1. 21 10月, 2015 40 次提交
    • J
      Bluetooth: Fix missing hdev locking for LE scan cleanup · 8ce783dc
      Johan Hedberg 提交于
      The hci_conn objects don't have a dedicated lock themselves but rely
      on the caller to hold the hci_dev lock for most types of access. The
      hci_conn_timeout() function has so far sent certain HCI commands based
      on the hci_conn state which has been possible without holding the
      hci_dev lock.
      
      The recent changes to do LE scanning before connect attempts added
      even more operations to hci_conn and hci_dev from hci_conn_timeout,
      thereby exposing potential race conditions with the hci_dev and
      hci_conn states.
      
      As an example of such a race, here there's a timeout but an
      l2cap_sock_connect() call manages to race with the cleanup routine:
      
      [Oct21 08:14] l2cap_chan_timeout: chan ee4b12c0 state BT_CONNECT
      [  +0.000004] l2cap_chan_close: chan ee4b12c0 state BT_CONNECT
      [  +0.000002] l2cap_chan_del: chan ee4b12c0, conn f3141580, err 111, state BT_CONNECT
      [  +0.000002] l2cap_sock_teardown_cb: chan ee4b12c0 state BT_CONNECT
      [  +0.000005] l2cap_chan_put: chan ee4b12c0 orig refcnt 4
      [  +0.000010] hci_conn_drop: hcon f53d56e0 orig refcnt 1
      [  +0.000013] l2cap_chan_put: chan ee4b12c0 orig refcnt 3
      [  +0.000063] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT
      [  +0.000049] hci_conn_params_del: addr ee:0d:30:09:53:1f (type 1)
      [  +0.000002] hci_chan_list_flush: hcon f53d56e0
      [  +0.000001] hci_chan_del: hci0 hcon f53d56e0 chan f4e7ccc0
      [  +0.004528] l2cap_sock_create: sock e708fc00
      [  +0.000023] l2cap_chan_create: chan ee4b1770
      [  +0.000001] l2cap_chan_hold: chan ee4b1770 orig refcnt 1
      [  +0.000002] l2cap_sock_init: sk ee4b3390
      [  +0.000029] l2cap_sock_bind: sk ee4b3390
      [  +0.000010] l2cap_sock_setsockopt: sk ee4b3390
      [  +0.000037] l2cap_sock_connect: sk ee4b3390
      [  +0.000002] l2cap_chan_connect: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f (type 2) psm 0x00
      [  +0.000002] hci_get_route: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f
      [  +0.000001] hci_dev_hold: hci0 orig refcnt 8
      [  +0.000003] hci_conn_hold: hcon f53d56e0 orig refcnt 0
      
      Above the l2cap_chan_connect() shouldn't have been able to reach the
      hci_conn f53d56e0 anymore but since hci_conn_timeout didn't do proper
      locking that's not the case. The end result is a reference to hci_conn
      that's not in the conn_hash list, resulting in list corruption when
      trying to remove it later:
      
      [Oct21 08:15] l2cap_chan_timeout: chan ee4b1770 state BT_CONNECT
      [  +0.000004] l2cap_chan_close: chan ee4b1770 state BT_CONNECT
      [  +0.000003] l2cap_chan_del: chan ee4b1770, conn f3141580, err 111, state BT_CONNECT
      [  +0.000001] l2cap_sock_teardown_cb: chan ee4b1770 state BT_CONNECT
      [  +0.000005] l2cap_chan_put: chan ee4b1770 orig refcnt 4
      [  +0.000002] hci_conn_drop: hcon f53d56e0 orig refcnt 1
      [  +0.000015] l2cap_chan_put: chan ee4b1770 orig refcnt 3
      [  +0.000038] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT
      [  +0.000003] hci_chan_list_flush: hcon f53d56e0
      [  +0.000002] hci_conn_hash_del: hci0 hcon f53d56e0
      [  +0.000001] ------------[ cut here ]------------
      [  +0.000461] WARNING: CPU: 0 PID: 1782 at lib/list_debug.c:56 __list_del_entry+0x3f/0x71()
      [  +0.000839] list_del corruption, f53d56e0->prev is LIST_POISON2 (00000200)
      
      The necessary fix is unfortunately more complicated than just adding
      hci_dev_lock/unlock calls to the hci_conn_timeout() call path.
      Particularly, the hci_conn_del() API, which expects the hci_dev lock to
      be held, performs a cancel_delayed_work_sync(&hcon->disc_work) which
      would lead to a deadlock if the hci_conn_timeout() call path tries to
      acquire the same lock.
      
      This patch solves the problem by deferring the cleanup work to a
      separate work callback. To protect against the hci_dev or hci_conn
      going away meanwhile temporary references are taken with the help of
      hci_dev_hold() and hci_conn_get().
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org # 4.3
      8ce783dc
    • M
      Bluetooth: btintel: Enable extra Intel vendor events · 213445b2
      Marcel Holtmann 提交于
      The Intel Bluetooth controllers can emit extra vendor specific events in
      error conditions or for debugging purposes. To make the life easier for
      engineers, enable them by default. When the vendor_diag options has been
      enabled, then additional debug events are also enabled.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      213445b2
    • M
      Bluetooth: btusb: Set manufacturer for Intel bootloader devices · e4c534bb
      Marcel Holtmann 提交于
      For Intel bootloader devices, set the manufacturer information so that
      it becomes possible to decode the boot process.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      e4c534bb
    • M
      Bluetooth: Introduce driver specific post init callback · 98a63aaf
      Marcel Holtmann 提交于
      Some drivers might have to restore certain settings after the init
      procedure has been completed. This driver callback allows them to hook
      into that stage. This callback is run just before the controller is
      declared as powered up.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      98a63aaf
    • M
      Bluetooth: hci_uart: Provide initial manufacturer information · aee61f7a
      Marcel Holtmann 提交于
      Provide an early indication about the manufacturer information so that
      it can be forwarded into monitor channel.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      aee61f7a
    • D
      Bluetooth: l2cap_disconnection_req priority over shutdown · 9f7378a9
      Dean Jenkins 提交于
      There is a L2CAP protocol race between the local peer and
      the remote peer demanding disconnection of the L2CAP link.
      
      When L2CAP ERTM is used, l2cap_sock_shutdown() can be called
      from userland to disconnect L2CAP. However, there can be a
      delay introduced by waiting for ACKs. During this waiting
      period, the remote peer may have sent a Disconnection Request.
      Therefore, recheck the shutdown status of the socket
      after waiting for ACKs because there is no need to do
      further processing if the connection has gone.
      Signed-off-by: NDean Jenkins <Dean_Jenkins@mentor.com>
      Signed-off-by: NHarish Jenny K N <harish_kandiga@mentor.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      9f7378a9
    • D
      Bluetooth: Reorganize mutex lock in l2cap_sock_shutdown() · 04ba72e6
      Dean Jenkins 提交于
      This commit reorganizes the mutex lock and is now
      only protecting l2cap_chan_close(). This is now consistent
      with other places where l2cap_chan_close() is called.
      
      If a conn connection exists, call
      mutex_lock(&conn->chan_lock) before calling l2cap_chan_close()
      to ensure other L2CAP protocol operations do not interfere.
      
      Note that the conn structure has to be protected from being
      freed as it is possible for the connection to be disconnected
      whilst the locks are not held. This solution allows the mutex
      lock to be used even when the connection has just been
      disconnected.
      
      This commit also reduces the scope of chan locking.
      
      The only place where chan locking is needed is the call to
      l2cap_chan_close(chan, 0) which if necessary closes the channel.
      Therefore, move the l2cap_chan_lock(chan) and
      l2cap_chan_lock(chan) locking calls to around
      l2cap_chan_close(chan, 0).
      
      This allows __l2cap_wait_ack(sk, chan) to be called with no
      chan locks being held so L2CAP messaging over the ACL link
      can be done unimpaired.
      Signed-off-by: NDean Jenkins <Dean_Jenkins@mentor.com>
      Signed-off-by: NHarish Jenny K N <harish_kandiga@mentor.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      04ba72e6
    • D
      Bluetooth: Unwind l2cap_sock_shutdown() · e7456437
      Dean Jenkins 提交于
      l2cap_sock_shutdown() is designed to only action shutdown
      of the channel when shutdown is not already in progress.
      Therefore, reorganise the code flow by adding a goto
      to jump to the end of function handling when shutdown is
      already being actioned. This removes one level of code
      indentation and make the code more readable.
      Signed-off-by: NDean Jenkins <Dean_Jenkins@mentor.com>
      Signed-off-by: NHarish Jenny K N <harish_kandiga@mentor.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      e7456437
    • A
      6lowpan: put mcast compression in an own function · 09bf420f
      Alexander Aring 提交于
      This patch moves the mcast compression algorithmn to an own function
      like all other compression/decompression methods in iphc.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      09bf420f
    • A
      6lowpan: rework tc and flow label handling · b5af9bdb
      Alexander Aring 提交于
      This patch reworks the handling of compression/decompression of traffic
      class and flow label handling. The current method is hard to understand,
      also doesn't checks if we can read the buffer from skb length.
      
      I tried to put the shifting operations into static inline functions and
      comment each steps which I did there to make it hopefully somewhat more
      readable. The big mess to deal with that is the that the ipv6 header
      bring the order "DSCP + ECN" but iphc uses "ECN + DSCP". Additional the
      DCSP + ECN bits are splitted in ipv6_hdr inside the priority and
      flow_lbl[0] fields.
      
      I tested these compressions by using fakelb 802.15.4 driver and
      manipulate the tc and flow label fields manually in function
      "__ip6_local_out" before the skb will be send to lower layers. Then I
      looked up the tc and flow label fields in wireshark on a wpan and lowpan
      interface.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      b5af9bdb
    • A
      6lowpan: iphc: change define values · c8a3e7eb
      Alexander Aring 提交于
      This patch has the main goal to delete shift operations. Instead we
      doing masks and equals afterwards. E.g. for the SAM evaluation we
      masking only the SAM value which fits in iphc1 byte, then comparing with
      all possible SAM values over a switch case statement. We will not
      shifting the SAM value to somewhat readable anymore.
      Additional this patch slighty change the naming style like RFC 6282,
      e.g. TTL to HLIM and we will drop an errno now if CID flag is set,
      because we don't support it.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      c8a3e7eb
    • A
      6lowpan: remove lowpan_is_addr_broadcast · 028b2a8c
      Alexander Aring 提交于
      This macro is used at 802.15.4 6LoWPAN only and can be replaced by
      memcmp with the interface broadcast address.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      028b2a8c
    • A
      6lowpan: move IPHC functionality defines · 6350047e
      Alexander Aring 提交于
      This patch removes the IPHC related defines for doing bit manipulation
      from global 6lowpan header to the iphc file which should the only one
      implementation which use these defines.
      
      Also move next header compression defines to their nhc implementation.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      6350047e
    • A
      6lowpan: nhc: move iphc manipulation out of nhc · 607b0bd3
      Alexander Aring 提交于
      This patch moves the iphc setting of next header commpression bit inside
      iphc functionality. Setting of IPHC bits should be happen at iphc.c file
      only.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      607b0bd3
    • A
      6lowpan: remove lowpan_fetch_skb_u8 · 478208e3
      Alexander Aring 提交于
      This patch removes the lowpan_fetch_skb_u8 function for getting the iphc
      bytes. Instead we using the generic which has a len parameter to tell
      the amount of bytes to fetch.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Acked-by: NJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      478208e3
    • A
      6lowpan: cleanup lowpan_header_decompress · 8911d774
      Alexander Aring 提交于
      This patch changes the lowpan_header_decompress function by removing
      inklayer related information from parameters. This is currently for
      supporting short and extended address for iphc handling in 802154.
      We don't support short address handling anyway right now, but there
      exists already code for handling short addresses in
      lowpan_header_decompress.
      
      The address parameters are also changed to a void pointer, so 6LoWPAN
      linklayer specific code can put complex structures as these parameters
      and cast it again inside the generic code by evaluating linklayer type
      before. The order is also changed by destination address at first and
      then source address, which is the same like all others functions where
      destination is always the first, memcpy, dev_hard_header,
      lowpan_header_compress, etc.
      
      This patch also moves the fetching of iphc values from 6LoWPAN linklayer
      specific code into the generic branch.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Acked-by: NJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      8911d774
    • A
      6lowpan: cleanup lowpan_header_compress · a6f77389
      Alexander Aring 提交于
      This patch changes the lowpan_header_compress function by removing
      unused parameters like "len" and drop static value parameters of
      protocol type. Instead we really check the protocol type inside inside
      the skb structure. Also we drop the use of IEEE802154_ADDR_LEN which is
      link-layer specific. Instead we using EUI64_ADDR_LEN which should always
      the default case for now.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Acked-by: NJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      a6f77389
    • A
      6lowpan: introduce LOWPAN_IPHC_MAX_HC_BUF_LEN · bf513fd6
      Alexander Aring 提交于
      This patch introduces the LOWPAN_IPHC_MAX_HC_BUF_LEN define which
      represent the worst-case supported IPHC buffer length. It's used to
      allocate the stack buffer space for creating the IPHC header.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Acked-by: NJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      bf513fd6
    • A
      bluetooth: 6lowpan: use lowpan dispatch helpers · cefdb801
      Alexander Aring 提交于
      This patch adds a check if the dataroom of skb contains a dispatch value
      by checking if skb->len != 0. This patch also change the dispatch
      evaluation by the recently introduced helpers for checking the common
      6LoWPAN dispatch values for IPv6 and IPHC header.
      
      There was also a forgotten else branch which should drop the packet if
      no matching dispatch is available.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Acked-by: NJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      cefdb801
    • A
      mac802154: llsec: use kzfree · 71cd2aa5
      Alexander Aring 提交于
      This patch will use kzfree instead kfree for security related
      information which can be offered by acccident.
      Signed-off-by: NAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      71cd2aa5
    • J
      Bluetooth: Fix removing connection parameters when unpairing · a6ad2a6b
      Johan Hedberg 提交于
      The commit 89cbb063 introduced support for deferred connection
      parameter removal when unpairing by removing them only once an
      existing connection gets disconnected. However, it failed to address
      the scenario when we're *not* connected and do an unpair operation.
      
      What makes things worse is that most user space BlueZ versions will
      first issue a disconnect request and only then unpair, meaning the
      buggy code will be triggered every time. This effectively causes the
      kernel to resume scanning and reconnect to a device for which we've
      removed all keys and GATT database information.
      
      This patch fixes the issue by adding the missing call to the
      hci_conn_params_del() function to a branch which handles the case of
      no existing connection.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org # 3.19+
      a6ad2a6b
    • M
      Bluetooth: btusb: Add support for latest Apple controllers · 22f8e9db
      Marcel Holtmann 提交于
      The latest Apple Bluetooth controllers with Broadcom chip in it have
      a small design change. Instead of including a USB hub with mouse and
      keyboard devices, they are now HID interfaces on the same device.
      
      T:  Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 39 Spd=12   MxCh= 0
      D:  Ver= 2.01 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=05ac ProdID=8290 Rev= 0.79
      S:  Manufacturer=Broadcom Corp.
      S:  Product=Bluetooth USB Host Controller
      C:* #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=  0mA
      A:  FirstIf#= 2 IfCount= 4 Cls=ff(vend.) Sub=01 Prot=01
      I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
      E:  Ad=85(I) Atr=03(Int.) MxPS=   8 Ivl=10ms
      I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=02 Driver=usbhid
      E:  Ad=86(I) Atr=03(Int.) MxPS=   8 Ivl=10ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 3 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 3 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 3 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 3 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 3 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      
      The general layout of Bluetooth devices is that interface 0 is the main
      interface and interface 1 is for audio data. This design obviously moves
      it to main interface 2 and audio data on interface 3.
      
      Starting with the MacBookPro12,1 (early 2015 models) the new Broadcom
      BCM943602CS cards are used which show this interface layout.
      
      usb 4-1.5: New USB device found, idVendor=05ac, idProduct=8290
      usb 4-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
      usb 4-1.5: Product: Bluetooth USB Host Controller
      usb 4-1.5: Manufacturer: Broadcom Corp.
      Bluetooth: hci0: BCM: chip id 102 build 0243
      Bluetooth: hci0: BCM: product 05ac:8290
      Bluetooth: hci0: BCM20703A1 Generic USB UHE Apple 20Mhz fcbga_X87
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      22f8e9db
    • M
      Bluetooth: btusb: Set early vendor info for Intel and Broadcom · 49a5f782
      Marcel Holtmann 提交于
      For the controllers from Intel and Broadcom (including Apple), it is
      helpful to have the information about the manufacturer send out early.
      
      This patch sets the hdev->manufacturer information which will be send
      out before actually calling the vendor specific hdev->setup driver
      callback.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      49a5f782
    • M
      Bluetooth: Add support setup stage internal notification event · e131d74a
      Marcel Holtmann 提交于
      Before the vendor specific setup stage is triggered call back into the
      core to trigger an internal notification event. That event is used to
      send an index update to the monitor interface. With that specific event
      it is possible to update userspace with manufacturer information before
      any HCI command has been executed. This is useful for early stage
      debugging of vendor specific initialization sequences.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      e131d74a
    • D
      Bluetooth: ath3k: Add support of AR3012 0cf3:817b device · 18e0afab
      Dmitry Tunin 提交于
      T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
      D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=0cf3 ProdID=817b Rev=00.02
      C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      
      BugLink: https://bugs.launchpad.net/bugs/1506615Signed-off-by: NDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      18e0afab
    • D
      Bluetooth: ath3k: Add new AR3012 0930:021c id · cd355ff0
      Dmitry Tunin 提交于
      This adapter works with the existing linux-firmware.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#=  3 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0930 ProdID=021c Rev=00.01
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      
      BugLink: https://bugs.launchpad.net/bugs/1502781Signed-off-by: NDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      cd355ff0
    • S
      Bluetooth: btusb: Add support for Foxconn/Lenovo BCM43142A0 (105b:e065) · 2faf71ce
      Santtu Rekilä 提交于
      Recently salvaged this 'BCM43142A0' WiFi/Bluetooth module from a Lenovo laptop
      and noticed it doesn't work automatically, because the USB IDs are missing
      from btusb.c.
      
      Plugging in the adapter on Linux 4.1 (dmesg):
      usb 3-3.3.3: new full-speed USB device number 90 using xhci_hcd
      usb 3-3.3.3: New USB device found, idVendor=105b, idProduct=e065
      usb 3-3.3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      usb 3-3.3.3: Product: BCM43142A0
      usb 3-3.3.3: Manufacturer: Broadcom Corp
      usb 3-3.3.3: SerialNumber: 0090A286559E
      
      /sys/kernel/debug/usb/devices:
      T:  Bus=03 Lev=03 Prnt=22 Port=02 Cnt=02 Dev#= 90 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=105b ProdID=e065 Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM43142A0
      S:  SerialNumber=0090A286559E
      C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      
      Support for the chipset was added in commit 88f9b65d and a similar BCM43142
      based device was added in commit 8f0c304c.
      
      To work around the issue, I got the firmware
      (BCM43142A0_001.001.011.0122.0153) off a Windows installation of Broadcom
      bluetooth driver and converted it to a .hcd -file via. hex2hcd and placed it
      in /lib/firmware/brcm/BCM.hcd. After that:
      
      $ echo "105b e065 0 19ff 0239" > /sys/bus/usb/drivers/btusb/new_id
      ...(plug in the adapter)
      usb 3-3.3.3: new full-speed USB device number 91 using xhci_hcd
      usb 3-3.3.3: New USB device found, idVendor=105b, idProduct=e065
      usb 3-3.3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      usb 3-3.3.3: Product: BCM43142A0
      usb 3-3.3.3: Manufacturer: Broadcom Corp
      usb 3-3.3.3: SerialNumber: 0090A286559E
      Bluetooth: hci0: BCM: chip id 70
      Bluetooth: hci0: BCM (001.001.011) build 0000
      bluetooth hci0: firmware: direct-loading firmware brcm/BCM.hcd
      Bluetooth: hci0: BCM (001.001.011) build 0154
      
      Bam, now it works for me!
      
      /sys/kernel/debug/usb/devices:
      T:  Bus=03 Lev=03 Prnt=22 Port=02 Cnt=02 Dev#= 92 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=105b ProdID=e065 Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM43142A0
      S:  SerialNumber=0090A286559E
      C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      Signed-off-by: NSanttu Rekilä <sare@r00t3d.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      2faf71ce
    • D
      Bluetooth: hidp: fix device disconnect on idle timeout · 660f0fc0
      David Herrmann 提交于
      The HIDP specs define an idle-timeout which automatically disconnects a
      device. This has always been implemented in the HIDP layer and forced a
      synchronous shutdown of the hidp-scheduler. This works just fine, but
      lacks a forced disconnect on the underlying l2cap channels. This has been
      broken since:
      
          commit 5205185d
          Author: David Herrmann <dh.herrmann@gmail.com>
          Date:   Sat Apr 6 20:28:47 2013 +0200
      
              Bluetooth: hidp: remove old session-management
      
      The old session-management always forced an l2cap error on the ctrl/intr
      channels when shutting down. The new session-management skips this, as we
      don't want to enforce channel policy on the caller. In other words, if
      user-space removes an HIDP device, the underlying channels (which are
      *owned* and *referenced* by user-space) are still left active. User-space
      needs to call shutdown(2) or close(2) to release them.
      
      Unfortunately, this does not work with idle-timeouts. There is no way to
      signal user-space that the HIDP layer has been stopped. The API simply
      does not support any event-passing except for poll(2). Hence, we restore
      old behavior and force EUNATCH on the sockets if the HIDP layer is
      disconnected due to idle-timeouts (behavior of explicit disconnects
      remains unmodified). User-space can still call
      
          getsockopt(..., SO_ERROR, ...)
      
      ..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
      still be re-used (which nobody does so far, though). Therefore, the API
      still supports the new behavior, but with this patch it's also compatible
      to the old implicit channel shutdown.
      
      Cc: <stable@vger.kernel.org> # 3.10+
      Reported-by: NMark Haun <haunma@keteu.org>
      Reported-by: NLuiz Augusto von Dentz <luiz.dentz@gmail.com>
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      660f0fc0
    • M
      Bluetooth: btbcm: Read USB product information for Apple devices · 34cea41e
      Marcel Holtmann 提交于
      For the Apple Bluetooth devices, read the USB product information and
      print them. This allows for easy mapping of chip and USB details.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      34cea41e
    • M
      Bluetooth: btbcm: Fix firmware version number calculation · 8045ce21
      Marcel Holtmann 提交于
      The calculation for the firmware version number is off by one bit.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      8045ce21
    • M
      Bluetooth: btusb: Mark BCM2045 devices to have broken link key commands · 6c9d435d
      Marcel Holtmann 提交于
      The BCM2045 seems to have a problem with the stored link key commands
      and thus just mark them as broken.
      
        HCI Event: Command Complete (0x0e) plen 12
           Read Local Supported Features (0x04|0x0003) ncmd 1
           status 0x00
           Features: 0xff 0xff 0x8d 0xfe 0x8f 0xf9 0x00 0x80
        HCI Event: Command Complete (0x0e) plen 12
           Read Local Version Information (0x04|0x0001) ncmd 1
           status 0x00
           HCI Version: 2.0 (0x3) HCI Revision: 0x2000
           LMP Version: 2.0 (0x3) LMP Subversion: 0x410d
           Manufacturer: Broadcom Corporation (15)
        HCI Event: Command Complete (0x0e) plen 11
           Read Buffer Size (0x04|0x0005) ncmd 1
           status 0x00
           ACL MTU 1017:8 SCO MTU 64:0
        HCI Event: Command Complete (0x0e) plen 68
           Read Local Supported Commands (0x04|0x0002) ncmd 1
           status 0x00
           Commands: ffffff03feffcfffffffffff0300f8ff07
        HCI Event: Command Complete (0x0e) plen 4
           Delete Stored Link Key (0x03|0x0012) ncmd 1
           status 0x11 deleted 2048
           Error: Unsupported Feature or Parameter Value
      
      From the looks of it, this device seems genuine and not one of the
      devices that are neither Broadcom nor CSR devices in reality.
      
      T: Bus=04 Lev=02 Prnt=02 Port=02 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
      D: Ver= 2.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=0a5c ProdID=2045 Rev= 1.12
      S: Manufacturer=Broadcom Corp
      S: Product=BCM2045A
      S: SerialNumber=000000000000
      C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
      E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
      E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=00 Driver=(none)
      Reported-and-tested-by: NJulio González Mejías <juliolokooo@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      6c9d435d
    • M
      Bluetooth: btintel: Add diagnostic support for older controllers · 3e24767b
      Marcel Holtmann 提交于
      For the older controllers like Wilkens Peak and Stone Peak, enabling the
      traces requires to switch into manufacturer mode first. This patch does
      exactly that, but only for these older controllers.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      3e24767b
    • M
      Bluetooth: btintel: Set quirk for non-persistent diagnostic settings · d8270fbb
      Marcel Holtmann 提交于
      For Intel controllers the diagnostics settings are not persistent over
      HCI Reset. So set the quirk to programm them again on every power up.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      d8270fbb
    • M
      Bluetooth: Add new quirk for non-persistent diagnostic settings · 7e995b9e
      Marcel Holtmann 提交于
      If the diagnostic settings are not persistent over HCI Reset, then this
      quirk can be used to tell the Bluetoth core about it. This will ensure
      that the settings are programmed correctly when the controller is
      powered up.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      7e995b9e
    • A
      Bluetooth: bpa10x: fix BT_HCIUART dependency · 7841d06e
      Arnd Bergmann 提交于
      The change to bpa10x to use the h4_recv_buf helper added a dependency
      on BT_HCIUART. This was incorrectly added to Kconfig by adding a
      'select' statement, which now in turn causes build failures
      when CONFIG_TTY is not set:
      
      warning: (BT_HCIBPA10X) selects BT_HCIUART which has unmet direct dependencies (NET && BT && TTY)
      vers/built-in.o: In function `hci_uart_tty_receive':
      fpga-mgr.c:(.text+0x282824): undefined reference to `tty_unthrottle'
      drivers/built-in.o: In function `hci_uart_tty_ioctl':
      fpga-mgr.c:(.text+0x282aa0): undefined reference to `n_tty_ioctl_helper'
      drivers/built-in.o: In function `hci_uart_flush':
      
      This replaces the 'select BT_HCIUART' dependency with 'depends on', which
      does not have this kind of problem. Alternatively, one could add 'depends
      on TTY', but avoiding 'select' on user-visible options is generally the
      preferred choice as that does not introduce the potential for dependency
      loops or incomplete dependency chains.
      
      Fixes: 91489919 ("Bluetooth: bpa10x: Fix missing BT_HCIUART dependency")
      Fixes: 943cc592 ("Bluetooth: bpa10x: Use h4_recv_buf helper for frame reassembly")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      7841d06e
    • M
      Bluetooth: btusb: Print information of Intel SfP lock states · 2220994e
      Marcel Holtmann 提交于
      The lock states from Intel SfP controllers can only be read once before
      loading the firmware. So for debugging purposes, print them out.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      2220994e
    • J
      Bluetooth: Don't use remote address type to decide IRK persistency · cad20c27
      Johan Hedberg 提交于
      There are LE devices on the market that start off by announcing their
      public address and then once paired switch to using private address.
      To be interoperable with such devices we should simply trust the fact
      that we're receiving an IRK from them to indicate that they may use
      private addresses in the future. Instead, simply tie the persistency
      to the bonding/no-bonding information the same way as for LTKs and
      CSRKs.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      cad20c27
    • M
      Bluetooth: Queue diagnostic messages together with HCI packets · 581d6fd6
      Marcel Holtmann 提交于
      Sending diagnostic messages directly to the monitor socket might cause
      issues for devices processing their messages in interrupt context. So
      instead of trying to directly forward them, queue them up with the other
      HCI packets and lets them be processed by the sockets at the same time.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      581d6fd6
    • M
      Bluetooth: Restrict valid packet types via HCI_CHANNEL_RAW · bb77543e
      Marcel Holtmann 提交于
      When using the HCI_CHANNEL_RAW, restrict the packet types to valid ones
      from the Bluetooth specification.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      bb77543e
    • M
      Bluetooth: Remove quirk for HCI_VENDOR_PKT filter handling · 8cd4f581
      Marcel Holtmann 提交于
      The HCI_VENDOR_PKT quirk was needed for BPA-100/105 devices that send
      these messages. Now that there is support for proper diagnostic channel
      this quirk is no longer needed.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      8cd4f581