1. 16 Jul, 2018 1 commit
    • Sudip Mukherjee's avatar
      Bluetooth: avoid killing an already killed socket · 4e1a720d
      Sudip Mukherjee authored
      slub debug reported:
      
      [  440.648642] =============================================================================
      [  440.648649] BUG kmalloc-1024 (Tainted: G    BU     O   ): Poison overwritten
      [  440.648651] -----------------------------------------------------------------------------
      
      [  440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
      [  440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
      [  440.648671] 	___slab_alloc.constprop.24+0x1fc/0x292
      [  440.648675] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
      [  440.648677] 	__kmalloc+0xb6/0x17f
      [  440.648680] 	sk_prot_alloc+0x6b/0xc6
      [  440.648683] 	sk_alloc+0x1e/0xa1
      [  440.648700] 	sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
      [  440.648716] 	sco_connect_cfm+0x166/0x281 [bluetooth]
      [  440.648731] 	hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
      [  440.648746] 	hci_event_packet+0x28b/0x2326 [bluetooth]
      [  440.648759] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648764] 	process_one_work+0x163/0x2b2
      [  440.648767] 	worker_thread+0x1a9/0x25c
      [  440.648770] 	kthread+0xf8/0xfd
      [  440.648774] 	ret_from_fork+0x2e/0x38
      [  440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
      [  440.648782] 	__slab_free+0x4b/0x27a
      [  440.648784] 	kfree+0x12e/0x155
      [  440.648787] 	__sk_destruct+0xd3/0xdf
      [  440.648790] 	sk_destruct+0x27/0x29
      [  440.648793] 	__sk_free+0x75/0x91
      [  440.648795] 	sk_free+0x1c/0x1e
      [  440.648810] 	sco_sock_kill+0x5a/0x5f [bluetooth]
      [  440.648825] 	sco_conn_del+0x8e/0xba [bluetooth]
      [  440.648840] 	sco_disconn_cfm+0x3a/0x41 [bluetooth]
      [  440.648855] 	hci_event_packet+0x45e/0x2326 [bluetooth]
      [  440.648868] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648872] 	process_one_work+0x163/0x2b2
      [  440.648875] 	worker_thread+0x1a9/0x25c
      [  440.648877] 	kthread+0xf8/0xfd
      [  440.648880] 	ret_from_fork+0x2e/0x38
      [  440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x  (null) flags=0x40008100
      [  440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
      
      When KASAN was enabled, it reported:
      
      [  210.096613] ==================================================================
      [  210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
      [  210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
      
      [  210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G     U     O    4.14.47-20180606+ #2
      [  210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
      [  210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
      [  210.096698] Call Trace:
      [  210.096711]  dump_stack+0x46/0x59
      [  210.096722]  print_address_description+0x6b/0x23b
      [  210.096729]  ? ex_handler_refcount+0x5b/0x127
      [  210.096736]  kasan_report+0x220/0x246
      [  210.096744]  ex_handler_refcount+0x5b/0x127
      [  210.096751]  ? ex_handler_clear_fs+0x85/0x85
      [  210.096757]  fixup_exception+0x8c/0x96
      [  210.096766]  do_trap+0x66/0x2c1
      [  210.096773]  do_error_trap+0x152/0x180
      [  210.096781]  ? fixup_bug+0x78/0x78
      [  210.096817]  ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096824]  ? __schedule+0x113b/0x1453
      [  210.096830]  ? sysctl_net_exit+0xe/0xe
      [  210.096837]  ? __wake_up_common+0x343/0x343
      [  210.096843]  ? insert_work+0x107/0x163
      [  210.096850]  invalid_op+0x1b/0x40
      [  210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
      [  210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
      [  210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
      [  210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
      [  210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
      [  210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
      [  210.096920]  ? __sk_destruct+0x2c6/0x2d4
      [  210.096959]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.096969]  ? __local_bh_enable_ip+0x43/0x5b
      [  210.097004]  ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
      [  210.097039]  ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
      [  210.097075]  ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
      [  210.097093]  ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
      [  210.097102]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097109]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097115]  ? __update_load_avg_se.isra.2+0x217/0x3a4
      [  210.097122]  ? set_next_entity+0x7c3/0x12cd
      [  210.097128]  ? pick_next_entity+0x25e/0x26c
      [  210.097135]  ? pick_next_task_fair+0x2ca/0xc1a
      [  210.097141]  ? switch_mm_irqs_off+0x346/0xb4f
      [  210.097147]  ? __switch_to+0x769/0xbc4
      [  210.097153]  ? compat_start_thread+0x66/0x66
      [  210.097188]  ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
      [  210.097195]  ? finish_task_switch+0x392/0x431
      [  210.097228]  ? hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097260]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097269]  process_one_work+0x579/0x9e9
      [  210.097277]  worker_thread+0x68f/0x804
      [  210.097285]  kthread+0x31c/0x32b
      [  210.097292]  ? rescuer_thread+0x70c/0x70c
      [  210.097299]  ? kthread_create_on_node+0xa3/0xa3
      [  210.097306]  ret_from_fork+0x35/0x40
      
      [  210.097314] Allocated by task 2040:
      [  210.097323]  kasan_kmalloc.part.1+0x51/0xc7
      [  210.097328]  __kmalloc+0x17f/0x1b6
      [  210.097335]  sk_prot_alloc+0xf2/0x1a3
      [  210.097340]  sk_alloc+0x22/0x297
      [  210.097375]  sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
      [  210.097410]  sco_connect_cfm+0x2d0/0x566 [bluetooth]
      [  210.097443]  hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
      [  210.097476]  hci_event_packet+0x85e/0x7de2 [bluetooth]
      [  210.097507]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097512]  process_one_work+0x579/0x9e9
      [  210.097517]  worker_thread+0x68f/0x804
      [  210.097523]  kthread+0x31c/0x32b
      [  210.097529]  ret_from_fork+0x35/0x40
      
      [  210.097533] Freed by task 2040:
      [  210.097539]  kasan_slab_free+0xb3/0x15e
      [  210.097544]  kfree+0x103/0x1a9
      [  210.097549]  __sk_destruct+0x2c6/0x2d4
      [  210.097584]  sco_conn_del.isra.1+0xba/0x10e [bluetooth]
      [  210.097617]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.097648]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097653]  process_one_work+0x579/0x9e9
      [  210.097658]  worker_thread+0x68f/0x804
      [  210.097663]  kthread+0x31c/0x32b
      [  210.097670]  ret_from_fork+0x35/0x40
      
      [  210.097676] The buggy address belongs to the object at ffff880107e170e8
       which belongs to the cache kmalloc-1024 of size 1024
      [  210.097681] The buggy address is located 120 bytes inside of
       1024-byte region [ffff880107e170e8, ffff880107e174e8)
      [  210.097683] The buggy address belongs to the page:
      [  210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping:          (null) index:0xffff880107e15b68 compound_mapcount: 0
      [  210.110194] flags: 0x8000000000008100(slab|head)
      [  210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
      [  210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
      [  210.115451] page dumped because: kasan: bad access detected
      
      [  210.115454] Memory state around the buggy address:
      [  210.115460]  ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  210.115465]  ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
      [  210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115472]                                                        ^
      [  210.115477]  ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115481]  ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115483] ==================================================================
      
      And finally when BT_DBG() and ftrace was enabled it showed:
      
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_close
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_release
             <...>-14979 [001] ....   186.104192: sco_sock_kill: sk ef0497a0 state 9
             <...>-14979 [001] ....   186.104193: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104246: sco_sock_kill <-sco_conn_del
      kworker/u9:2-792   [001] ....   186.104248: sco_sock_kill: sk ef0497a0 state 9
      kworker/u9:2-792   [001] ....   186.104249: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct <-__sk_destruct
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct: sk ef0497a0
      kworker/u9:2-792   [001] ....   186.104860: hci_conn_del <-hci_event_packet
      kworker/u9:2-792   [001] ....   186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
      
      Only in the failed case, sco_sock_kill() gets called with the same sock
      pointer two times. Add a check for SOCK_DEAD to avoid continue killing
      a socket which has already been killed.
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      4e1a720d
  2. 06 Jul, 2018 14 commits
    • Jaganath Kanakkassery's avatar
      Bluetooth: Use extended LE Connection if supported · 4d94f95d
      Jaganath Kanakkassery authored
      This implements extended LE craete connection and enhanced
      LE conn complete event if the controller supports.
      
      For now it is as good as legacy LE connection and event as
      no new features in the extended connection is handled.
      
      < HCI Command: LE Extended Create Connection (0x08|0x0043) plen 26
              Filter policy: White list is not used (0x00)
              Own address type: Public (0x00)
              Peer address type: Random (0x01)
              Peer address: DB:7E:2E:1D:85:E8 (Static)
              Initiating PHYs: 0x01
              Entry 0: LE 1M
                Scan interval: 60.000 msec (0x0060)
                Scan window: 60.000 msec (0x0060)
                Min connection interval: 50.00 msec (0x0028)
                Max connection interval: 70.00 msec (0x0038)
                Connection latency: 0 (0x0000)
                Supervision timeout: 420 msec (0x002a)
                Min connection length: 0.000 msec (0x0000)
                Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4
            LE Extended Create Connection (0x08|0x0043) ncmd 2
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 31
            LE Enhanced Connection Complete (0x0a)
              Status: Success (0x00)
              Handle: 3585
              Role: Master (0x00)
              Peer address type: Random (0x01)
              Peer address: DB:7E:2E:1D:85:E8 (Static)
              Local resolvable private address: 00:00:00:00:00:00 (Non-Resolvable)
              Peer resolvable private address: 00:00:00:00:00:00 (Non-Resolvable)
              Connection interval: 67.50 msec (0x0036)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Master clock accuracy: 0x00
      @ MGMT Event: Device Connected (0x000b) plen 40
              LE Address: DB:7E:2E:1D:85:E8 (Static)
              Flags: 0x00000000
              Data length: 27
              Name (complete): Designer Mouse
              Appearance: Mouse (0x03c2)
              Flags: 0x05
                LE Limited Discoverable Mode
                BR/EDR Not Supported
              16-bit Service UUIDs (complete): 1 entry
                Human Interface Device (0x1812)
      Signed-off-by: default avatarJaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      4d94f95d
    • Jaganath Kanakkassery's avatar
      Bluetooth: Introduce helpers for le conn status and complete · d12fb056
      Jaganath Kanakkassery authored
      This is done so that the helpers can be used for extended conn
      implementation which will be done in subsequent patch.
      Signed-off-by: default avatarJaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      d12fb056
    • Jaganath Kanakkassery's avatar
      Bluetooth: Process extended ADV report event · c215e939
      Jaganath Kanakkassery authored
      This patch enables Extended ADV report event if extended scanning
      is supported in the controller and process the same.
      
      The new features are not handled and for now its as good as
      legacy ADV report.
      
      > HCI Event: LE Meta Event (0x3e) plen 53
            LE Extended Advertising Report (0x0d)
              Num reports: 1
              Entry 0
                Event type: 0x0013
                  Props: 0x0013
                    Connectable
                    Scannable
                    Use legacy advertising PDUs
                  Data status: Complete
                Legacy PDU Type: ADV_IND (0x0013)
                Address type: Random (0x01)
                Address: DB:7E:2E:1A:85:E8 (Static)
                Primary PHY: LE 1M
                Secondary PHY: LE 1M
                SID: 0x00
                TX power: 0 dBm
                RSSI: -90 dBm (0xa6)
                Periodic advertising invteral: 0.00 msec (0x0000)
                Direct address type: Public (0x00)
                Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
                Data length: 0x1b
              0f 09 44 65 73 69 67 6e 65 72 20 4d 6f 75 73 65  ..Designer Mouse
              03 19 c2 03 02 01 05 03 03 12 18                 ...........
      Signed-off-by: default avatarJaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      c215e939
    • Jaganath Kanakkassery's avatar
      Bluetooth: Use extended scanning if controller supports · a2344b9e
      Jaganath Kanakkassery authored
      This implements Set extended scan param and set extended scan enable
      commands and use it for start LE scan based on controller support.
      
      The new features added in these commands are setting of new PHY for
      scanning and setting of scan duration. Both features are disabled
      for now, meaning only 1M PHY is set and scan duration is set to 0
      which means that scanning will be done untill scan disable is called.
      
      < HCI Command: LE Set Extended Scan Parameters (0x08|0x0041) plen 8
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement (0x00)
              PHYs: 0x01
              Entry 0: LE 1M
                Type: Active (0x01)
                Interval: 11.250 msec (0x0012)
                Window: 11.250 msec (0x0012)
      > HCI Event: Command Complete (0x0e) plen 4
            LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Extended Scan Enable (0x08|0x0042) plen 6
              Extended scan: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
              Duration: 0 msec (0x0000)
              Period: 0.00 sec (0x0000)
      > HCI Event: Command Complete (0x0e) plen 4
            LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
              Status: Success (0x00)
      Signed-off-by: default avatarJaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      a2344b9e
    • Jaganath Kanakkassery's avatar
      Bluetooth: Introduce helpers for LE set scan start and complete · 3baef810
      Jaganath Kanakkassery authored
      Introduce a helper hci_req_start_scan() which starts an LE
      scan and call it from passive_Scan() and active_scan().
      There is not functionality change in this patch.
      
      This is basically done to enable extended scanning if the
      controller supports which will be done in the subsequent
      patch
      Signed-off-by: default avatarJaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      3baef810
    • Corentin Labbe's avatar
      Bluetooth: remove unused bt-nokia-h4p.h header · 1b0707a7
      Corentin Labbe authored
      Nothing in tree use this header which seems a remains of a staging
      driver.
      This patch remove it.
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Reviewed-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      1b0707a7
    • Ankit Navik's avatar
      Bluetooth: Add HCI command for clear Resolv list · 545f2596
      Ankit Navik authored
      Check for Resolv list supported by controller. So check the supported
      commmand first before issuing this command i.e.,HCI_OP_LE_CLEAR_RESOLV_LIST
      
      Before patch:
      < HCI Command: LE Read White List... (0x08|0x000f) plen 0  #55 [hci0] 13.338168
      > HCI Event: Command Complete (0x0e) plen 5                #56 [hci0] 13.338842
            LE Read White List Size (0x08|0x000f) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Clear White List (0x08|0x0010) plen 0    #57 [hci0] 13.339029
      > HCI Event: Command Complete (0x0e) plen 4                #58 [hci0] 13.339939
            LE Clear White List (0x08|0x0010) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Read Resolving L.. (0x08|0x002a) plen 0  #59 [hci0] 13.340152
      > HCI Event: Command Complete (0x0e) plen 5                #60 [hci0] 13.340952
            LE Read Resolving List Size (0x08|0x002a) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Read Maximum Dat.. (0x08|0x002f) plen 0  #61 [hci0] 13.341180
      > HCI Event: Command Complete (0x0e) plen 12               #62 [hci0] 13.341898
            LE Read Maximum Data Length (0x08|0x002f) ncmd 1
              Status: Success (0x00)
              Max TX octets: 251
              Max TX time: 17040
              Max RX octets: 251
              Max RX time: 17040
      
      After patch:
      < HCI Command: LE Read White List... (0x08|0x000f) plen 0  #55 [hci0] 28.919131
      > HCI Event: Command Complete (0x0e) plen 5                #56 [hci0] 28.920016
            LE Read White List Size (0x08|0x000f) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Clear White List (0x08|0x0010) plen 0    #57 [hci0] 28.920164
      > HCI Event: Command Complete (0x0e) plen 4                #58 [hci0] 28.920873
            LE Clear White List (0x08|0x0010) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Read Resolving L.. (0x08|0x002a) plen 0  #59 [hci0] 28.921109
      > HCI Event: Command Complete (0x0e) plen 5                #60 [hci0] 28.922016
            LE Read Resolving List Size (0x08|0x002a) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Clear Resolving... (0x08|0x0029) plen 0  #61 [hci0] 28.922166
      > HCI Event: Command Complete (0x0e) plen 4                #62 [hci0] 28.922872
            LE Clear Resolving List (0x08|0x0029) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Read Maximum Dat.. (0x08|0x002f) plen 0  #63 [hci0] 28.923117
      > HCI Event: Command Complete (0x0e) plen 12               #64 [hci0] 28.924030
            LE Read Maximum Data Length (0x08|0x002f) ncmd 1
              Status: Success (0x00)
              Max TX octets: 251
              Max TX time: 17040
              Max RX octets: 251
              Max RX time: 17040
      Signed-off-by: default avatarAnkit Navik <ankit.p.navik@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      545f2596
    • Ankit Navik's avatar
      Bluetooth: Store Resolv list size · cfdb0c2d
      Ankit Navik authored
      When the controller supports the Read LE Resolv List size feature, the
      maximum list size are read and now stored.
      
      Before patch:
      < HCI Command: LE Read White List... (0x08|0x000f) plen 0  #55 [hci0] 17.979791
      > HCI Event: Command Complete (0x0e) plen 5                #56 [hci0] 17.980629
            LE Read White List Size (0x08|0x000f) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Clear White List (0x08|0x0010) plen 0    #57 [hci0] 17.980786
      > HCI Event: Command Complete (0x0e) plen 4                #58 [hci0] 17.981627
            LE Clear White List (0x08|0x0010) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Read Maximum Dat.. (0x08|0x002f) plen 0  #59 [hci0] 17.981786
      > HCI Event: Command Complete (0x0e) plen 12               #60 [hci0] 17.982636
            LE Read Maximum Data Length (0x08|0x002f) ncmd 1
              Status: Success (0x00)
              Max TX octets: 251
              Max TX time: 17040
              Max RX octets: 251
              Max RX time: 17040
      
      After patch:
      < HCI Command: LE Read White List... (0x08|0x000f) plen 0  #55 [hci0] 13.338168
      > HCI Event: Command Complete (0x0e) plen 5                #56 [hci0] 13.338842
            LE Read White List Size (0x08|0x000f) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Clear White List (0x08|0x0010) plen 0    #57 [hci0] 13.339029
      > HCI Event: Command Complete (0x0e) plen 4                #58 [hci0] 13.339939
            LE Clear White List (0x08|0x0010) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Read Resolving L.. (0x08|0x002a) plen 0  #59 [hci0] 13.340152
      > HCI Event: Command Complete (0x0e) plen 5                #60 [hci0] 13.340952
            LE Read Resolving List Size (0x08|0x002a) ncmd 1
              Status: Success (0x00)
              Size: 25
      < HCI Command: LE Read Maximum Dat.. (0x08|0x002f) plen 0  #61 [hci0] 13.341180
      > HCI Event: Command Complete (0x0e) plen 12               #62 [hci0] 13.341898
            LE Read Maximum Data Length (0x08|0x002f) ncmd 1
              Status: Success (0x00)
              Max TX octets: 251
              Max TX time: 17040
              Max RX octets: 251
              Max RX time: 17040
      Signed-off-by: default avatarAnkit Navik <ankit.p.navik@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      cfdb0c2d
    • Sebastian Andrzej Siewior's avatar
      Bluetooth: btusb: use irqsave() in URB's complete callback · a5e50d5b
      Sebastian Andrzej Siewior authored
      The USB completion callback does not disable interrupts while acquiring
      the ->lock. We want to remove the local_irq_disable() invocation from
      __usb_hcd_giveback_urb() and therefore it is required for the callback
      handler to disable the interrupts while acquiring the lock.
      The callback may be invoked either in IRQ or BH context depending on the
      USB host controller.
      Use the _irqsave variant of the locking primitives.
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: linux-bluetooth@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      a5e50d5b
    • Jian-Hong Pan's avatar
      Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 · 45ae68b8
      Jian-Hong Pan authored
      Without this patch we cannot turn on the Bluethooth adapter on HP
      14-bs007la.
      
      T:  Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0bda ProdID=b009 Rev= 2.00
      S:  Manufacturer=Realtek
      S:  Product=802.11n WLAN Adapter
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      45ae68b8
    • Michael Scott's avatar
      6lowpan: iphc: reset mac_header after decompress to fix panic · 03bc05e1
      Michael Scott authored
      After decompression of 6lowpan socket data, an IPv6 header is inserted
      before the existing socket payload.  After this, we reset the
      network_header value of the skb to account for the difference in payload
      size from prior to decompression + the addition of the IPv6 header.
      
      However, we fail to reset the mac_header value.
      
      Leaving the mac_header value untouched here, can cause a calculation
      error in net/packet/af_packet.c packet_rcv() function when an
      AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
      interface.
      
      On line 2088, the data pointer is moved backward by the value returned
      from skb_mac_header().  If skb->data is adjusted so that it is before
      the skb->head pointer (which can happen when an old value of mac_header
      is left in place) the kernel generates a panic in net/core/skbuff.c
      line 1717.
      
      This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
      802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
      sources for compression and decompression.
      Signed-off-by: default avatarMichael Scott <michael@opensourcefoundries.com>
      Acked-by: default avatarAlexander Aring <aring@mojatatu.com>
      Acked-by: default avatarJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      03bc05e1
    • David S. Miller's avatar
      Merge branch 'IP-listification-follow-ups' · ab8565af
      David S. Miller authored
      Edward Cree says:
      
      ====================
      IP listification follow-ups
      
      While working on IPv6 list processing, I found another bug in the IPv4
       version.  So this patch series has that fix, and the IPv6 version with
       both fixes incorporated.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab8565af
    • Edward Cree's avatar
      net: ipv6: listify ipv6_rcv() and ip6_rcv_finish() · d8269e2c
      Edward Cree authored
      Essentially the same as the ipv4 equivalents.
      Signed-off-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8269e2c
    • Edward Cree's avatar
      net: ipv4: fix list processing on L3 slave devices · efe6aaca
      Edward Cree authored
      If we have an L3 master device, l3mdev_ip_rcv() will steal the skb, but
       we were returning NET_RX_SUCCESS from ip_rcv_finish_core() which meant
       that ip_list_rcv_finish() would keep it on the list.  Instead let's
       move the l3mdev_ip_rcv() call into the caller, so that our response to
       a steal can be different in the single packet path (return
       NET_RX_SUCCESS) and the list path (forget this packet and continue).
      
      Fixes: 5fa12739 ("net: ipv4: listify ip_rcv_finish")
      Signed-off-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efe6aaca
  3. 05 Jul, 2018 25 commits