
Commit e6b2190

committed
Merge tag 'for-net-2024-04-24' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional() - hci_sync: Using hci_cmd_sync_submit when removing Adv Monitor - qca: fix invalid device address check - hci_sync: Use advertised PHYs on hci_le_ext_create_conn_sync - Fix type of len in {l2cap,sco}_sock_getsockopt_old() - btusb: mediatek: Fix double free of skb in coredump - btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 - btusb: Fix triggering coredump implementation for QCA * tag 'for-net-2024-04-24' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional() Bluetooth: hci_sync: Using hci_cmd_sync_submit when removing Adv Monitor Bluetooth: qca: fix NULL-deref on non-serdev setup Bluetooth: qca: fix NULL-deref on non-serdev suspend Bluetooth: btusb: mediatek: Fix double free of skb in coredump Bluetooth: MGMT: Fix failing to MGMT_OP_ADD_UUID/MGMT_OP_REMOVE_UUID Bluetooth: qca: fix invalid device address check Bluetooth: hci_event: Fix sending HCI_OP_READ_ENC_KEY_SIZE Bluetooth: btusb: Fix triggering coredump implementation for QCA Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 Bluetooth: hci_sync: Use advertised PHYs on hci_le_ext_create_conn_sync Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() ==================== Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>
2 parents 7301177 + 3d05fc8 commit e6b2190


12 files changed

+124
-49
lines changed


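--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -380,8 +380,10 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 switch (data->cd_info.state) {
 case HCI_DEVCOREDUMP_IDLE:
 err = hci_devcd_init(hdev, MTK_COREDUMP_SIZE);
-if (err < 0)
+if (err < 0) {
+kfree_skb(skb);
 break;
+}
 data->cd_info.cnt = 0;
 
 /* It is supposed coredump can be done within 5 seconds */
@@ -407,9 +409,6 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 break;
 }
 
-if (err < 0)
-kfree_skb(skb);
-
 return err;
 }
 EXPORT_SYMBOL_GPL(btmtk_process_coredump);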
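Review bot: With the trailing `if (err < 0) kfree_skb(skb);` removed in the second hunk, every branch of the switch that leaves `err < 0` now has to release the skb itself, and only the HCI_DEVCOREDUMP_IDLE branch is visible here; the other cases sit between the two hunks, outside this view, so each of them should be confirmed to either free the skb or hand it on before `break`. The ownership rule is easy to lose on the next edit, so I would state it once on the function (its signature is also outside the hunk): `/* Consumes @skb: every path out of the switch must have freed it or handed it to the coredump core. */`. Whether every non-IDLE path already does so cannot be verified from this hunk alone.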

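--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -15,6 +15,8 @@
 
 #define VERSION "0.1"
 
+#define QCA_BDADDR_DEFAULT (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x00, 0x00 }})
+
 int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver,
 enum qca_btsoc_type soc_type)
 {
@@ -612,6 +614,38 @@ int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
 }
 EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome);
 
+static int qca_check_bdaddr(struct hci_dev *hdev)
+{
+struct hci_rp_read_bd_addr *bda;
+struct sk_buff *skb;
+int err;
+
+if (bacmp(&hdev->public_addr, BDADDR_ANY))
+return 0;
+
+skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
+HCI_INIT_TIMEOUT);
+if (IS_ERR(skb)) {
+err = PTR_ERR(skb);
+bt_dev_err(hdev, "Failed to read device address (%d)", err);
+return err;
+}
+
+if (skb->len != sizeof(*bda)) {
+bt_dev_err(hdev, "Device address length mismatch");
+kfree_skb(skb);
+return -EIO;
+}
+
+bda = (struct hci_rp_read_bd_addr *)skb->data;
+if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT))
+set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
+
+kfree_skb(skb);
+
+return 0;
+}
+
 static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size,
 struct qca_btsoc_version ver, u8 rom_ver, u16 bid)
 {
@@ -818,6 +852,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
 break;
 }
 
+err = qca_check_bdaddr(hdev);
+if (err)
+return err;
+
 bt_dev_info(hdev, "QCA setup on UART is completed");
 
 return 0;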
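Review bot: `qca_check_bdaddr` and the new `QCA_BDADDR_DEFAULT` macro carry no explanation of what the hard-coded address means, and the decision they make (setting HCI_QUIRK_USE_BDADDR_PROPERTY) now applies to every SoC type that reaches the end of `qca_uart_setup`, where the hci_qca.c hunk previously set the quirk only for WCN6750/6855/7850 by SoC type; a maintainer needs that rationale next to the code. I would put above the define `/* Address reported by the controller when no address has been programmed (presumably a firmware default; confirm per SoC). Seeing it means the real address must come from the DT/ACPI property. */` and above the function a one-liner saying it queries the controller only while `hdev->public_addr` is still BDADDR_ANY. The length-mismatch error would also be more useful with the numbers in it: `bt_dev_err(hdev, "Device address length mismatch (%u != %zu)", skb->len, sizeof(*bda));`.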

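--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -542,6 +542,8 @@ static const struct usb_device_id quirks_table[] = {
 /* Realtek 8852BE Bluetooth devices */
 { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK |
 BTUSB_WIDEBAND_SPEECH },
+{ USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK |
+BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK |
 BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK |
@@ -3480,13 +3482,12 @@ static void btusb_dump_hdr_qca(struct hci_dev *hdev, struct sk_buff *skb)
 
 static void btusb_coredump_qca(struct hci_dev *hdev)
 {
+int err;
 static const u8 param[] = { 0x26 };
-struct sk_buff *skb;
 
-skb = __hci_cmd_sync(hdev, 0xfc0c, 1, param, HCI_CMD_TIMEOUT);
-if (IS_ERR(skb))
-bt_dev_err(hdev, "%s: triggle crash failed (%ld)", __func__, PTR_ERR(skb));
-kfree_skb(skb);
+err = __hci_cmd_send(hdev, 0xfc0c, 1, param);
+if (err < 0)
+bt_dev_err(hdev, "%s: triggle crash failed (%d)", __func__, err);
 }
 
 /*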
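Review bot: The rewritten error line in `btusb_coredump_qca` carries over the typo "triggle" from the removed line; since the line is new anyway, it should read `bt_dev_err(hdev, "%s: trigger crash failed (%d)", __func__, err);`. The vendor opcode `0xfc0c` and the single parameter byte `0x26` also remain bare magic numbers in the new call; their meaning is not recoverable from this hunk, so a comment on `param` stating which vendor command this is (or a named constant for the opcode) would save the next reader a trip to the vendor spec. The quirks_table hunk is a plain device-ID addition and needs nothing.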

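--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1672,6 +1672,9 @@ static bool qca_wakeup(struct hci_dev *hdev)
 struct hci_uart *hu = hci_get_drvdata(hdev);
 bool wakeup;
 
+if (!hu->serdev)
+return true;
+
 /* BT SoC attached through the serial bus is handled by the serdev driver.
 * So we need to use the device handle of the serdev driver to get the
 * status of device may wakeup.
@@ -1905,8 +1908,6 @@ static int qca_setup(struct hci_uart *hu)
 case QCA_WCN6750:
 case QCA_WCN6855:
 case QCA_WCN7850:
-set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
-
 qcadev = serdev_device_get_drvdata(hu->serdev);
 if (qcadev->bdaddr_property_broken)
 set_bit(HCI_QUIRK_BDADDR_PROPERTY_BROKEN, &hdev->quirks);
@@ -1957,8 +1958,10 @@ static int qca_setup(struct hci_uart *hu)
 qca_debugfs_init(hdev);
 hu->hdev->hw_error = qca_hw_error;
 hu->hdev->cmd_timeout = qca_cmd_timeout;
-if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
-hu->hdev->wakeup = qca_wakeup;
+if (hu->serdev) {
+if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+hu->hdev->wakeup = qca_wakeup;
+}
 } else if (ret == -ENOENT) {
 /* No patch/nvm-config found, run with original fw/config */
 set_bit(QCA_ROM_FW, &qca->flags);
@@ -2329,16 +2332,21 @@ static int qca_serdev_probe(struct serdev_device *serdev)
 (data->soc_type == QCA_WCN6750 ||
 data->soc_type == QCA_WCN6855)) {
 dev_err(&serdev->dev, "failed to acquire BT_EN gpio\n");
-power_ctrl_enabled = false;
+return PTR_ERR(qcadev->bt_en);
 }
 
+if (!qcadev->bt_en)
+power_ctrl_enabled = false;
+
 qcadev->sw_ctrl = devm_gpiod_get_optional(&serdev->dev, "swctrl",
 GPIOD_IN);
 if (IS_ERR(qcadev->sw_ctrl) &&
 (data->soc_type == QCA_WCN6750 ||
 data->soc_type == QCA_WCN6855 ||
-data->soc_type == QCA_WCN7850))
-dev_warn(&serdev->dev, "failed to acquire SW_CTRL gpio\n");
+data->soc_type == QCA_WCN7850)) {
+dev_err(&serdev->dev, "failed to acquire SW_CTRL gpio\n");
+return PTR_ERR(qcadev->sw_ctrl);
+}
 
 qcadev->susclk = devm_clk_get_optional(&serdev->dev, NULL);
 if (IS_ERR(qcadev->susclk)) {
@@ -2357,10 +2365,13 @@ static int qca_serdev_probe(struct serdev_device *serdev)
 qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
 GPIOD_OUT_LOW);
 if (IS_ERR(qcadev->bt_en)) {
-dev_warn(&serdev->dev, "failed to acquire enable gpio\n");
-power_ctrl_enabled = false;
+dev_err(&serdev->dev, "failed to acquire enable gpio\n");
+return PTR_ERR(qcadev->bt_en);
 }
 
+if (!qcadev->bt_en)
+power_ctrl_enabled = false;
+
 qcadev->susclk = devm_clk_get_optional(&serdev->dev, NULL);
 if (IS_ERR(qcadev->susclk)) {
 dev_warn(&serdev->dev, "failed to acquire clk\n");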
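Review bot: In the first `qca_serdev_probe` hunk the new `return PTR_ERR(qcadev->bt_en)` only fires when soc_type is WCN6750/6855, and the new `if (!qcadev->bt_en) power_ctrl_enabled = false;` does not catch an ERR_PTR either (it is non-NULL), so for the other SoC types handled in that branch a failed lookup leaves `bt_en` holding an error pointer with `power_ctrl_enabled` still true; `sw_ctrl` has the same shape. The SoC-type condition predates this hunk and whether those SoC types later drive `bt_en` is outside this view, so this may be an accepted pre-existing gap, but the new NULL test is the natural place to close it: `if (IS_ERR_OR_NULL(qcadev->bt_en)) power_ctrl_enabled = false;`, or drop the SoC-type qualifier from the IS_ERR check as the second probe hunk already does. The `qca_wakeup` guard would also read better with its reason attached, e.g. `/* No serdev, so no parent device to ask; assume wakeup is possible. */` (that this is the intended meaning of returning true is inferred, not shown).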

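--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -738,6 +738,8 @@ struct hci_conn {
 __u8 le_per_adv_data[HCI_MAX_PER_AD_TOT_LEN];
 __u16 le_per_adv_data_len;
 __u16 le_per_adv_data_offset;
+__u8 le_adv_phy;
+__u8 le_adv_sec_phy;
 __u8 le_tx_phy;
 __u8 le_rx_phy;
 __s8 rssi;
@@ -1512,7 +1514,7 @@ struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
 enum conn_reasons conn_reason);
 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 u8 dst_type, bool dst_resolved, u8 sec_level,
-u16 conn_timeout, u8 role);
+u16 conn_timeout, u8 role, u8 phy, u8 sec_phy);
 void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status);
 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
 u8 sec_level, u8 auth_type,
@@ -1905,6 +1907,10 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
 #define privacy_mode_capable(dev) (use_ll_privacy(dev) && \
 (hdev->commands[39] & 0x04))
 
+#define read_key_size_capable(dev) \
+((dev)->commands[20] & 0x10 && \
+!test_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &hdev->quirks))
+
 /* Use enhanced synchronous connection if command is supported and its quirk
 * has not been set.
 */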
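Review bot: The new `read_key_size_capable(dev)` macro uses its `dev` argument for the `commands[20]` test but the bare identifier `hdev` for the quirk test, so half of the check silently binds to whatever `hdev` is in scope at the expansion site and ignores the argument. Both expansions in this commit (hci_event.c) happen to pass `hdev`, which is why it compiles and behaves, but any caller with a differently named device would either fail to build or test the wrong controller's quirks; the quirk line should be `!test_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &(dev)->quirks))`, and wrapping the first operand as `((dev)->commands[20] & 0x10)` makes the `&`/`&&` precedence explicit. The neighbouring `privacy_mode_capable` context line has the same `hdev` dependence, so this is a copied pattern rather than a one-off, but the new macro is the one under review. The two `le_adv_phy`/`le_adv_sec_phy` fields would also benefit from a `/* HCI_ADV_PHY_* the peer advertised on */` comment, matching the surrounding field style.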

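--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1263,7 +1263,7 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
 
 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 u8 dst_type, bool dst_resolved, u8 sec_level,
-u16 conn_timeout, u8 role)
+u16 conn_timeout, u8 role, u8 phy, u8 sec_phy)
 {
 struct hci_conn *conn;
 struct smp_irk *irk;
@@ -1326,6 +1326,8 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 conn->dst_type = dst_type;
 conn->sec_level = BT_SECURITY_LOW;
 conn->conn_timeout = conn_timeout;
+conn->le_adv_phy = phy;
+conn->le_adv_sec_phy = sec_phy;
 
 err = hci_connect_le_sync(hdev, conn);
 if (err) {
@@ -2273,7 +2275,7 @@ struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
 le = hci_connect_le(hdev, dst, dst_type, false,
 BT_SECURITY_LOW,
 HCI_LE_CONN_TIMEOUT,
-HCI_ROLE_SLAVE);
+HCI_ROLE_SLAVE, 0, 0);
 else
 le = hci_connect_le_scan(hdev, dst, dst_type,
 BT_SECURITY_LOW,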
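Review bot: The new `phy`/`sec_phy` parameters of `hci_connect_le` are stored into the connection without any statement of what values are legal or what `0` means, yet the callers in this commit pass two very different things: controller-reported PHYs from hci_event.c, and the literal `0, 0` from `hci_connect_cis` here and `l2cap_chan_connect` (both HCI_ROLE_SLAVE). A comment at the assignment would pin that contract for the next caller, e.g. `/* PHYs the peer was seen advertising on (HCI_ADV_PHY_*); 0 when unknown, e.g. when we are the peripheral. */` — the "0 = unknown" reading is inferred from the slave-role callers rather than stated anywhere on the page. Worth noting in the same comment that hci_sync.c compares these fields for exact equality with HCI_ADV_PHY_1M/2M/CODED when choosing initiating PHYs, so an unexpected value selects no PHY rather than failing loudly. The function body continues outside the hunk.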

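--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3218,7 +3218,7 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
 if (key) {
 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
 
-if (!(hdev->commands[20] & 0x10)) {
+if (!read_key_size_capable(hdev)) {
 conn->enc_key_size = HCI_LINK_KEY_SIZE;
 } else {
 cp.handle = cpu_to_le16(conn->handle);
@@ -3666,8 +3666,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
 * controller really supports it. If it doesn't, assume
 * the default size (16).
 */
-if (!(hdev->commands[20] & 0x10) ||
-test_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &hdev->quirks)) {
+if (!read_key_size_capable(hdev)) {
 conn->enc_key_size = HCI_LINK_KEY_SIZE;
 goto notify;
 }
@@ -6038,7 +6037,7 @@ static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
 bdaddr_t *addr,
 u8 addr_type, bool addr_resolved,
-u8 adv_type)
+u8 adv_type, u8 phy, u8 sec_phy)
 {
 struct hci_conn *conn;
 struct hci_conn_params *params;
@@ -6093,7 +6092,7 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
 
 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
-HCI_ROLE_MASTER);
+HCI_ROLE_MASTER, phy, sec_phy);
 if (!IS_ERR(conn)) {
 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
 * by higher layer that tried to connect, if no then
@@ -6128,8 +6127,9 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
 
 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 u8 bdaddr_type, bdaddr_t *direct_addr,
-u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
-bool ext_adv, bool ctl_time, u64 instant)
+u8 direct_addr_type, u8 phy, u8 sec_phy, s8 rssi,
+u8 *data, u8 len, bool ext_adv, bool ctl_time,
+u64 instant)
 {
 struct discovery_state *d = &hdev->discovery;
 struct smp_irk *irk;
@@ -6217,7 +6217,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 * for advertising reports) and is already verified to be RPA above.
 */
 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
-type);
+type, phy, sec_phy);
 if (!ext_adv && conn && type == LE_ADV_IND &&
 len <= max_adv_len(hdev)) {
 /* Store report for later inclusion by
@@ -6363,7 +6363,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
 if (info->length <= max_adv_len(hdev)) {
 rssi = info->data[info->length];
 process_adv_report(hdev, info->type, &info->bdaddr,
-info->bdaddr_type, NULL, 0, rssi,
+info->bdaddr_type, NULL, 0,
+HCI_ADV_PHY_1M, 0, rssi,
 info->data, info->length, false,
 false, instant);
 } else {
@@ -6448,6 +6449,8 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
 if (legacy_evt_type != LE_ADV_INVALID) {
 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
 info->bdaddr_type, NULL, 0,
+info->primary_phy,
+info->secondary_phy,
 info->rssi, info->data, info->length,
 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
 false, instant);
@@ -6730,8 +6733,8 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
 
 process_adv_report(hdev, info->type, &info->bdaddr,
 info->bdaddr_type, &info->direct_addr,
-info->direct_addr_type, HCI_ADV_PHY_1M, 0,
-info->rssi, NULL, 0, false, false, instant);
+info->direct_addr_type, HCI_ADV_PHY_1M, 0,
+info->rssi, NULL, 0, false, false, instant);
 }
 
 hci_dev_unlock(hdev);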
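Review bot: In the `hci_le_ext_adv_report_evt` hunk, `info->primary_phy` and `info->secondary_phy` are forwarded straight from the controller's event into `process_adv_report`, then through `check_pending_le_conn` and `hci_connect_le` into `conn->le_adv_phy`/`le_adv_sec_phy`, with no range check at any of the three new parameter sites. The only consumer visible in this commit (hci_sync.c) compares them for equality with HCI_ADV_PHY_1M/2M/CODED, so an out-of-range value from a misbehaving controller cannot index anything, but it does mean no initiating PHY gets selected; that consequence should be known at the point the values enter. Since `process_adv_report` is the funnel, I would document the new parameters on it, along the lines of `@phy`/`@sec_phy`: the HCI_ADV_PHY_* values the report was received on, `sec_phy` 0 when there is no secondary PHY — the "0 = none" meaning is inferred from the legacy callers passing `HCI_ADV_PHY_1M, 0` rather than stated on the page. The `read_key_size_capable` hunks are a faithful consolidation of the two old conditions and need nothing here beyond the macro fix noted in hci_core.h.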

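--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6346,23 +6346,26 @@ static int hci_le_ext_create_conn_sync(struct hci_dev *hdev,
 
 plen = sizeof(*cp);
 
-if (scan_1m(hdev)) {
+if (scan_1m(hdev) && (conn->le_adv_phy == HCI_ADV_PHY_1M ||
+conn->le_adv_sec_phy == HCI_ADV_PHY_1M)) {
 cp->phys |= LE_SCAN_PHY_1M;
 set_ext_conn_params(conn, p);
 
 p++;
 plen += sizeof(*p);
 }
 
-if (scan_2m(hdev)) {
+if (scan_2m(hdev) && (conn->le_adv_phy == HCI_ADV_PHY_2M ||
+conn->le_adv_sec_phy == HCI_ADV_PHY_2M)) {
 cp->phys |= LE_SCAN_PHY_2M;
 set_ext_conn_params(conn, p);
 
 p++;
 plen += sizeof(*p);
 }
 
-if (scan_coded(hdev)) {
+if (scan_coded(hdev) && (conn->le_adv_phy == HCI_ADV_PHY_CODED ||
+conn->le_adv_sec_phy == HCI_ADV_PHY_CODED)) {
 cp->phys |= LE_SCAN_PHY_CODED;
 set_ext_conn_params(conn, p);
 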

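--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7018,7 +7018,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
 hcon = hci_connect_le(hdev, dst, dst_type, false,
 chan->sec_level, timeout,
-HCI_ROLE_SLAVE);
+HCI_ROLE_SLAVE, 0, 0);
 else
 hcon = hci_connect_le_scan(hdev, dst, dst_type,
 chan->sec_level, timeout,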

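--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -439,7 +439,8 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 struct l2cap_options opts;
 struct l2cap_conninfo cinfo;
-int len, err = 0;
+int err = 0;
+size_t len;
 u32 opt;
 
 BT_DBG("sk %p", sk);
@@ -486,7 +487,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
 
 BT_DBG("mode 0x%2.2x", chan->mode);
 
-len = min_t(unsigned int, len, sizeof(opts));
+len = min(len, sizeof(opts));
 if (copy_to_user(optval, (char *) &opts, len))
 err = -EFAULT;
 
@@ -536,7 +537,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
 cinfo.hci_handle = chan->conn->hcon->handle;
 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
 
-len = min_t(unsigned int, len, sizeof(cinfo));
+len = min(len, sizeof(cinfo));
 if (copy_to_user(optval, (char *) &cinfo, len))
 err = -EFAULT;
 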
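Review bot: Changing `len` to `size_t` alters the conversion at the places where it is filled from, and possibly written back to, the caller's length — and those lines are outside all three hunks, so they cannot be checked here. The two `min(len, sizeof(...))` clamps that are visible still bound both `copy_to_user` calls, so a negative caller-supplied length that becomes a large `size_t` is reduced to the option size rather than copied as-is; that is the property to preserve, and it is worth stating at the declaration: `size_t len; /* caller-supplied, clamped to the option size before every copy_to_user() */`. If the length is read with `get_user()` from an `int`-sized pointer (inferred from the usual getsockopt signature, not shown), confirm that the sign extension into `size_t` is intended and that any write-back of `len` to the caller still goes through an `int`.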
