1. 04 Mar, 2020 2 commits
  2. 01 Mar, 2020 1 commit
  3. 28 Feb, 2020 13 commits
  4. 19 Feb, 2020 2 commits
  5. 18 Feb, 2020 5 commits
  6. 16 Feb, 2020 1 commit
  7. 14 Feb, 2020 2 commits
    • Luiz Augusto von Dentz's avatar
      Bluetooth: Add BT_PHY socket option · eab2404b
      Luiz Augusto von Dentz authored
      This adds BT_PHY socket option (read-only) which can be used to read
      the PHYs in use by the underline connection.
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      eab2404b
    • Howard Chung's avatar
      Bluetooth: secure bluetooth stack from bluedump attack · cee5f20f
      Howard Chung authored
      Attack scenario:
      1. A Chromebook (let's call this device A) is paired to a legitimate
         Bluetooth classic device (e.g. a speaker) (let's call this device
         B).
      2. A malicious device (let's call this device C) pretends to be the
         Bluetooth speaker by using the same BT address.
      3. If device A is not currently connected to device B, device A will
         be ready to accept connection from device B in the background
         (technically, doing Page Scan).
      4. Therefore, device C can initiate connection to device A
         (because device A is doing Page Scan) and device A will accept the
         connection because device A trusts device C's address which is the
         same as device B's address.
      5. Device C won't be able to communicate at any high level Bluetooth
         profile with device A because device A enforces that device C is
         encrypted with their common Link Key, which device C doesn't have.
         But device C can initiate pairing with device A with just-works
         model without requiring user interaction (there is only pairing
         notification). After pairing, device A now trusts device C with a
         new different link key, common between device A and C.
      6. From now on, device A trusts device C, so device C can at anytime
         connect to device A to do any kind of high-level hijacking, e.g.
         speaker hijack or mouse/keyboard hijack.
      
      Since we don't know whether the repairing is legitimate or not,
      leave the decision to user space if all the conditions below are met.
      - the pairing is initialized by peer
      - the authorization method is just-work
      - host already had the link key to the peer
      Signed-off-by: default avatarHoward Chung <howardchung@google.com>
      Acked-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      cee5f20f
  8. 13 Feb, 2020 3 commits
  9. 08 Feb, 2020 1 commit
    • Sergey Shatunov's avatar
      Bluetooth: btusb: Add support for 13d3:3548 Realtek 8822CE device · eb3939e3
      Sergey Shatunov authored
      The ASUS FX505DV laptop contains RTL8822CE device with an
      associated BT chip using a USB ID of 13d3:3548.
      This patch add fw download support for it.
      
      T:  Bus=03 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3548 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarSergey Shatunov <me@prok.pw>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      eb3939e3
  10. 05 Feb, 2020 3 commits
  11. 03 Feb, 2020 2 commits
  12. 29 Jan, 2020 2 commits
    • Davidlohr Bueso's avatar
      Bluetooth: optimize barrier usage for Rmw atomics · fe664831
      Davidlohr Bueso authored
      Use smp_mb__before_atomic() instead of smp_mb() and avoid the
      unnecessary barrier for non LL/SC architectures, such as x86.
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      fe664831
    • Manish Mandlik's avatar
      Bluetooth: Fix refcount use-after-free issue · 6c08fc89
      Manish Mandlik authored
      There is no lock preventing both l2cap_sock_release() and
      chan->ops->close() from running at the same time.
      
      If we consider Thread A running l2cap_chan_timeout() and Thread B running
      l2cap_sock_release(), expected behavior is:
        A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
        B::l2cap_sock_release()->sock_orphan()
        B::l2cap_sock_release()->l2cap_sock_kill()
      
      where,
      sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks
      socket as SOCK_ZAPPED.
      
      In l2cap_sock_kill(), there is an "if-statement" that checks if both
      sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL
      and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is
      satisfied.
      
      In the race condition, following occurs:
        A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        B::l2cap_sock_release()->sock_orphan()
        B::l2cap_sock_release()->l2cap_sock_kill()
        A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
      In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
      A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.
      
      Similar condition occurs at other places where teardown/sock_kill is
      happening:
        l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
        l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
        l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
        l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        l2cap_sock_cleanup_listen()->l2cap_sock_kill()
      
      Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
      l2cap channel to ensure that the socket is killed only after marked as
      zapped and orphan.
      Signed-off-by: default avatarManish Mandlik <mmandlik@google.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      6c08fc89
  13. 28 Jan, 2020 1 commit
  14. 27 Jan, 2020 2 commits
    • David S. Miller's avatar
      Merge branch 'qed-Utilize-FW-8.42.2.0' · 8e5aa617
      David S. Miller authored
      Michal Kalderon says:
      
      ====================
      qed*: Utilize FW 8.42.2.0
      
      This FW contains several fixes and features, main ones listed below.
      We have taken into consideration past comments on previous FW versions
      that were uploaded and tried to separate this one to smaller patches to
      ease review.
      
      - RoCE
      	- SRIOV support
      	- Fixes in following flows:
      		- latency optimization flow for inline WQEs
      		- iwarp OOO packed DDPs flow
      		- tx-dif workaround calculations flow
      		- XRC-SRQ exceed cache num
      
      - iSCSI
      	- Fixes:
      		- iSCSI TCP out-of-order handling.
      		- iscsi retransmit flow
      
      - Fcoe
      	- Fixes:
      		- upload + cleanup flows
      
      - Debug
      	- Better handling of extracting data during traffic
      	- ILT Dump -> dumping host memory used by chip
      	- MDUMP -> collect debug data on system crash and extract after
      	  reboot
      
      Patches prefixed with FW 8.42.2.0 are required to work with binary
      8.42.2.0 FW where as the rest are FW related but do not require the
      binary.
      
      Changes from V2
      ---------------
      - Move FW version to the start of the series to maintain minimal compatibility
      - Fix some kbuild errors:
      	- frame size larger than 1024 (Queue Manager patch - remove redundant
      	  field from struct)
      	- sparse warning on endianity (Dmae patch fix - wrong use of __le32 for field
      	  used only on host, should be u32)
      	- static should be used for some functions (Debug feature ilt and mdump)
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      
      Changes from V1
      ---------------
      - Remove epoch + kernel version from device debug dump
      - don't bump driver version
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e5aa617
    • Michal Kalderon's avatar
      qed: FW 8.42.2.0 debug features · 2d22bc83
      Michal Kalderon authored
      Add to debug dump more information on the platform it was collected
      from (pci func, path id).
      Provide human readable reg fifo erros.
      
      Removed static debug arrays from HSI Functions, and move them to
      the hwfn.
      
      Some structures were slightly changed (removing reserved chip id
      for example) which lead to many long initializations being modified
      with one parameter less during initialization. This leads to
      some long diffs that don't really change anything.
      Signed-off-by: default avatarAriel Elior <ariel.elior@marvell.com>
      Signed-off-by: default avatarMichal Kalderon <michal.kalderon@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d22bc83