Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'for-net-next-2025-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

Luiz Augusto von Dentz says:

====================
bluetooth-next pull request for net-next:

core:

- MAINTAINERS: add a sub-entry for the Qualcomm bluetooth driver
- Avoid a couple dozen -Wflex-array-member-not-at-end warnings
- bcsp: receive data only if registered
- HCI: Fix using LE/ACL buffers for ISO packets
- hci_core: Detect if an ISO link has stalled
- ISO: Don't initiate CIS connections if there are no buffers
- ISO: Use sk_sndtimeo as conn_timeout

drivers:

- btusb: Check for unexpected bytes when defragmenting HCI frames
- btusb: Add new VID/PID 13d3/3627 for MT7925
- btusb: Add new VID/PID 13d3/3633 for MT7922
- btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1
- btintel: Add support for BlazarIW core
- btintel_pcie: Add support for _suspend() / _resume()
- btintel_pcie: Define hdev->wakeup() callback
- btintel_pcie: Add Bluetooth core/platform as comments
- btintel_pcie: Add id of Scorpious, Panther Lake-H484
- btintel_pcie: Refactor Device Coredump

* tag 'for-net-next-2025-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next: (30 commits)
Bluetooth: Avoid a couple dozen -Wflex-array-member-not-at-end warnings
Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements
Bluetooth: ISO: don't leak skb in ISO_CONT RX
Bluetooth: ISO: free rx_skb if not consumed
Bluetooth: ISO: Fix possible UAF on iso_conn_free
Bluetooth: SCO: Fix UAF on sco_conn_free
Bluetooth: bcsp: receive data only if registered
Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922
Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925
Bluetooth: remove duplicate h4_recv_buf() in header
Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames
Bluetooth: hci_core: Print information of hcon on hci_low_sent
Bluetooth: hci_core: Print number of packets in conn->data_q
Bluetooth: Add function and line information to bt_dbg
Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO
Bluetooth: hci_core: Detect if an ISO link has stalled
Bluetooth: ISO: Use sk_sndtimeo as conn_timeout
Bluetooth: HCI: Fix using LE/ACL buffers for ISO packets
Bluetooth: ISO: Don't initiate CIS connections if there are no buffers
MAINTAINERS: add a sub-entry for the Qualcomm bluetooth driver
...
====================

Link: https://patch.msgid.link/20250927154616.1032839-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+344 -367
+7
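--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -20686,6 +20686,13 @@
 F: Documentation/devicetree/bindings/net/qcom,bam-dmux.yaml
 F: drivers/net/wwan/qcom_bam_dmux.c
 
+QUALCOMM BLUETOOTH DRIVER
+L: linux-arm-msm@vger.kernel.org
+S: Maintained
+F: drivers/bluetooth/btqca.[ch]
+F: drivers/bluetooth/btqcomsmd.c
+F: drivers/bluetooth/hci_qca.c
+
 QUALCOMM CAMERA SUBSYSTEM DRIVER
 M: Robert Foss <rfoss@kernel.org>
 M: Todor Tomov <todor.too@gmail.com>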
+1 -1
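--- a/drivers/bluetooth/bpa10x.c
+++ b/drivers/bluetooth/bpa10x.c
@@ -20,7 +20,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 
-#include "h4_recv.h"
+#include "hci_uart.h"
 
 #define VERSION "0.11"
 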
+3
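--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -484,6 +484,7 @@
 case 0x1d: /* BlazarU (BzrU) */
 case 0x1e: /* BlazarI (Bzr) */
 case 0x1f: /* Scorpious Peak */
+case 0x22: /* BlazarIW (BzrIW) */
 break;
 default:
 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
@@ -3253,6 +3254,7 @@
 case 0x1d:
 case 0x1e:
 case 0x1f:
+case 0x22:
 hci_set_msft_opcode(hdev, 0xFC1E);
 break;
 default:
@@ -3593,6 +3595,7 @@
 case 0x1d:
 case 0x1e:
 case 0x1f:
+case 0x22:
 /* Display version information of TLV type */
 btintel_version_info_tlv(hdev, &ver_tlv);
 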
+180 -146
drivers/bluetooth/btintel_pcie.c
··· 15 15 #include <linux/interrupt.h> 16 16 17 17 #include <linux/unaligned.h> 18 + #include <linux/devcoredump.h> 18 19 19 20 #include <net/bluetooth/bluetooth.h> 20 21 #include <net/bluetooth/hci_core.h> ··· 36 35 37 36 /* Intel Bluetooth PCIe device id table */ 38 37 static const struct pci_device_id btintel_pcie_table[] = { 38 + /* BlazarI, Wildcat Lake */ 39 39 { BTINTEL_PCI_DEVICE(0x4D76, PCI_ANY_ID) }, 40 + /* BlazarI, Lunar Lake */ 40 41 { BTINTEL_PCI_DEVICE(0xA876, PCI_ANY_ID) }, 42 + /* Scorpious, Panther Lake-H484 */ 43 + { BTINTEL_PCI_DEVICE(0xE376, PCI_ANY_ID) }, 44 + /* Scorpious, Panther Lake-H404 */ 41 45 { BTINTEL_PCI_DEVICE(0xE476, PCI_ANY_ID) }, 42 46 { 0 } 43 47 }; ··· 560 554 btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, reg); 561 555 } 562 556 563 - static int btintel_pcie_add_dmp_data(struct hci_dev *hdev, const void *data, int size) 564 - { 565 - struct sk_buff *skb; 566 - int err; 567 - 568 - skb = alloc_skb(size, GFP_ATOMIC); 569 - if (!skb) 570 - return -ENOMEM; 571 - 572 - skb_put_data(skb, data, size); 573 - err = hci_devcd_append(hdev, skb); 574 - if (err) { 575 - bt_dev_err(hdev, "Failed to append data in the coredump"); 576 - return err; 577 - } 578 - 579 - return 0; 580 - } 581 - 582 557 static int btintel_pcie_get_mac_access(struct btintel_pcie_data *data) 583 558 { 584 559 u32 reg; ··· 604 617 btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, reg); 605 618 } 606 619 607 - static void btintel_pcie_copy_tlv(struct sk_buff *skb, enum btintel_pcie_tlv_type type, 608 - void *data, int size) 620 + static void *btintel_pcie_copy_tlv(void *dest, enum btintel_pcie_tlv_type type, 621 + void *data, size_t size) 609 622 { 610 623 struct intel_tlv *tlv; 611 624 612 - tlv = skb_put(skb, sizeof(*tlv) + size); 625 + tlv = dest; 613 626 tlv->type = type; 614 627 tlv->len = size; 615 628 memcpy(tlv->val, data, tlv->len); 629 + return dest + sizeof(*tlv) + size; 616 630 } 617 631 618 632 static int 
btintel_pcie_read_dram_buffers(struct btintel_pcie_data *data) 619 633 { 620 - u32 offset, prev_size, wr_ptr_status, dump_size, i; 634 + u32 offset, prev_size, wr_ptr_status, dump_size, data_len; 621 635 struct btintel_pcie_dbgc *dbgc = &data->dbgc; 622 - u8 buf_idx, dump_time_len, fw_build; 623 636 struct hci_dev *hdev = data->hdev; 637 + u8 *pdata, *p, buf_idx; 624 638 struct intel_tlv *tlv; 625 639 struct timespec64 now; 626 - struct sk_buff *skb; 627 640 struct tm tm_now; 628 - char buf[256]; 629 - u16 hdr_len; 630 - int ret; 641 + char fw_build[128]; 642 + char ts[128]; 643 + char vendor[64]; 644 + char driver[64]; 645 + 646 + if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) 647 + return -EOPNOTSUPP; 648 + 631 649 632 650 wr_ptr_status = btintel_pcie_rd_dev_mem(data, BTINTEL_PCIE_DBGC_CUR_DBGBUFF_STATUS); 633 651 offset = wr_ptr_status & BTINTEL_PCIE_DBG_OFFSET_BIT_MASK; ··· 649 657 else 650 658 return -EINVAL; 651 659 660 + snprintf(vendor, sizeof(vendor), "Vendor: Intel\n"); 661 + snprintf(driver, sizeof(driver), "Driver: %s\n", 662 + data->dmp_hdr.driver_name); 663 + 652 664 ktime_get_real_ts64(&now); 653 665 time64_to_tm(now.tv_sec, 0, &tm_now); 654 - dump_time_len = snprintf(buf, sizeof(buf), "Dump Time: %02d-%02d-%04ld %02d:%02d:%02d", 666 + snprintf(ts, sizeof(ts), "Dump Time: %02d-%02d-%04ld %02d:%02d:%02d", 655 667 tm_now.tm_mday, tm_now.tm_mon + 1, tm_now.tm_year + 1900, 656 668 tm_now.tm_hour, tm_now.tm_min, tm_now.tm_sec); 657 669 658 - fw_build = snprintf(buf + dump_time_len, sizeof(buf) - dump_time_len, 670 + snprintf(fw_build, sizeof(fw_build), 659 671 "Firmware Timestamp: Year %u WW %02u buildtype %u build %u", 660 672 2000 + (data->dmp_hdr.fw_timestamp >> 8), 661 673 data->dmp_hdr.fw_timestamp & 0xff, data->dmp_hdr.fw_build_type, 662 674 data->dmp_hdr.fw_build_num); 663 675 664 - hdr_len = sizeof(*tlv) + sizeof(data->dmp_hdr.cnvi_bt) + 665 - sizeof(*tlv) + sizeof(data->dmp_hdr.write_ptr) + 666 - sizeof(*tlv) + sizeof(data->dmp_hdr.wrap_ctr) + 667 - 
sizeof(*tlv) + sizeof(data->dmp_hdr.trigger_reason) + 668 - sizeof(*tlv) + sizeof(data->dmp_hdr.fw_git_sha1) + 669 - sizeof(*tlv) + sizeof(data->dmp_hdr.cnvr_top) + 670 - sizeof(*tlv) + sizeof(data->dmp_hdr.cnvi_top) + 671 - sizeof(*tlv) + dump_time_len + 672 - sizeof(*tlv) + fw_build; 676 + data_len = sizeof(*tlv) + sizeof(data->dmp_hdr.cnvi_bt) + 677 + sizeof(*tlv) + sizeof(data->dmp_hdr.write_ptr) + 678 + sizeof(*tlv) + sizeof(data->dmp_hdr.wrap_ctr) + 679 + sizeof(*tlv) + sizeof(data->dmp_hdr.trigger_reason) + 680 + sizeof(*tlv) + sizeof(data->dmp_hdr.fw_git_sha1) + 681 + sizeof(*tlv) + sizeof(data->dmp_hdr.cnvr_top) + 682 + sizeof(*tlv) + sizeof(data->dmp_hdr.cnvi_top) + 683 + sizeof(*tlv) + strlen(ts) + 684 + sizeof(*tlv) + strlen(fw_build) + 685 + sizeof(*tlv) + strlen(vendor) + 686 + sizeof(*tlv) + strlen(driver); 673 687 674 - dump_size = hdr_len + sizeof(hdr_len); 688 + /* 689 + * sizeof(u32) - signature 690 + * sizeof(data_len) - to store tlv data size 691 + * data_len - TLV data 692 + */ 693 + dump_size = sizeof(u32) + sizeof(data_len) + data_len; 675 694 676 - skb = alloc_skb(dump_size, GFP_KERNEL); 677 - if (!skb) 678 - return -ENOMEM; 679 695 680 696 /* Add debug buffers data length to dump size */ 681 697 dump_size += BTINTEL_PCIE_DBGC_BUFFER_SIZE * dbgc->count; 682 698 683 - ret = hci_devcd_init(hdev, dump_size); 684 - if (ret) { 685 - bt_dev_err(hdev, "Failed to init devcoredump, err %d", ret); 686 - kfree_skb(skb); 687 - return ret; 688 - } 699 + pdata = vmalloc(dump_size); 700 + if (!pdata) 701 + return -ENOMEM; 702 + p = pdata; 689 703 690 - skb_put_data(skb, &hdr_len, sizeof(hdr_len)); 704 + *(u32 *)p = BTINTEL_PCIE_MAGIC_NUM; 705 + p += sizeof(u32); 691 706 692 - btintel_pcie_copy_tlv(skb, BTINTEL_CNVI_BT, &data->dmp_hdr.cnvi_bt, 693 - sizeof(data->dmp_hdr.cnvi_bt)); 707 + *(u32 *)p = data_len; 708 + p += sizeof(u32); 694 709 695 - btintel_pcie_copy_tlv(skb, BTINTEL_WRITE_PTR, &data->dmp_hdr.write_ptr, 696 - sizeof(data->dmp_hdr.write_ptr)); 
710 + 711 + p = btintel_pcie_copy_tlv(p, BTINTEL_VENDOR, vendor, strlen(vendor)); 712 + p = btintel_pcie_copy_tlv(p, BTINTEL_DRIVER, driver, strlen(driver)); 713 + p = btintel_pcie_copy_tlv(p, BTINTEL_DUMP_TIME, ts, strlen(ts)); 714 + p = btintel_pcie_copy_tlv(p, BTINTEL_FW_BUILD, fw_build, 715 + strlen(fw_build)); 716 + p = btintel_pcie_copy_tlv(p, BTINTEL_CNVI_BT, &data->dmp_hdr.cnvi_bt, 717 + sizeof(data->dmp_hdr.cnvi_bt)); 718 + p = btintel_pcie_copy_tlv(p, BTINTEL_WRITE_PTR, &data->dmp_hdr.write_ptr, 719 + sizeof(data->dmp_hdr.write_ptr)); 720 + p = btintel_pcie_copy_tlv(p, BTINTEL_WRAP_CTR, &data->dmp_hdr.wrap_ctr, 721 + sizeof(data->dmp_hdr.wrap_ctr)); 697 722 698 723 data->dmp_hdr.wrap_ctr = btintel_pcie_rd_dev_mem(data, 699 724 BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND); 700 725 701 - btintel_pcie_copy_tlv(skb, BTINTEL_WRAP_CTR, &data->dmp_hdr.wrap_ctr, 702 - sizeof(data->dmp_hdr.wrap_ctr)); 726 + p = btintel_pcie_copy_tlv(p, BTINTEL_TRIGGER_REASON, &data->dmp_hdr.trigger_reason, 727 + sizeof(data->dmp_hdr.trigger_reason)); 728 + p = btintel_pcie_copy_tlv(p, BTINTEL_FW_SHA, &data->dmp_hdr.fw_git_sha1, 729 + sizeof(data->dmp_hdr.fw_git_sha1)); 730 + p = btintel_pcie_copy_tlv(p, BTINTEL_CNVR_TOP, &data->dmp_hdr.cnvr_top, 731 + sizeof(data->dmp_hdr.cnvr_top)); 732 + p = btintel_pcie_copy_tlv(p, BTINTEL_CNVI_TOP, &data->dmp_hdr.cnvi_top, 733 + sizeof(data->dmp_hdr.cnvi_top)); 703 734 704 - btintel_pcie_copy_tlv(skb, BTINTEL_TRIGGER_REASON, &data->dmp_hdr.trigger_reason, 705 - sizeof(data->dmp_hdr.trigger_reason)); 706 - 707 - btintel_pcie_copy_tlv(skb, BTINTEL_FW_SHA, &data->dmp_hdr.fw_git_sha1, 708 - sizeof(data->dmp_hdr.fw_git_sha1)); 709 - 710 - btintel_pcie_copy_tlv(skb, BTINTEL_CNVR_TOP, &data->dmp_hdr.cnvr_top, 711 - sizeof(data->dmp_hdr.cnvr_top)); 712 - 713 - btintel_pcie_copy_tlv(skb, BTINTEL_CNVI_TOP, &data->dmp_hdr.cnvi_top, 714 - sizeof(data->dmp_hdr.cnvi_top)); 715 - 716 - btintel_pcie_copy_tlv(skb, BTINTEL_DUMP_TIME, buf, dump_time_len); 717 - 718 - 
btintel_pcie_copy_tlv(skb, BTINTEL_FW_BUILD, buf + dump_time_len, fw_build); 719 - 720 - ret = hci_devcd_append(hdev, skb); 721 - if (ret) 722 - goto exit_err; 723 - 724 - for (i = 0; i < dbgc->count; i++) { 725 - ret = btintel_pcie_add_dmp_data(hdev, dbgc->bufs[i].data, 726 - BTINTEL_PCIE_DBGC_BUFFER_SIZE); 727 - if (ret) 728 - break; 729 - } 730 - 731 - exit_err: 732 - hci_devcd_complete(hdev); 733 - return ret; 735 + memcpy(p, dbgc->bufs[0].data, dbgc->count * BTINTEL_PCIE_DBGC_BUFFER_SIZE); 736 + dev_coredumpv(&hdev->dev, pdata, dump_size, GFP_KERNEL); 737 + return 0; 734 738 } 735 739 736 740 static void btintel_pcie_dump_traces(struct hci_dev *hdev) ··· 746 758 747 759 if (ret) 748 760 bt_dev_err(hdev, "Failed to dump traces: (%d)", ret); 749 - } 750 - 751 - static void btintel_pcie_dump_hdr(struct hci_dev *hdev, struct sk_buff *skb) 752 - { 753 - struct btintel_pcie_data *data = hci_get_drvdata(hdev); 754 - u16 len = skb->len; 755 - u16 *hdrlen_ptr; 756 - char buf[80]; 757 - 758 - hdrlen_ptr = skb_put_zero(skb, sizeof(len)); 759 - 760 - snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 761 - INTEL_HW_VARIANT(data->dmp_hdr.cnvi_bt)); 762 - skb_put_data(skb, buf, strlen(buf)); 763 - 764 - snprintf(buf, sizeof(buf), "Firmware Build Number: %u\n", 765 - data->dmp_hdr.fw_build_num); 766 - skb_put_data(skb, buf, strlen(buf)); 767 - 768 - snprintf(buf, sizeof(buf), "Driver: %s\n", data->dmp_hdr.driver_name); 769 - skb_put_data(skb, buf, strlen(buf)); 770 - 771 - snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 772 - skb_put_data(skb, buf, strlen(buf)); 773 - 774 - *hdrlen_ptr = skb->len - len; 775 - } 776 - 777 - static void btintel_pcie_dump_notify(struct hci_dev *hdev, int state) 778 - { 779 - struct btintel_pcie_data *data = hci_get_drvdata(hdev); 780 - 781 - switch (state) { 782 - case HCI_DEVCOREDUMP_IDLE: 783 - data->dmp_hdr.state = HCI_DEVCOREDUMP_IDLE; 784 - break; 785 - case HCI_DEVCOREDUMP_ACTIVE: 786 - data->dmp_hdr.state = HCI_DEVCOREDUMP_ACTIVE; 787 
- break; 788 - case HCI_DEVCOREDUMP_TIMEOUT: 789 - case HCI_DEVCOREDUMP_ABORT: 790 - case HCI_DEVCOREDUMP_DONE: 791 - data->dmp_hdr.state = HCI_DEVCOREDUMP_IDLE; 792 - break; 793 - } 794 761 } 795 762 796 763 /* This function enables BT function by setting BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT bit in ··· 1321 1378 struct btintel_pcie_data, rx_work); 1322 1379 struct sk_buff *skb; 1323 1380 1381 + if (test_bit(BTINTEL_PCIE_COREDUMP_INPROGRESS, &data->flags)) { 1382 + btintel_pcie_dump_traces(data->hdev); 1383 + clear_bit(BTINTEL_PCIE_COREDUMP_INPROGRESS, &data->flags); 1384 + } 1385 + 1324 1386 if (test_bit(BTINTEL_PCIE_HWEXP_INPROGRESS, &data->flags)) { 1325 1387 /* Unlike usb products, controller will not send hardware 1326 1388 * exception event on exception. Instead controller writes the ··· 1336 1388 */ 1337 1389 btintel_pcie_read_hwexp(data); 1338 1390 clear_bit(BTINTEL_PCIE_HWEXP_INPROGRESS, &data->flags); 1339 - } 1340 - 1341 - if (test_bit(BTINTEL_PCIE_COREDUMP_INPROGRESS, &data->flags)) { 1342 - btintel_pcie_dump_traces(data->hdev); 1343 - clear_bit(BTINTEL_PCIE_COREDUMP_INPROGRESS, &data->flags); 1344 1391 } 1345 1392 1346 1393 /* Process the sk_buf in queue and send to the HCI layer */ ··· 2092 2149 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 2093 2150 case 0x1e: /* BzrI */ 2094 2151 case 0x1f: /* ScP */ 2152 + case 0x22: /* BzrIW */ 2095 2153 /* Display version information of TLV type */ 2096 2154 btintel_version_info_tlv(hdev, &ver_tlv); 2097 2155 ··· 2127 2183 2128 2184 if (ver_tlv.img_type == 0x02 || ver_tlv.img_type == 0x03) 2129 2185 data->dmp_hdr.fw_git_sha1 = ver_tlv.git_sha1; 2130 - 2131 - err = hci_devcd_register(hdev, btintel_pcie_dump_traces, btintel_pcie_dump_hdr, 2132 - btintel_pcie_dump_notify); 2133 - if (err) { 2134 - bt_dev_err(hdev, "Failed to register coredump (%d)", err); 2135 - goto exit_error; 2136 - } 2137 2186 2138 2187 btintel_print_fseq_info(hdev); 2139 2188 exit_error: ··· 2173 2236 { 2174 2237 struct btintel_pcie_dev_recovery 
*tmp, *data = NULL; 2175 2238 const char *name = pci_name(pdev); 2239 + const size_t name_len = strlen(name) + 1; 2176 2240 struct hci_dev *hdev = to_hci_dev(dev); 2177 2241 2178 2242 spin_lock(&btintel_pcie_recovery_lock); ··· 2190 2252 return data; 2191 2253 } 2192 2254 2193 - data = kzalloc(struct_size(data, name, strlen(name) + 1), GFP_ATOMIC); 2255 + data = kzalloc(struct_size(data, name, name_len), GFP_ATOMIC); 2194 2256 if (!data) 2195 2257 return NULL; 2196 2258 2197 - strscpy_pad(data->name, name, strlen(name) + 1); 2259 + strscpy(data->name, name, name_len); 2198 2260 spin_lock(&btintel_pcie_recovery_lock); 2199 2261 list_add_tail(&data->list, &btintel_pcie_recovery_list); 2200 2262 spin_unlock(&btintel_pcie_recovery_lock); ··· 2257 2319 btintel_pcie_synchronize_irqs(data); 2258 2320 2259 2321 flush_work(&data->rx_work); 2260 - flush_work(&data->hdev->dump.dump_rx); 2261 2322 2262 2323 bt_dev_dbg(data->hdev, "Release bluetooth interface"); 2263 2324 btintel_pcie_release_hdev(data); ··· 2347 2410 btintel_pcie_reset(hdev); 2348 2411 } 2349 2412 2413 + static bool btintel_pcie_wakeup(struct hci_dev *hdev) 2414 + { 2415 + struct btintel_pcie_data *data = hci_get_drvdata(hdev); 2416 + 2417 + return device_may_wakeup(&data->pdev->dev); 2418 + } 2419 + 2350 2420 static int btintel_pcie_setup_hdev(struct btintel_pcie_data *data) 2351 2421 { 2352 2422 int err; ··· 2379 2435 hdev->set_diag = btintel_set_diag; 2380 2436 hdev->set_bdaddr = btintel_set_bdaddr; 2381 2437 hdev->reset = btintel_pcie_reset; 2438 + hdev->wakeup = btintel_pcie_wakeup; 2382 2439 2383 2440 err = hci_register_dev(hdev); 2384 2441 if (err < 0) { ··· 2518 2573 } 2519 2574 #endif 2520 2575 2576 + static int btintel_pcie_suspend_late(struct device *dev, pm_message_t mesg) 2577 + { 2578 + struct pci_dev *pdev = to_pci_dev(dev); 2579 + struct btintel_pcie_data *data; 2580 + ktime_t start; 2581 + u32 dxstate; 2582 + int err; 2583 + 2584 + data = pci_get_drvdata(pdev); 2585 + 2586 + dxstate = 
(mesg.event == PM_EVENT_SUSPEND ? 2587 + BTINTEL_PCIE_STATE_D3_HOT : BTINTEL_PCIE_STATE_D3_COLD); 2588 + 2589 + data->gp0_received = false; 2590 + 2591 + start = ktime_get(); 2592 + 2593 + /* Refer: 6.4.11.7 -> Platform power management */ 2594 + btintel_pcie_wr_sleep_cntrl(data, dxstate); 2595 + err = wait_event_timeout(data->gp0_wait_q, data->gp0_received, 2596 + msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS)); 2597 + if (err == 0) { 2598 + bt_dev_err(data->hdev, 2599 + "Timeout (%u ms) on alive interrupt for D3 entry", 2600 + BTINTEL_DEFAULT_INTR_TIMEOUT_MS); 2601 + return -EBUSY; 2602 + } 2603 + 2604 + bt_dev_dbg(data->hdev, 2605 + "device entered into d3 state from d0 in %lld us", 2606 + ktime_to_us(ktime_get() - start)); 2607 + 2608 + return 0; 2609 + } 2610 + 2611 + static int btintel_pcie_suspend(struct device *dev) 2612 + { 2613 + return btintel_pcie_suspend_late(dev, PMSG_SUSPEND); 2614 + } 2615 + 2616 + static int btintel_pcie_hibernate(struct device *dev) 2617 + { 2618 + return btintel_pcie_suspend_late(dev, PMSG_HIBERNATE); 2619 + } 2620 + 2621 + static int btintel_pcie_freeze(struct device *dev) 2622 + { 2623 + return btintel_pcie_suspend_late(dev, PMSG_FREEZE); 2624 + } 2625 + 2626 + static int btintel_pcie_resume(struct device *dev) 2627 + { 2628 + struct pci_dev *pdev = to_pci_dev(dev); 2629 + struct btintel_pcie_data *data; 2630 + ktime_t start; 2631 + int err; 2632 + 2633 + data = pci_get_drvdata(pdev); 2634 + data->gp0_received = false; 2635 + 2636 + start = ktime_get(); 2637 + 2638 + /* Refer: 6.4.11.7 -> Platform power management */ 2639 + btintel_pcie_wr_sleep_cntrl(data, BTINTEL_PCIE_STATE_D0); 2640 + err = wait_event_timeout(data->gp0_wait_q, data->gp0_received, 2641 + msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS)); 2642 + if (err == 0) { 2643 + bt_dev_err(data->hdev, 2644 + "Timeout (%u ms) on alive interrupt for D0 entry", 2645 + BTINTEL_DEFAULT_INTR_TIMEOUT_MS); 2646 + return -EBUSY; 2647 + } 2648 + 2649 + bt_dev_dbg(data->hdev, 
2650 + "device entered into d0 state from d3 in %lld us", 2651 + ktime_to_us(ktime_get() - start)); 2652 + return 0; 2653 + } 2654 + 2655 + static const struct dev_pm_ops btintel_pcie_pm_ops = { 2656 + .suspend = btintel_pcie_suspend, 2657 + .resume = btintel_pcie_resume, 2658 + .freeze = btintel_pcie_freeze, 2659 + .thaw = btintel_pcie_resume, 2660 + .poweroff = btintel_pcie_hibernate, 2661 + .restore = btintel_pcie_resume, 2662 + }; 2663 + 2521 2664 static struct pci_driver btintel_pcie_driver = { 2522 2665 .name = KBUILD_MODNAME, 2523 2666 .id_table = btintel_pcie_table, 2524 2667 .probe = btintel_pcie_probe, 2525 2668 .remove = btintel_pcie_remove, 2669 + .driver.pm = pm_sleep_ptr(&btintel_pcie_pm_ops), 2526 2670 #ifdef CONFIG_DEV_COREDUMP 2527 2671 .driver.coredump = btintel_pcie_coredump 2528 2672 #endif
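Review bot: In btintel_pcie_read_dram_buffers() the BTINTEL_WRAP_CTR TLV is now written to the dump before `data->dmp_hdr.wrap_ctr` is refreshed from BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND, so the coredump carries whatever value the field held earlier; the removed code read the register first. Moving `p = btintel_pcie_copy_tlv(p, BTINTEL_WRAP_CTR, &data->dmp_hdr.wrap_ctr, sizeof(data->dmp_hdr.wrap_ctr));` to just after that register read restores the old order without changing the dump size. Separately, the single `memcpy(p, dbgc->bufs[0].data, dbgc->count * BTINTEL_PCIE_DBGC_BUFFER_SIZE)` replaces a per-buffer loop and is only safe if all `dbgc->bufs[i].data` regions form one contiguous allocation, which these hunks do not show; otherwise it reads past the first buffer and copies unrelated kernel memory into a dump readable from user space. A comment stating the contiguity assumption, or keeping the loop, would settle it. Part of the function body lies between the shown hunks.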
+2
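--- a/drivers/bluetooth/btintel_pcie.h
+++ b/drivers/bluetooth/btintel_pcie.h
@@ -132,6 +132,8 @@
 BTINTEL_CNVI_TOP,
 BTINTEL_DUMP_TIME,
 BTINTEL_FW_BUILD,
+BTINTEL_VENDOR,
+BTINTEL_DRIVER
 };
 
 /* causes for the MBOX interrupts */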
+1 -1
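--- a/drivers/bluetooth/btmtksdio.c
+++ b/drivers/bluetooth/btmtksdio.c
@@ -29,7 +29,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 
-#include "h4_recv.h"
+#include "hci_uart.h"
 #include "btmtk.h"
 
 #define VERSION "0.1"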
+1 -1
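--- a/drivers/bluetooth/btmtkuart.c
+++ b/drivers/bluetooth/btmtkuart.c
@@ -27,7 +27,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 
-#include "h4_recv.h"
+#include "hci_uart.h"
 #include "btmtk.h"
 
 #define VERSION "0.2"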
+1 -1
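--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -24,7 +24,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 
-#include "h4_recv.h"
+#include "hci_uart.h"
 
 #define MANUFACTURER_NXP 37
 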
+23
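--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -66,6 +66,7 @@
 #define BTUSB_INTEL_BROKEN_INITIAL_NCMD BIT(25)
 #define BTUSB_INTEL_NO_WBS_SUPPORT BIT(26)
 #define BTUSB_ACTIONS_SEMI BIT(27)
+#define BTUSB_BARROT BIT(28)
 
 static const struct usb_device_id btusb_table[] = {
 /* Generic Bluetooth USB device */
@@ -522,6 +523,8 @@
 /* Realtek 8851BU Bluetooth devices */
 { USB_DEVICE(0x3625, 0x010b), .driver_info = BTUSB_REALTEK |
 BTUSB_WIDEBAND_SPEECH },
+{ USB_DEVICE(0x2001, 0x332a), .driver_info = BTUSB_REALTEK |
+BTUSB_WIDEBAND_SPEECH },
 
 /* Realtek 8852AE Bluetooth devices */
 { USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK |
@@ -698,6 +701,8 @@
 BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x13d3, 0x3615), .driver_info = BTUSB_MEDIATEK |
 BTUSB_WIDEBAND_SPEECH },
+{ USB_DEVICE(0x13d3, 0x3633), .driver_info = BTUSB_MEDIATEK |
+BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x35f5, 0x7922), .driver_info = BTUSB_MEDIATEK |
 BTUSB_WIDEBAND_SPEECH },
 
@@ -731,6 +736,8 @@
 { USB_DEVICE(0x13d3, 0x3608), .driver_info = BTUSB_MEDIATEK |
 BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x13d3, 0x3613), .driver_info = BTUSB_MEDIATEK |
+BTUSB_WIDEBAND_SPEECH },
+{ USB_DEVICE(0x13d3, 0x3627), .driver_info = BTUSB_MEDIATEK |
 BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x13d3, 0x3628), .driver_info = BTUSB_MEDIATEK |
 BTUSB_WIDEBAND_SPEECH },
@@ -809,6 +816,10 @@
 BTUSB_WIDEBAND_SPEECH },
 { USB_DEVICE(0x0cb5, 0xc547), .driver_info = BTUSB_REALTEK |
 BTUSB_WIDEBAND_SPEECH },
+
+/* Barrot Technology Bluetooth devices */
+{ USB_DEVICE(0x33fa, 0x0010), .driver_info = BTUSB_BARROT },
+{ USB_DEVICE(0x33fa, 0x0012), .driver_info = BTUSB_BARROT },
 
 /* Actions Semiconductor ATS2851 based devices */
 { USB_DEVICE(0x10d7, 0xb012), .driver_info = BTUSB_ACTIONS_SEMI },
@@ -1192,6 +1203,18 @@
 }
 
 if (!hci_skb_expect(skb)) {
+/* Each chunk should correspond to at least 1 or more
+* events so if there are still bytes left that doesn't
+* constitute a new event this is likely a bug in the
+* controller.
+*/
+if (count && count < HCI_EVENT_HDR_SIZE) {
+bt_dev_warn(data->hdev,
+"Unexpected continuation: %d bytes",
+count);
+count = 0;
+}
+
 /* Complete frame */
 btusb_recv_event(data, skb);
 skb = NULL;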
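Review bot: The new `bt_dev_warn()` in the `!hci_skb_expect(skb)` branch logs once per malformed transfer, and the byte count it reacts to is supplied by the USB device, so a faulty or hostile controller can flood the kernel log. `bt_dev_warn_ratelimited(data->hdev, "Unexpected continuation: %d bytes", count);` keeps the diagnostic while bounding the log volume. The check also only covers leftovers shorter than HCI_EVENT_HDR_SIZE; longer trailing bytes are presumably still parsed as the start of a new event, which may be intended but should be said in the comment. The enclosing function begins and ends outside the hunk.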
-153
drivers/bluetooth/h4_recv.h
··· 1 - /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 - /* 3 - * 4 - * Generic Bluetooth HCI UART driver 5 - * 6 - * Copyright (C) 2015-2018 Intel Corporation 7 - */ 8 - 9 - #include <linux/unaligned.h> 10 - 11 - struct h4_recv_pkt { 12 - u8 type; /* Packet type */ 13 - u8 hlen; /* Header length */ 14 - u8 loff; /* Data length offset in header */ 15 - u8 lsize; /* Data length field size */ 16 - u16 maxlen; /* Max overall packet length */ 17 - int (*recv)(struct hci_dev *hdev, struct sk_buff *skb); 18 - }; 19 - 20 - #define H4_RECV_ACL \ 21 - .type = HCI_ACLDATA_PKT, \ 22 - .hlen = HCI_ACL_HDR_SIZE, \ 23 - .loff = 2, \ 24 - .lsize = 2, \ 25 - .maxlen = HCI_MAX_FRAME_SIZE \ 26 - 27 - #define H4_RECV_SCO \ 28 - .type = HCI_SCODATA_PKT, \ 29 - .hlen = HCI_SCO_HDR_SIZE, \ 30 - .loff = 2, \ 31 - .lsize = 1, \ 32 - .maxlen = HCI_MAX_SCO_SIZE 33 - 34 - #define H4_RECV_EVENT \ 35 - .type = HCI_EVENT_PKT, \ 36 - .hlen = HCI_EVENT_HDR_SIZE, \ 37 - .loff = 1, \ 38 - .lsize = 1, \ 39 - .maxlen = HCI_MAX_EVENT_SIZE 40 - 41 - #define H4_RECV_ISO \ 42 - .type = HCI_ISODATA_PKT, \ 43 - .hlen = HCI_ISO_HDR_SIZE, \ 44 - .loff = 2, \ 45 - .lsize = 2, \ 46 - .maxlen = HCI_MAX_FRAME_SIZE 47 - 48 - static inline struct sk_buff *h4_recv_buf(struct hci_dev *hdev, 49 - struct sk_buff *skb, 50 - const unsigned char *buffer, 51 - int count, 52 - const struct h4_recv_pkt *pkts, 53 - int pkts_count) 54 - { 55 - /* Check for error from previous call */ 56 - if (IS_ERR(skb)) 57 - skb = NULL; 58 - 59 - while (count) { 60 - int i, len; 61 - 62 - if (!skb) { 63 - for (i = 0; i < pkts_count; i++) { 64 - if (buffer[0] != (&pkts[i])->type) 65 - continue; 66 - 67 - skb = bt_skb_alloc((&pkts[i])->maxlen, 68 - GFP_ATOMIC); 69 - if (!skb) 70 - return ERR_PTR(-ENOMEM); 71 - 72 - hci_skb_pkt_type(skb) = (&pkts[i])->type; 73 - hci_skb_expect(skb) = (&pkts[i])->hlen; 74 - break; 75 - } 76 - 77 - /* Check for invalid packet type */ 78 - if (!skb) 79 - return ERR_PTR(-EILSEQ); 80 - 81 - count -= 1; 82 - 
buffer += 1; 83 - } 84 - 85 - len = min_t(uint, hci_skb_expect(skb) - skb->len, count); 86 - skb_put_data(skb, buffer, len); 87 - 88 - count -= len; 89 - buffer += len; 90 - 91 - /* Check for partial packet */ 92 - if (skb->len < hci_skb_expect(skb)) 93 - continue; 94 - 95 - for (i = 0; i < pkts_count; i++) { 96 - if (hci_skb_pkt_type(skb) == (&pkts[i])->type) 97 - break; 98 - } 99 - 100 - if (i >= pkts_count) { 101 - kfree_skb(skb); 102 - return ERR_PTR(-EILSEQ); 103 - } 104 - 105 - if (skb->len == (&pkts[i])->hlen) { 106 - u16 dlen; 107 - 108 - switch ((&pkts[i])->lsize) { 109 - case 0: 110 - /* No variable data length */ 111 - dlen = 0; 112 - break; 113 - case 1: 114 - /* Single octet variable length */ 115 - dlen = skb->data[(&pkts[i])->loff]; 116 - hci_skb_expect(skb) += dlen; 117 - 118 - if (skb_tailroom(skb) < dlen) { 119 - kfree_skb(skb); 120 - return ERR_PTR(-EMSGSIZE); 121 - } 122 - break; 123 - case 2: 124 - /* Double octet variable length */ 125 - dlen = get_unaligned_le16(skb->data + 126 - (&pkts[i])->loff); 127 - hci_skb_expect(skb) += dlen; 128 - 129 - if (skb_tailroom(skb) < dlen) { 130 - kfree_skb(skb); 131 - return ERR_PTR(-EMSGSIZE); 132 - } 133 - break; 134 - default: 135 - /* Unsupported variable length */ 136 - kfree_skb(skb); 137 - return ERR_PTR(-EILSEQ); 138 - } 139 - 140 - if (!dlen) { 141 - /* No more data, complete frame */ 142 - (&pkts[i])->recv(hdev, skb); 143 - skb = NULL; 144 - } 145 - } else { 146 - /* Complete frame */ 147 - (&pkts[i])->recv(hdev, skb); 148 - skb = NULL; 149 - } 150 - } 151 - 152 - return skb; 153 - }
+3
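--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -582,6 +582,9 @@
 struct bcsp_struct *bcsp = hu->priv;
 const unsigned char *ptr;
 
+if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
+return -EUNATCH;
+
 BT_DBG("hu %p count %d rx_state %d rx_count %ld",
 hu, count, bcsp->rx_state, bcsp->rx_count);
 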
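Review bot: The added `HCI_UART_REGISTERED` guard at the top of the receive path carries no comment saying what it protects; going by the commit title ("receive data only if registered") it presumably stops bytes that arrive before registration from reaching state that is not set up yet. A one-line comment such as `/* Ignore data received before the HCI device is registered */` would record that for the next reader. The bit is tested without any lock visible in this hunk, so whether unregistration can race with a receive that has already passed the check should be confirmed against the caller. The function starts and ends outside the hunk.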
+2 -1
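--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -272,7 +272,8 @@
 #define BT_ERR(fmt, ...) bt_err(fmt "\n", ##__VA_ARGS__)
 
 #if IS_ENABLED(CONFIG_BT_FEATURE_DEBUG)
-#define BT_DBG(fmt, ...) bt_dbg(fmt "\n", ##__VA_ARGS__)
+#define BT_DBG(fmt, ...) \
+bt_dbg("%s:%d: " fmt "\n", __func__, __LINE__, ##__VA_ARGS__)
 #else
 #define BT_DBG(fmt, ...) pr_debug(fmt "\n", ##__VA_ARGS__)
 #endif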
+1
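--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -488,6 +488,7 @@
 #define HCI_AUTO_OFF_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */
 #define HCI_ACL_CONN_TIMEOUT msecs_to_jiffies(20000) /* 20 seconds */
 #define HCI_LE_CONN_TIMEOUT msecs_to_jiffies(20000) /* 20 seconds */
+#define HCI_ISO_TX_TIMEOUT usecs_to_jiffies(0x7fffff) /* 8388607 usecs */
 
 /* HCI data types */
 #define HCI_COMMAND_PKT 0x01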
+7 -4
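--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -487,6 +487,7 @@
 
 unsigned long acl_last_tx;
 unsigned long le_last_tx;
+unsigned long iso_last_tx;
 
 __u8 le_tx_def_phys;
 __u8 le_rx_def_phys;
@@ -1587,16 +1588,18 @@
 __u16 setting, struct bt_codec *codec,
 u16 timeout);
 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
-__u8 dst_type, struct bt_iso_qos *qos);
+__u8 dst_type, struct bt_iso_qos *qos,
+u16 timeout);
 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid,
 struct bt_iso_qos *qos,
-__u8 base_len, __u8 *base);
+__u8 base_len, __u8 *base, u16 timeout);
 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
-__u8 dst_type, struct bt_iso_qos *qos);
+__u8 dst_type, struct bt_iso_qos *qos,
+u16 timeout);
 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
 __u8 dst_type, __u8 sid,
 struct bt_iso_qos *qos,
-__u8 data_len, __u8 *data);
+__u8 data_len, __u8 *data, u16 timeout);
 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst,
 __u8 dst_type, __u8 sid, struct bt_iso_qos *qos);
 int hci_conn_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,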
+1 -1
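--- a/include/net/bluetooth/hci_drv.h
+++ b/include/net/bluetooth/hci_drv.h
@@ -47,7 +47,7 @@
 struct hci_drv_rp_read_info {
 __u8 driver_name[HCI_DRV_MAX_DRIVER_NAME_LENGTH];
 __le16 num_supported_commands;
-__le16 supported_commands[];
+__le16 supported_commands[] __counted_by_le(num_supported_commands);
 } __packed;
 
 /* Driver specific OGF (Opcode Group Field)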
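Review bot: With `__counted_by_le(num_supported_commands)` on `supported_commands[]`, bounds instrumentation takes the array length from the count field, so every writer has to store `num_supported_commands` before it touches the first element. The code that fills `struct hci_drv_rp_read_info` is outside this section and should be checked for that order, since a write done while the count is still zero would be reported as out of bounds. A short comment above the struct, for example `/* num_supported_commands must be set before supported_commands[] is written */`, would keep later writers from getting it wrong.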
+7 -2
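--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -53,10 +53,15 @@
 } __packed;
 
 struct mgmt_tlv {
-__le16 type;
-__u8 length;
+/* New members MUST be added within the __struct_group() macro below. */
+__struct_group(mgmt_tlv_hdr, __hdr, __packed,
+__le16 type;
+__u8 length;
+);
 __u8 value[];
 } __packed;
+static_assert(offsetof(struct mgmt_tlv, value) == sizeof(struct mgmt_tlv_hdr),
+"struct member likely outside of __struct_group()");
 
 struct mgmt_addr_info {
 bdaddr_t bdaddr;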
+15 -12
net/bluetooth/hci_conn.c
··· 924 924 case CIS_LINK: 925 925 case BIS_LINK: 926 926 case PA_LINK: 927 - if (hdev->iso_mtu) 928 - /* Dedicated ISO Buffer exists */ 929 - break; 930 - fallthrough; 927 + if (!hdev->iso_mtu) 928 + return ERR_PTR(-ECONNREFUSED); 929 + break; 931 930 case LE_LINK: 932 931 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 933 932 return ERR_PTR(-ECONNREFUSED); ··· 1539 1540 /* This function requires the caller holds hdev->lock */ 1540 1541 static struct hci_conn *hci_add_bis(struct hci_dev *hdev, bdaddr_t *dst, 1541 1542 __u8 sid, struct bt_iso_qos *qos, 1542 - __u8 base_len, __u8 *base) 1543 + __u8 base_len, __u8 *base, u16 timeout) 1543 1544 { 1544 1545 struct hci_conn *conn; 1545 1546 int err; ··· 1581 1582 1582 1583 conn->state = BT_CONNECT; 1583 1584 conn->sid = sid; 1585 + conn->conn_timeout = timeout; 1584 1586 1585 1587 hci_conn_hold(conn); 1586 1588 return conn; ··· 1922 1922 } 1923 1923 1924 1924 struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, 1925 - __u8 dst_type, struct bt_iso_qos *qos) 1925 + __u8 dst_type, struct bt_iso_qos *qos, 1926 + u16 timeout) 1926 1927 { 1927 1928 struct hci_conn *cis; 1928 1929 ··· 1938 1937 cis->dst_type = dst_type; 1939 1938 cis->iso_qos.ucast.cig = BT_ISO_QOS_CIG_UNSET; 1940 1939 cis->iso_qos.ucast.cis = BT_ISO_QOS_CIS_UNSET; 1940 + cis->conn_timeout = timeout; 1941 1941 } 1942 1942 1943 1943 if (cis->state == BT_CONNECTED) ··· 2178 2176 2179 2177 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid, 2180 2178 struct bt_iso_qos *qos, 2181 - __u8 base_len, __u8 *base) 2179 + __u8 base_len, __u8 *base, u16 timeout) 2182 2180 { 2183 2181 struct hci_conn *conn; 2184 2182 struct hci_conn *parent; ··· 2199 2197 base, base_len); 2200 2198 2201 2199 /* We need hci_conn object using the BDADDR_ANY as dst */ 2202 - conn = hci_add_bis(hdev, dst, sid, qos, base_len, eir); 2200 + conn = hci_add_bis(hdev, dst, sid, qos, base_len, eir, timeout); 2203 2201 if (IS_ERR(conn)) 2204 2202 return conn; 
2205 2203 ··· 2252 2250 struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst, 2253 2251 __u8 dst_type, __u8 sid, 2254 2252 struct bt_iso_qos *qos, 2255 - __u8 base_len, __u8 *base) 2253 + __u8 base_len, __u8 *base, u16 timeout) 2256 2254 { 2257 2255 struct hci_conn *conn; 2258 2256 int err; 2259 2257 struct iso_list_data data; 2260 2258 2261 - conn = hci_bind_bis(hdev, dst, sid, qos, base_len, base); 2259 + conn = hci_bind_bis(hdev, dst, sid, qos, base_len, base, timeout); 2262 2260 if (IS_ERR(conn)) 2263 2261 return conn; 2264 2262 ··· 2301 2299 } 2302 2300 2303 2301 struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, 2304 - __u8 dst_type, struct bt_iso_qos *qos) 2302 + __u8 dst_type, struct bt_iso_qos *qos, 2303 + u16 timeout) 2305 2304 { 2306 2305 struct hci_conn *le; 2307 2306 struct hci_conn *cis; ··· 2326 2323 hci_iso_qos_setup(hdev, le, &qos->ucast.in, 2327 2324 le->le_rx_phy ? le->le_rx_phy : hdev->le_rx_def_phys); 2328 2325 2329 - cis = hci_bind_cis(hdev, dst, dst_type, qos); 2326 + cis = hci_bind_cis(hdev, dst, dst_type, qos, timeout); 2330 2327 if (IS_ERR(cis)) { 2331 2328 hci_conn_drop(le); 2332 2329 return cis;
+40 -12
net/bluetooth/hci_core.c
··· 3267 3267 3268 3268 spin_unlock_bh(&queue->lock); 3269 3269 } 3270 + 3271 + bt_dev_dbg(hdev, "chan %p queued %d", chan, skb_queue_len(queue)); 3270 3272 } 3271 3273 3272 3274 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags) ··· 3300 3298 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT; 3301 3299 3302 3300 skb_queue_tail(&conn->data_q, skb); 3301 + 3302 + bt_dev_dbg(hdev, "hcon %p queued %d", conn, 3303 + skb_queue_len(&conn->data_q)); 3304 + 3303 3305 queue_work(hdev->workqueue, &hdev->tx_work); 3304 3306 } 3305 3307 ··· 3363 3357 __skb_queue_tail(queue, skb); 3364 3358 } while (list); 3365 3359 } 3360 + 3361 + bt_dev_dbg(hdev, "hcon %p queued %d", conn, skb_queue_len(queue)); 3366 3362 } 3367 3363 3368 3364 void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb) ··· 3407 3399 case CIS_LINK: 3408 3400 case BIS_LINK: 3409 3401 case PA_LINK: 3410 - cnt = hdev->iso_mtu ? hdev->iso_cnt : 3411 - hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt; 3402 + cnt = hdev->iso_cnt; 3412 3403 break; 3413 3404 default: 3414 3405 cnt = 0; ··· 3434 3427 if (c->type != type || 3435 3428 skb_queue_empty(&c->data_q)) 3436 3429 continue; 3430 + 3431 + bt_dev_dbg(hdev, "hcon %p state %s queued %d", c, 3432 + state_to_string(c->state), 3433 + skb_queue_len(&c->data_q)); 3437 3434 3438 3435 if (c->state != BT_CONNECTED && c->state != BT_CONFIG) 3439 3436 continue; ··· 3597 3586 3598 3587 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type) 3599 3588 { 3600 - unsigned long last_tx; 3589 + unsigned long timeout; 3601 3590 3602 3591 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 3603 3592 return; 3604 3593 3605 3594 switch (type) { 3595 + case ACL_LINK: 3596 + /* tx timeout must be longer than maximum link supervision 3597 + * timeout (40.9 seconds) 3598 + */ 3599 + timeout = hdev->acl_last_tx + HCI_ACL_TX_TIMEOUT; 3600 + break; 3606 3601 case LE_LINK: 3607 - last_tx = hdev->le_last_tx; 3602 + /* tx timeout must be longer than maximum link 
supervision 3603 + * timeout (40.9 seconds) 3604 + */ 3605 + timeout = hdev->le_last_tx + HCI_ACL_TX_TIMEOUT; 3606 + break; 3607 + case CIS_LINK: 3608 + case BIS_LINK: 3609 + case PA_LINK: 3610 + /* tx timeout must be longer than the maximum transport latency 3611 + * (8.388607 seconds) 3612 + */ 3613 + timeout = hdev->iso_last_tx + HCI_ISO_TX_TIMEOUT; 3608 3614 break; 3609 3615 default: 3610 - last_tx = hdev->acl_last_tx; 3611 - break; 3616 + return; 3612 3617 } 3613 3618 3614 - /* tx timeout must be longer than maximum link supervision timeout 3615 - * (40.9 seconds) 3616 - */ 3617 - if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT)) 3619 + if (!cnt && time_after(jiffies, timeout)) 3618 3620 hci_link_tx_to(hdev, type); 3619 3621 } 3620 3622 ··· 3783 3759 if (!hci_conn_num(hdev, type)) 3784 3760 return; 3785 3761 3786 - cnt = hdev->iso_pkts ? &hdev->iso_cnt : 3787 - hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt; 3762 + cnt = &hdev->iso_cnt; 3763 + 3764 + __check_timeout(hdev, *cnt, type); 3765 + 3788 3766 while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) { 3789 3767 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 3790 3768 BT_DBG("skb %p len %d", skb, skb->len); 3769 + 3791 3770 hci_send_conn_frame(hdev, conn, skb); 3771 + hdev->iso_last_tx = jiffies; 3792 3772 3793 3773 conn->sent++; 3794 3774 if (conn->sent == ~0)
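Review bot: The new `bt_dev_dbg()` calls read `skb_queue_len()` without the queue lock and print the result with `%d`. In the first hunk the print sits after `spin_unlock_bh(&queue->lock)`, and the prints after `skb_queue_tail(&conn->data_q, skb)` and in the `c->type != type` loop are likewise unlocked as far as the hunks show. `skb_queue_len_lockless()` is the helper intended for such reads, and because the length is a `__u32` the format should be `%u`, for example `bt_dev_dbg(hdev, "chan %p queued %u", chan, skb_queue_len_lockless(queue));`. The enclosing functions start and end outside the hunks, so whether a caller already holds the lock cannot be confirmed from here.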
+3 -13
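--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4461,19 +4461,9 @@
 case CIS_LINK:
 case BIS_LINK:
 case PA_LINK:
-if (hdev->iso_pkts) {
-hdev->iso_cnt += count;
-if (hdev->iso_cnt > hdev->iso_pkts)
-hdev->iso_cnt = hdev->iso_pkts;
-} else if (hdev->le_pkts) {
-hdev->le_cnt += count;
-if (hdev->le_cnt > hdev->le_pkts)
-hdev->le_cnt = hdev->le_pkts;
-} else {
-hdev->acl_cnt += count;
-if (hdev->acl_cnt > hdev->acl_pkts)
-hdev->acl_cnt = hdev->acl_pkts;
-}
+hdev->iso_cnt += count;
+if (hdev->iso_cnt > hdev->iso_pkts)
+hdev->iso_cnt = hdev->iso_pkts;
 break;
 
 default: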
+6 -4
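--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -1325,7 +1325,7 @@
 {
 struct hci_cp_le_set_ext_adv_params cp;
 struct hci_rp_le_set_ext_adv_params rp;
-bool connectable;
+bool connectable, require_privacy;
 u32 flags;
 bdaddr_t random_addr;
 u8 own_addr_type;
@@ -1363,10 +1363,12 @@
 return -EPERM;
 
 /* Set require_privacy to true only when non-connectable
-* advertising is used. In that case it is fine to use a
-* non-resolvable private address.
+* advertising is used and it is not periodic.
+* In that case it is fine to use a non-resolvable private address.
 */
-err = hci_get_random_address(hdev, !connectable,
+require_privacy = !connectable && !(adv && adv->periodic);
+
+err = hci_get_random_address(hdev, require_privacy,
 adv_use_rpa(hdev, flags), adv,
 &own_addr_type, &random_addr);
 if (err < 0)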
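Review bot: The rewritten comment above `require_privacy` says periodic advertising is excluded but not why, and its closing sentence about a non-resolvable private address now covers only the remaining non-periodic case. I would add a line such as `/* Periodic advertising is not forced onto an NRPA; its address comes from the other hci_get_random_address() branches. */` and have the author state the reason next to it. Which address those branches choose when `adv_use_rpa()` is false is outside this hunk; if it can be the identity address, that trade-off against tracking resistance is worth recording in the same comment. The enclosing function starts and ends outside the hunk.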
+27 -7
net/bluetooth/iso.c
··· 91 91 iso_sock_match_t match, void *data); 92 92 93 93 /* ---- ISO timers ---- */ 94 - #define ISO_CONN_TIMEOUT (HZ * 40) 95 - #define ISO_DISCONN_TIMEOUT (HZ * 2) 94 + #define ISO_CONN_TIMEOUT secs_to_jiffies(20) 95 + #define ISO_DISCONN_TIMEOUT secs_to_jiffies(2) 96 96 97 97 static void iso_conn_free(struct kref *ref) 98 98 { ··· 110 110 111 111 /* Ensure no more work items will run since hci_conn has been dropped */ 112 112 disable_delayed_work_sync(&conn->timeout_work); 113 + 114 + kfree_skb(conn->rx_skb); 113 115 114 116 kfree(conn); 115 117 } ··· 369 367 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 370 368 hcon = hci_bind_bis(hdev, &iso_pi(sk)->dst, iso_pi(sk)->bc_sid, 371 369 &iso_pi(sk)->qos, iso_pi(sk)->base_len, 372 - iso_pi(sk)->base); 370 + iso_pi(sk)->base, 371 + READ_ONCE(sk->sk_sndtimeo)); 373 372 if (IS_ERR(hcon)) { 374 373 err = PTR_ERR(hcon); 375 374 goto unlock; ··· 379 376 hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst, 380 377 le_addr_type(iso_pi(sk)->dst_type), 381 378 iso_pi(sk)->bc_sid, &iso_pi(sk)->qos, 382 - iso_pi(sk)->base_len, iso_pi(sk)->base); 379 + iso_pi(sk)->base_len, iso_pi(sk)->base, 380 + READ_ONCE(sk->sk_sndtimeo)); 383 381 if (IS_ERR(hcon)) { 384 382 err = PTR_ERR(hcon); 385 383 goto unlock; ··· 462 458 goto unlock; 463 459 } 464 460 461 + /* Check if there are available buffers for output/TX. 
*/ 462 + if (iso_pi(sk)->qos.ucast.out.sdu && !hci_iso_count(hdev) && 463 + (hdev->iso_pkts && !hdev->iso_cnt)) { 464 + err = -ENOBUFS; 465 + goto unlock; 466 + } 467 + 465 468 /* Just bind if DEFER_SETUP has been set */ 466 469 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 467 470 hcon = hci_bind_cis(hdev, &iso_pi(sk)->dst, 468 471 le_addr_type(iso_pi(sk)->dst_type), 469 - &iso_pi(sk)->qos); 472 + &iso_pi(sk)->qos, 473 + READ_ONCE(sk->sk_sndtimeo)); 470 474 if (IS_ERR(hcon)) { 471 475 err = PTR_ERR(hcon); 472 476 goto unlock; ··· 482 470 } else { 483 471 hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst, 484 472 le_addr_type(iso_pi(sk)->dst_type), 485 - &iso_pi(sk)->qos); 473 + &iso_pi(sk)->qos, 474 + READ_ONCE(sk->sk_sndtimeo)); 486 475 if (IS_ERR(hcon)) { 487 476 err = PTR_ERR(hcon); 488 477 goto unlock; ··· 762 749 return; 763 750 764 751 BT_DBG("sk %p state %d", sk, sk->sk_state); 752 + 753 + /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ 754 + if (iso_pi(sk)->conn) { 755 + iso_conn_lock(iso_pi(sk)->conn); 756 + iso_pi(sk)->conn->sk = NULL; 757 + iso_conn_unlock(iso_pi(sk)->conn); 758 + } 765 759 766 760 /* Kill poor orphan */ 767 761 bt_sock_unlink(&iso_sk_list, sk); ··· 2427 2407 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 2428 2408 skb->len); 2429 2409 conn->rx_len -= skb->len; 2430 - return; 2410 + break; 2431 2411 2432 2412 case ISO_END: 2433 2413 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
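Review bot: `READ_ONCE(sk->sk_sndtimeo)` is passed into a `u16 timeout` parameter at all four call sites (`hci_bind_bis`, `hci_connect_bis`, `hci_bind_cis`, `hci_connect_cis`), so the value is narrowed silently. `sk_sndtimeo` is a `long` in jiffies that user space can change with SO_SNDTIMEO, and anything above 65535 jiffies, including MAX_SCHEDULE_TIMEOUT when the timeout is disabled, is truncated to an unrelated and possibly much shorter connection timeout. Clamping before the call keeps the result predictable, for example `min_t(long, READ_ONCE(sk->sk_sndtimeo), U16_MAX)`, read once into a local per function. The enclosing connect functions start and end outside the hunks, so any earlier bounding of the value is not visible here.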
+4 -6
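--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -4542,13 +4542,11 @@
 return -ENOMEM;
 
 #ifdef CONFIG_BT_FEATURE_DEBUG
-if (!hdev) {
-flags = bt_dbg_get() ? BIT(0) : 0;
+flags = bt_dbg_get() ? BIT(0) : 0;
 
-memcpy(rp->features[idx].uuid, debug_uuid, 16);
-rp->features[idx].flags = cpu_to_le32(flags);
-idx++;
-}
+memcpy(rp->features[idx].uuid, debug_uuid, 16);
+rp->features[idx].flags = cpu_to_le32(flags);
+idx++;
 #endif
 
 if (hdev && hci_dev_le_state_simultaneous(hdev)) {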
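Review bot: With the `if (!hdev)` guard removed, the debug entry is written to `rp->features[idx]` for per-controller requests as well, which adds one element to the reply on that path. The allocation that precedes `return -ENOMEM` is outside the hunk, so it cannot be checked here that `rp` has room for this extra entry together with the features appended below. That sizing should be confirmed, ideally with a comment at the allocation stating the maximum number of entries it covers.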
+2 -2
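--- a/net/bluetooth/mgmt_config.c
+++ b/net/bluetooth/mgmt_config.c
@@ -13,13 +13,13 @@
 
 #define HDEV_PARAM_U16(_param_name_) \
 struct {\
-struct mgmt_tlv entry; \
+struct mgmt_tlv_hdr entry; \
 __le16 value; \
 } __packed _param_name_
 
 #define HDEV_PARAM_U8(_param_name_) \
 struct {\
-struct mgmt_tlv entry; \
+struct mgmt_tlv_hdr entry; \
 __u8 value; \
 } __packed _param_name_
 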
+7
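--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -498,6 +498,13 @@
 
 BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+if (sco_pi(sk)->conn) {
+sco_conn_lock(sco_pi(sk)->conn);
+sco_pi(sk)->conn->sk = NULL;
+sco_conn_unlock(sco_pi(sk)->conn);
+}
+
 /* Kill poor orphan */
 bt_sock_unlink(&sco_sk_list, sk);
 sock_set_flag(sk, SOCK_DEAD);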
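Review bot: Clearing `conn->sk` here prevents a use-after-free only if every reader of `conn->sk` takes `sco_conn_lock()` and copes with NULL, and the added comment does not record that. I would extend it to something like `/* Sock is dead: clear conn->sk under the conn lock; readers must hold sco_conn_lock() and check for NULL */` so the invariant is written down where it is established. None of those readers appear in this hunk, so that they all follow the rule is an assumption to confirm. The `iso_conn_lock()` hunk in net/bluetooth/iso.c adds the same pattern and would benefit from the same comment.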