
      S:  Product=Wireless_Device
      S:  SerialNumber=000000000
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=125us
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:  If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  63 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  63 Ivl=1ms
      Signed-off-by: default avatarChris Chiu <chiu@endlessos.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      3a567b95
  3. 09 Nov, 2020 12 commits
    • Anant Thazhemadam's avatar
      Bluetooth: hci_h5: fix memory leak in h5_close · 855af2d7
      Anant Thazhemadam authored
      When h5_close() is called, h5 is directly freed when !hu->serdev.
      However, h5->rx_skb is not freed, which causes a memory leak.
      
      Freeing h5->rx_skb and setting it to NULL, fixes this memory leak.
      
      Fixes: ce945552 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
      Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
      Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
      Signed-off-by: default avatarAnant Thazhemadam <anant.thazhemadam@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      855af2d7
    • Ole Bjørn Midtbø's avatar
      Bluetooth: hidp: use correct wait queue when removing ctrl_wait · cca342d9
      Ole Bjørn Midtbø authored
      A different wait queue was used when removing ctrl_wait than when adding
      it. This effectively made the remove operation without locking compared
      to other operations on the wait queue ctrl_wait was part of. This caused
      issues like below where dead000000000100 is LIST_POISON1 and
      dead000000000200 is LIST_POISON2.
      
       list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \
      	but was dead000000000200. (next=ffffffc03ac77de0).
       ------------[ cut here ]------------
       CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
       ...
       ---[ end trace 0adc2158f0646eac ]---
       Call trace:
       [<ffffffc000443f78>] __list_add+0x38/0xb0
       [<ffffffc0000f0d04>] add_wait_queue+0x4c/0x68
       [<ffffffc00020eecc>] __pollwait+0xec/0x100
       [<ffffffc000d1556c>] bt_sock_poll+0x74/0x200
       [<ffffffc000bdb8a8>] sock_poll+0x110/0x128
       [<ffffffc000210378>] do_sys_poll+0x220/0x480
       [<ffffffc0002106f0>] SyS_poll+0x80/0x138
       [<ffffffc00008510c>] __sys_trace_return+0x0/0x4
      
       Unable to handle kernel paging request at virtual address dead000000000100
       ...
       CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
       ...
       Call trace:
        [<ffffffc0000f079c>] __wake_up_common+0x7c/0xa8
        [<ffffffc0000f0818>] __wake_up+0x50/0x70
        [<ffffffc000be11b0>] sock_def_wakeup+0x58/0x60
        [<ffffffc000de5e10>] l2cap_sock_teardown_cb+0x200/0x224
        [<ffffffc000d3f2ac>] l2cap_chan_del+0xa4/0x298
        [<ffffffc000d45ea0>] l2cap_conn_del+0x118/0x198
        [<ffffffc000d45f8c>] l2cap_disconn_cfm+0x6c/0x78
        [<ffffffc000d29934>] hci_event_packet+0x564/0x2e30
        [<ffffffc000d19b0c>] hci_rx_work+0x10c/0x360
        [<ffffffc0000c2218>] process_one_work+0x268/0x460
        [<ffffffc0000c2678>] worker_thread+0x268/0x480
        [<ffffffc0000c94e0>] kthread+0x118/0x128
        [<ffffffc000085070>] ret_from_fork+0x10/0x20
        ---[ end trace 0adc2158f0646ead ]---
      Signed-off-by: default avatarOle Bjørn Midtbø <omidtbo@cisco.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      cca342d9
    • Claire Chang's avatar
      Bluetooth: Move force_bredr_smp debugfs into hci_debugfs_create_bredr · 82493316
      Claire Chang authored
      Avoid multiple attempts to create the debugfs entry, force_bredr_smp,
      by moving it from the SMP registration to the BR/EDR controller init
      section. hci_debugfs_create_bredr is only called when HCI_SETUP and
      HCI_CONFIG is not set.
      Signed-off-by: default avatarClaire Chang <tientzu@chromium.org>
      Reviewed-by: default avatarAlain Michaud <alainm@chromium.org>
      Reviewed-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      82493316
    • Sathish Narasimman's avatar
      Bluetooth: Fix: LL PRivacy BLE device fails to connect · 1fb17dfc
      Sathish Narasimman authored
      When adding device to white list the device is added to resolving list
      also. It has to be added only when HCI_ENABLE_LL_PRIVACY flag is set.
      HCI_ENABLE_LL_PRIVACY flag has to be tested before adding/deleting devices
      to resolving list. use_ll_privacy macro is used only to check if controller
      supports LL_Privacy.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=209745
      
      Fixes: 0eee35bd ("Bluetooth: Update resolving list when updating whitelist")
      Signed-off-by: default avatarSathish Narasimman <sathish.narasimman@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      1fb17dfc
    • Kai-Heng Feng's avatar
      Bluetooth: btrtl: Ask 8821C to drop old firmware · 1996d9ca
      Kai-Heng Feng authored
      Some platforms keep USB power even when they are powered off and in S5,
      this makes Realtek 8821C keep its firmware even after a cold boot, and
      make 8821C never load new firmware.
      
      So use vendor specific HCI command to ask 8821C drop its firmware after
      system shutdown.
      
      Newer firmware doesn't have this issue so we only use this trick for old
      8821C firmware version.
      Suggested-by: default avatarMax Chou <max.chou@realtek.com>
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      1996d9ca
    • Max Chou's avatar
      Bluetooth: btrtl: Refine the ic_id_table for clearer and more regular · 6f9ff246
      Max Chou authored
      Enhance the ic_id_table that it's able to maintain regularly.
      To judge which chip should be initialized by LMP subversion, HCI revision,
       HCI version and HCI bus which were given in the ic_id_table.
      Also, refine the incorrect LMP subversion of ROM for RTL8723D and
      RTL8723A.
      Suggested-by: default avatarAlex Lu <alex_lu@realsil.com.cn>
      Signed-off-by: default avatarMax Chou <max.chou@realtek.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      6f9ff246
    • Max Chou's avatar
      Bluetooth: btusb: Add the more support IDs for Realtek RTL8822CE · 73280f13
      Max Chou authored
      Add the more IDs to usb_device_id table for Realtek RTL8822CE and
      also support the wideband speech capability for all RTL8822CE devices.
      
      -Device(04c5:161f) from /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=04c5 ProdID=161f Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      -Device(0b05:18ef) from /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0b05 ProdID=18ef Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      -Device(13d3:3549) from /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3549 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      -Device(13d3:3553) from /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3553 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      -Device(13d3:3555) from /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3555 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      
      -Device(2ff8:3051) from /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2ff8 ProdID=3051 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarMax Chou <max.chou@realtek.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      73280f13
    • Daniel Winkler's avatar
      Bluetooth: Resume advertising after LE connection · 2943d8ed
      Daniel Winkler authored
      When an LE connection request is made, advertising is disabled and never
      resumed. When a client has an active advertisement, this is disruptive.
      This change adds resume logic for client-configured (non-directed)
      advertisements after the connection attempt.
      
      The patch was tested by registering an advertisement, initiating an LE
      connection from a remote peer, and verifying that the advertisement is
      re-activated after the connection is established. This is performed on
      Hatch and Kukui Chromebooks.
      Signed-off-by: default avatarDaniel Winkler <danielwinkler@google.com>
      Reviewed-by: default avatarAbhishek Pandit-Subedi <abhishekpandit@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      2943d8ed
    • Peilin Ye's avatar
      Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() · f7e0e8b2
      Peilin Ye authored
      `num_reports` is not being properly checked. A malformed event packet with
      a large `num_reports` number makes hci_le_direct_adv_report_evt() read out
      of bounds. Fix it.
      
      Cc: stable@vger.kernel.org
      Fixes: 2f010b55 ("Bluetooth: Add support for handling LE Direct Advertising Report events")
      Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com
      Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01Signed-off-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      f7e0e8b2
    • Anant Thazhemadam's avatar
      Bluetooth: hci_h5: close serdev device and free hu in h5_close · 70f259a3
      Anant Thazhemadam authored
      When h5_close() gets called, the memory allocated for the hu gets
      freed only if hu->serdev doesn't exist. This leads to a memory leak.
      So when h5_close() is requested, close the serdev device instance and
      free the memory allocated to the hu entirely instead.
      
      Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
      Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
      Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
      Signed-off-by: default avatarAnant Thazhemadam <anant.thazhemadam@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      70f259a3
    • Anmol Karn's avatar
      Bluetooth: Fix null pointer dereference in hci_event_packet() · 6dfccd13
      Anmol Karn authored
      AMP_MGR is getting derefernced in hci_phy_link_complete_evt(), when called
      from hci_event_packet() and there is a possibility, that hcon->amp_mgr may
      not be found when accessing after initialization of hcon.
      
      - net/bluetooth/hci_event.c:4945
      The bug seems to get triggered in this line:
      
      bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
      
      Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.
      
      Fixes: d5e91192 ("Bluetooth: AMP: Process Physical Link Complete evt")
      Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
      Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272fSigned-off-by: default avatarAnmol Karn <anmol.karan123@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      6dfccd13
    • Abhishek Pandit-Subedi's avatar
      Bluetooth: btqca: Add valid le states quirk · 54780138
      Abhishek Pandit-Subedi authored
      WCN3991 supports connectable advertisements so we need to add the valid
      le states quirk so the 'central-peripheral' role is exposed in
      userspace.
      Signed-off-by: default avatarAbhishek Pandit-Subedi <abhishekpandit@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      54780138
  4. 08 Nov, 2020 1 commit
  5. 07 Nov, 2020 16 commits
    • Wang Qing's avatar
      ef9ac209
    • Wang Qing's avatar
    • Jakub Kicinski's avatar
      Merge branch 'net-ipa-constrain-gsi-interrupts' · 2d152760
      Jakub Kicinski authored
      Alex Elder says:
      
      ====================
      net: ipa: constrain GSI interrupts
      
      The goal of this series is to more tightly control when GSI
      interrupts are enabled.  This is a long-ish series, so I'll
      describe it in parts.
      
      The first patch is actually unrelated...  I forgot to include
      it in my previous series (which exposed the GSI layer to the
      IPA version).  It is a trivial comments-only update patch.
      
      The second patch defers registering the GSI interrupt handler
      until *after* all of the resources that handler touches have
      been initialized.  In practice, we don't see this interrupt
      that early, but this precludes an obvious problem.
      
      The next two patches are simple changes.  The first just
      trivially renames a field.  The second switches from using
      constant mask values to using an enumerated type of bit
      positions to represent each GSI interrupt type.
      
      The rest implement the "real work."  First, all interrupts
      are disabled at initialization time.  Next, we keep track of
      a bitmask of enabled GSI interrupt types, updating it each
      time we enable or disable one of them.  From there we have
      a set of patches that one-by-one enable each interrupt type
      only during the period it is required.  This includes allowing
      a channel to generate IEOB interrupts only when it has been
      enabled.  And finally, the last patch simplifies some code
      now that all GSI interrupt types are handled uniformly.
      ====================
      
      Link: https://lore.kernel.org/r/20201105181407.8006-1-elder@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2d152760
    • Alex Elder's avatar
      net: ipa: pass a value to gsi_irq_type_update() · 8194be79
      Alex Elder authored
      Now that all of the GSI interrupts are handled uniformly,
      change gsi_irq_type_update() so it takes a value.  Have the
      function assign that value to the cached mask of enabled GSI
      IRQ types before writing it to hardware.
      
      Note that gsi_irq_teardown() will only be called after
      gsi_irq_disable(), so it's not necessary for the former
      to disable all IRQ types.  Get rid of that.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8194be79
    • Alex Elder's avatar
      net: ipa: only enable GSI general IRQs when needed · 352f26a8
      Alex Elder authored
      Most GSI general errors are unrecoverable without a full reset.
      Despite that, we want to receive these errors so we can at least
      report what happened before whatever undefined behavior ensues.
      
      Explicitly disable all such interrupts in gsi_irq_setup(), then
      enable those we want in gsi_irq_enable().  List the interrupt types
      we are interested in (everything but breakpoint) explicitly rather
      than using GSI_CNTXT_GSI_IRQ_ALL, and remove that symbol's
      definition.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      352f26a8
    • Alex Elder's avatar
      net: ipa: explicitly disallow inter-EE interrupts · 46f748cc
      Alex Elder authored
      It is possible for other execution environments (EEs, like the modem)
      to request changes to local (AP) channel or event ring state.  We do
      not support this feature.
      
      In gsi_irq_setup(), explicitly zero the mask that defines which
      channels are permitted to generate inter-EE channel state change
      interrupts.  Do the same for the event ring mask.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      46f748cc
    • Alex Elder's avatar
      net: ipa: only enable GSI IEOB IRQs when needed · 06c86328
      Alex Elder authored
      A GSI channel must be started in order to use it to perform a
      transfer data (or command) transaction.  And the only time we'll see
      an IEOB interrupt is if we send a transaction to a started channel.
      Therefore we do not need to have the IEOB interrupt type enabled
      until at least one channel has been started.  And once the last
      started channel has been stopped, we can disable the IEOB interrupt
      type again.
      
      We already enable the IEOB interrupt for a particular channel only
      when it is started.  Extend that by having the IEOB interrupt *type*
      be enabled only when at least one channel is in STARTED state.
      
      Disallow all channels from triggering the IEOB interrupt in
      gsi_irq_setup().  We only enable an channel's interrupt when
      needed, so there is no longer any need to zero the channel mask
      in gsi_irq_disable().
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      06c86328
    • Alex Elder's avatar
      net: ipa: only enable generic command completion IRQ when needed · d6c9e3f5
      Alex Elder authored
      The completion of a generic EE GSI command is signaled by a global
      interrupt of type GP_INT1.  The only other used type for a global
      interrupt is a hardware error report.
      
      First, disallow all global interrupt types in gsi_irq_setup().  We
      want to know about hardware errors, so re-enable the interrupt type
      in gsi_irq_enable(), to allow hardware errors to be reported.
      Disable that interrupt type again in gsi_irq_disable().
      
      We only issue generic EE commands one at a time, and there's no
      reason to keep the completion interrupt enabled when no generic
      EE command is pending.  We furthermore have no need to enable the
      GP_INT2 or GP_INT3 interrupt types (which aren't used).
      
      The change in gsi_irq_enable() makes GSI_CNTXT_GLOB_IRQ_ALL unused,
      so get rid of it.  Have gsi_generic_command() enable the GP_INT1
      interrupt type (in addition to the ERROR_INT type) only while a
      generic command is pending.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d6c9e3f5
    • Alex Elder's avatar
      net: ipa: only enable GSI event control IRQs when needed · b4175f87
      Alex Elder authored
      A GSI event ring causes an event control interrupt to fire whenever
      its state changes (between NOT_ALLOCATED and ALLOCATED).  No event
      ring should ever change state except when we request it to.
      
      Currently, we permit *all* events rings to generate event control
      interrupts--even those that are never used.  And we enable event
      control interrupts essentially at all times, from setup to teardown.
      
      Instead, only enable the event control interrupt type for the
      duration of an event ring command, and when doing so, only allow
      the event ring being operated upon to cause the interrupt to fire.
      Disallow all event rings from issuing the event control interrupt
      in gsi_irq_setup().
      
      Because an event ring's interrupt is only enabled when needed,
      there is no longer any need to zero the event channel mask in
      gsi_irq_disable().
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b4175f87
    • Alex Elder's avatar
      net: ipa: only enable GSI channel control IRQs when needed · b054d4f9
      Alex Elder authored
      A GSI channel causes a channel control interrupt to fire whenever
      its state changes (between NOT_ALLOCATED, ALLOCATED, STARTED, etc.).
      We do not support inter-EE channel commands (initiated by other EEs),
      so no channel should ever change state except when we request it to.
      
      Currently, we permit *all* channels to generate channel control
      interrupts--even those that are never used.  And we enable channel
      control interrupts essentially at all times, from setup to teardown.
      
      Instead, disable all channel control interrupts initially in
      gsi_irq_setup(), and only enable the channel control interrupt
      type for the duration of a channel command.  When doing so, only
      allow the channel being operated upon to cause the interrupt to
      fire.
      
      Because a channel's interrupt is now enabled only when needed (one
      channel at a time), there is no longer any need to zero the channel
      mask in gsi_irq_disable().
      
      Add new gsi_irq_type_enable() and gsi_irq_type_disable() as helper
      functions to control whether a given GSI interrupt type is enabled.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b054d4f9
    • Alex Elder's avatar
      net: ipa: cache last-saved GSI IRQ enabled type · 3ca97ffd
      Alex Elder authored
      Keep track of the set of GSI interrupt types that are currently
      enabled by recording the mask value to write (or last written) to
      the TYPE_IRQ_MSK register.
      
      Create a new helper function gsi_irq_type_update() to handle
      actually writing the register.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3ca97ffd
    • Alex Elder's avatar
      net: ipa: disable all GSI interrupt types initially · 97eb94c8
      Alex Elder authored
      Introduce gsi_irq_setup() and gsi_irq_teardown() to disable all
      GSI interrupts when first setting up GSI hardware, and to clean
      things up when we're done.
      
      Re-enable all GSI interrupt types in gsi_irq_enable(), but do
      so only after each of the type-specific interrupt masks has
      been configured.  Similarly, disable all interrupt types in
      gsi_irq_disable()--first--before zeroing out the type-specific
      masks.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      97eb94c8
    • Alex Elder's avatar
      net: ipa: define GSI interrupt types with an enum · f9b28804
      Alex Elder authored
      Define the GSI interrupt types with an enumerated type whose values
      are the bit positions representing each interrupt type.  Include a
      short comment describing how each interrupt type is used.
      
      Build up the enabled interrupt mask explicitly in gsi_irq_enable(),
      and get rid of the definition of GSI_CNTXT_TYPE_IRQ_MSK_ALL.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f9b28804
    • Alex Elder's avatar
      net: ipa: rename gsi->event_enable_bitmap · a054539d
      Alex Elder authored
      Rename the "event_enable_bitmap" field of the GSI structure to be
      "ieob_enabled_bitmap".  An upcoming patch will cache the last value
      stored for another interrupt mask and this is a more direct naming
      convention to follow.
      
      Add a few comments to explain the bitmap fields in the GSI structure.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a054539d
    • Alex Elder's avatar
      net: ipa: request GSI IRQ later · 0b8d6761
      Alex Elder authored
      Introduce gsi_irq_init() and gsi_irq_exit(), to encapsulate looking
      up the GSI IRQ and registering its handler.  Call gsi_irq_init() a
      little later in gsi_init(), and initialize the completion earlier.
      The IRQ handler accesses both the GSI virtual memory pointer and the
      completion, and this way these things will have been initialized
      before the gsi_irq() can ever be called.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0b8d6761
    • Alex Elder's avatar
      net: ipa: refer to IPA versions, not GSI · 4a04d65c
      Alex Elder authored
      The GSI code is now exposed to IPA version numbers, and we handle
      version-specific behavior based on the IPA version.
      
      Modify some comments that talk about GSI versions so they reference
      IPA versions instead.  Correct version number errors in a couple of
      these comments.
      
      The (comment) mapping between IPA and GSI versions in the definition
      of the ipa_version enumerated type remains.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4a04d65c