1. 16 Feb, 2017 6 commits
    • Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg · 9dcbc313
      Ezequiel Garcia authored
      As per the comment in include/linux/net.h, the recvfrom handlers
      should expect msg_name to be NULL. However, bt_sock_recvmsg()
      is currently not checking it, which could lead to a NULL pointer
      dereference.
      
      The following NULL pointer dereference was produced while testing
      L2CAP datagram reception. Note that the kernel is tainted due to
      the r8723bs module being inserted. However, it seems the fix still
      applies.
      
      $ l2test -r -G
      l2test[326]: Receiving ...
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = ee008000
      [00000000] *pgd=7f896835
      Internal error: Oops: 817 [#1] PREEMPT SMP ARM
      Modules linked in: r8723bs(O)
      CPU: 0 PID: 326 Comm: l2test Tainted: G           O 4.8.0 #1
      Hardware name: Allwinner sun7i (A20) Family
      task: ef1c6880 task.stack: eea70000
      PC is at __memzero+0x58/0x80
      LR is at l2cap_skb_msg_name+0x1c/0x4c
      pc : [<c02c47d8>]    lr : [<c0506278>]    psr: 00070013
      sp : eea71e60  ip : 00000000  fp : 00034e1c
      r10: 00000000  r9 : 00000000  r8 : eea71ed4
      r7 : 000002a0  r6 : eea71ed8  r5 : 00000000  r4 : ee4a5d80
      r3 : 00000000  r2 : 00000000  r1 : 0000000e  r0 : 00000000
      Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
      Control: 10c5387d  Table: 7600806a  DAC: 00000051
      Process l2test (pid: 326, stack limit = 0xeea70210)
      Stack: (0xeea71e60 to 0xeea72000)
      1e60: ee4a5d80 eeac2800 000002a0 c04d7114 173eefa0 00000000 c06ca68e 00000000
      1e80: 00000001 eeac2800 eef23500 00000000 000002a0 eea71ed4 eea70000 c0504d50
      1ea0: 00000000 00000000 eef23500 00000000 00000000 c044e8a0 eea71edc eea9f904
      1ec0: bef89aa0 fffffff7 00000000 00035008 000002a0 00000000 00000000 00000000
      1ee0: 00000000 00000000 eea71ed4 00000000 00000000 00000000 00004000 00000000
      1f00: 0000011b c01078c4 eea70000 c044e5e4 00000000 00000000 642f0001 6c2f7665
      1f20: 0000676f 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      1f40: 00000000 00000000 00000000 00000000 00000000 ffffffff 00000001 bef89ad8
      1f60: 000000a8 c01078c4 eea70000 00000000 00034e1c c01e6c74 00000000 00000000
      1f80: 00034e1c 000341f8 00000000 00000123 c01078c4 c044e90c 00000000 00000000
      1fa0: 000002a0 c0107700 00034e1c 000341f8 00000003 00035008 000002a0 00000000
      1fc0: 00034e1c 000341f8 00000000 00000123 00000000 00000000 00011ffc 00034e1c
      1fe0: 00000000 bef89aa4 0001211c b6eebb60 60070010 00000003 00000000 00000000
      [<c02c47d8>] (__memzero) from [<c0506278>] (l2cap_skb_msg_name+0x1c/0x4c)
      [<c0506278>] (l2cap_skb_msg_name) from [<c04d7114>] (bt_sock_recvmsg+0x128/0x160)
      [<c04d7114>] (bt_sock_recvmsg) from [<c0504d50>] (l2cap_sock_recvmsg+0x98/0x134)
      [<c0504d50>] (l2cap_sock_recvmsg) from [<c044e8a0>] (SyS_recvfrom+0x94/0xec)
      [<c044e8a0>] (SyS_recvfrom) from [<c044e90c>] (SyS_recv+0x14/0x1c)
      [<c044e90c>] (SyS_recv) from [<c0107700>] (ret_fast_syscall+0x0/0x3c)
      Code: e3110010 18a0500c e49de004 e3110008 (18a0000c)
      ---[ end trace 224e35e79fe06b42 ]---
      Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
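Added example, not code from this commit or from the kernel tree: a userspace model of the check the commit message above calls for, where a receive handler fills `msg_name` only when the caller supplied a buffer. The struct and function names (`model_msghdr`, `model_addr`, `model_fill_name`, `model_recvmsg_*`) and the sample address are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures; all names are hypothetical. */
struct model_msghdr { void *msg_name; int msg_namelen; };
struct model_addr   { unsigned short family; unsigned short psm; unsigned char bdaddr[6]; };

typedef void (*name_cb)(struct model_msghdr *msg, const struct model_addr *src);

/* Like the callback in the trace: zeroes the caller's address buffer, then fills it. */
void model_fill_name(struct model_msghdr *msg, const struct model_addr *src)
{
    struct model_addr *dst = msg->msg_name;

    memset(dst, 0, sizeof(*dst));          /* faults here when msg_name is NULL */
    *dst = *src;
    msg->msg_namelen = (int)sizeof(*dst);
}

/* Before: calls the callback whenever one is registered. Shown for contrast, never called. */
int model_recvmsg_unchecked(struct model_msghdr *msg, name_cb cb, const struct model_addr *src)
{
    if (cb)
        cb(msg, src);
    return 0;
}

/* After: recv() supplies no address buffer, so only fill msg_name when it is non-NULL. */
int model_recvmsg_checked(struct model_msghdr *msg, name_cb cb, const struct model_addr *src)
{
    if (msg->msg_name && cb) {
        cb(msg, src);
        return 1;                          /* source address was reported */
    }
    return 0;                              /* data delivered, no address requested */
}

int main(void)
{
    /* Constructed sample address. */
    struct model_addr src = { 31, 0x1001, { 1, 2, 3, 4, 5, 6 } }, out;
    struct model_msghdr with_buf = { &out, 0 }, without_buf = { NULL, 0 };

    /* recvfrom() with an address buffer, then recv() without one. */
    return !(model_recvmsg_checked(&with_buf, model_fill_name, &src) == 1 &&
             model_recvmsg_checked(&without_buf, model_fill_name, &src) == 0);
}
```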
    • Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup · a4ccc9e3
      Rajat Jain authored
      The Marvell devices may have many gpio pins, and hence for wakeup
      on these out-of-band pins, the chip needs to be told which pin is
      to be used for wakeup, using an hci command.
      
      Thus, we read the pin number etc from the device tree node and send
      a command to the chip.
      Signed-off-by: Rajat Jain <rajatja@google.com>
      Reviewed-by: Brian Norris <briannorris@chromium.org>
      Acked-by: Rob Herring <robh@kernel.org>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    • Bluetooth: btusb: Add out-of-band wakeup support · fd913ef7
      Rajat Jain authored
      Some onboard BT chips (e.g. Marvell 8997) contain a wakeup pin that
      can be connected to a gpio on the CPU side, and can be used to wakeup
      the host out-of-band. This can be useful in situations where the
      in-band wakeup is not possible or not preferable (e.g. the in-band
      wakeup may require the USB host controller to remain active, and
      hence consuming more system power during system sleep).
      
      The oob gpio interrupt to be used for wakeup on the CPU side, is
      read from the device tree node, (using standard interrupt descriptors).
      A device tree binding document is also added for the driver. The
      compatible string is in compliance with
      Documentation/devicetree/bindings/usb/usb-device.txt
      Signed-off-by: Rajat Jain <rajatja@google.com>
      Reviewed-by: Brian Norris <briannorris@chromium.org>
      Acked-by: Rob Herring <robh@kernel.org>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    • Bluetooth: btusb: Use an error label for error paths · 10ab133b
      Rajat Jain authored
      Use a label to remove the repetitive cleanup, for error cases.
      Signed-off-by: Rajat Jain <rajatja@google.com>
      Reviewed-by: Brian Norris <briannorris@chromium.org>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    • Bluetooth: btqcomsmd: Fix module autoload · 747d3f1a
      Javier Martinez Canillas authored
      If the driver is built as a module, autoload won't work because the module
      alias information is not filled. So user-space can't match the registered
      device with the corresponding module.
      
      Export the module alias information using the MODULE_DEVICE_TABLE() macro.
      
      Before this patch:
      
      $ modinfo drivers/bluetooth/btqcomsmd.ko | grep alias
      $
      
      After this patch:
      
      $ modinfo drivers/bluetooth/btqcomsmd.ko | grep alias
      alias:          of:N*T*Cqcom,wcnss-btC*
      alias:          of:N*T*Cqcom,wcnss-bt
      Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    • Bluetooth: btusb: add support for 0bb4:0306 · a57bac43
      Christoph Haag authored
      It's a custom USB ID for the broadcom bt adapter in the HTC Vive.
      
      T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#=  6 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0bb4 ProdID=0306 Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM2045A0
      S:  SerialNumber=AC3743E110CE
      C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      
      dmesg:
      Bluetooth: hci0: BCM: chip id 102
      Bluetooth: hci0: c-l
      Bluetooth: hci0: BCM (001.001.005) build 0000
      Bluetooth: hci0: BCM (001.001.005) build 0481
      Bluetooth: hci0: BCM20703A1 Generic USB 20Mhz fcbga_BU
      Signed-off-by: Christoph Haag <haagch@frickel.club>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
  2. 15 Feb, 2017 22 commits
  3. 14 Feb, 2017 12 commits