summaryrefslogtreecommitdiffstats
path: root/drivers/bluetooth (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Bluetooth: btrtl: remove unneeded semicolonYueHaibing2019-10-261-1/+1
| | | | | | | | Remove unneeded semicolon. This is detected by coccinelle. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_bcm: Fix RTS handling during startupStefan Wahren2019-10-211-0/+2
| | | | | | | | | | | The RPi 4 uses the hardware handshake lines for CYW43455, but the chip doesn't react to HCI requests during DT probe. The reason is the inproper handling of the RTS line during startup. According to the startup signaling sequence in the CYW43455 datasheet, the hosts RTS line must be driven after BT_REG_ON and BT_HOST_WAKE. Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Revert "Bluetooth: hci_qca: Add delay for wcn3990 stability"Jeffrey Hugo2019-10-211-3/+1
| | | | | | | | | | | | This reverts commit cde9dde6e11a5ab54b6462cd46d82878926783bc. The frame reassembly errors were root caused to a transient gpio issue. The missing response was root caused to an issue with properly managing RFR in the uart driver. Addressing those root causes occurs outside of hci_qca and eliminates the need for the 50ms delay, so remove it. Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btusb: Remove return statement in btintel_reset_to_bootloaderNathan Chancellor2019-10-191-1/+0
| | | | | | | | | | | | | | | | | | | | | | When building with Clang and CONFIG_BT_INTEL unset, the following error occurs: In file included from drivers/bluetooth/hci_ldisc.c:34: drivers/bluetooth/btintel.h:188:2: error: void function 'btintel_reset_to_bootloader' should not return a value [-Wreturn-type] return -EOPNOTSUPP; ^ ~~~~~~~~~~~ 1 error generated. Remove the unneeded return statement to fix this. Fixes: b9a2562f4918 ("Bluetooth: btusb: Trigger Intel FW download error recovery") Link: https://github.com/ClangBuiltLinux/linux/issues/743 Reported-by: <ci_notify@linaro.org> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Split qca_power_setup()Bjorn Andersson2019-10-171-25/+36
| | | | | | | | | Split and rename qca_power_setup() in order to simplify each code path and to clarify that it is unrelated to qca_power_off() and qca_power_setup(). Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Use regulator bulk enable/disableBjorn Andersson2019-10-171-42/+13
| | | | | | | | | | | | | With the regulator_set_load() and regulator_set_voltage() out of the enable/disable code paths the code can now use the standard regulator bulk enable/disable API. By cloning num_vregs into struct qca_power there's no need to lug around a reference to the struct qca_vreg_data, which further simplifies qca_power_setup(). Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Don't vote for specific voltageBjorn Andersson2019-10-171-18/+8
| | | | | | | | | | | | | | Devices with specific voltage requirements should not request voltage from the driver, but instead rely on the system configuration to define appropriate voltages for each rail. This ensures that PMIC and board variations are accounted for, something that the 0.1V range in the hci_qca driver currently tries to address. But on the Lenovo Yoga C630 (with wcn3990) vddch0 is 3.1V, which means the driver will fail to set the voltage. Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Update regulator_set_load() usageBjorn Andersson2019-10-171-15/+18
| | | | | | | | | | | | Since the introduction of '5451781dadf8 ("regulator: core: Only count load for enabled consumers")' in v5.0, the requested load of a regulator consumer is only accounted for when said consumer is voted enabled. So there's no need to vote for load ever time the regulator is enabled or disabled. Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Add delay for wcn3990 stabilityJeffrey Hugo2019-10-171-1/+3
| | | | | | | | | | | | | On the msm8998 mtp, the response to the baudrate change command is never received. On the Lenovo Miix 630, the response to the baudrate change command is corrupted - "Frame reassembly failed (-84)". Adding a 50ms delay before re-enabling flow to receive the baudrate change command response from the wcn3990 addesses both issues, and allows bluetooth to become functional. Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btusb: Trigger Intel FW download error recoveryAmit K Bag2019-10-173-4/+67
| | | | | | | | | | | | | | | | | Sometimes during FW data download stage, in case of an error is encountered the controller device could not be recovered. To recover from such failures send Intel hard Reset to re-trigger FW download in following error scenarios: 1. Intel Read version command error 2. Firmware download timeout 3. Failure in Intel Soft Reset for switching to operational FW 4. Boot timeout for switching to operaional FW Signed-off-by: Raghuram Hegde <raghuram.hegde@intel.com> Signed-off-by: Chethan T N <chethan.tumkur.narayan@intel.com> Signed-off-by: Amit K Bag <amit.k.bag@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btwilink: drop superseded driverSebastian Reichel2019-10-163-349/+0
| | | | | | | | All users of this driver have been converted to the serdev based hci_ll driver. The unused driver can be safely dropped now. Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Revert "Bluetooth: hci_ll: set operational frequency earlier"Adam Ford2019-10-161-21/+18
| | | | | | | | | | | | | | As nice as it would be to update firmware faster, that patch broke at least two different boards, an OMAP4+WL1285 based Motorola Droid 4, as reported by Sebasian Reichel and the Logic PD i.MX6Q + WL1837MOD. This reverts commit a2e02f38eff84f199c8e32359eb213f81f270047. Signed-off-by: Adam Ford <aford173@gmail.com> Acked-by: Sebastian Reichel <sebastian.reichel@collabora.com> Cc: stable@vger.kernel.org Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btusb: Use IS_ENABLED instead of #ifdefMarcel Holtmann2019-10-161-15/+7
| | | | | | | | For the different hardware support options, it is better to use IS_ENABLED check. Let the compiler do the needed optimizations. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
* Bluetooth: btusb: avoid unused function warningArnd Bergmann2019-10-161-3/+2
| | | | | | | | | | | | | | | The btusb_rtl_cmd_timeout() function is used inside of an ifdef, leading to a warning when this part is hidden from the compiler: drivers/bluetooth/btusb.c:530:13: error: unused function 'btusb_rtl_cmd_timeout' [-Werror,-Wunused-function] Use an IS_ENABLED() check instead so the compiler can see the code and then discard it silently. Fixes: d7ef0d1e3968 ("Bluetooth: btusb: Use cmd_timeout to reset Realtek device") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btusb: print FW version after FW downloadAmit K Bag2019-10-161-0/+7
| | | | | | | | | | After FW download there is no print to confirm the current FW version. Add print to check FW version incase of FW download. Signed-off-by: Amit K Bag <amit.k.bag@intel.com> Signed-off-by: Yoni Shavit <yshavit@chromium.org> Signed-off-by: Chethan Tumkur Narayan <chethan.tumkur.narayan@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btrtl: Fix an issue for the incorrect error return code.Max Chou2019-10-161-1/+1
| | | | | | | | It does not need the '-' for PTR_ERR(skb) because PTR_ERR(skb) will return the negative value during errors. Signed-off-by: Max Chou <max.chou@realtek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_nokia: Save a few cycles in 'nokia_enqueue()'Christophe JAILLET2019-10-161-1/+1
| | | | | | | | | | | 'skb_pad()' a few lines above already initializes the "padded" byte to 0. So there is no need to do it twice. All what is needed is to increase the len of the skb. So 'skb_put(..., 1)' is enough here. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netDavid S. Miller2019-09-153-10/+10
|\ | | | | | | | | | | Minor overlapping changes in the btusb and ixgbe drivers. Signed-off-by: David S. Miller <davem@davemloft.net>
| * Bluetooth: bpa10x: change return valueNavid Emamdoost2019-09-041-1/+1
| | | | | | | | | | | | | | | | When returning from bpa10x_send_frame, it is necessary to propagate any potential errno returned from usb_submit_urb. Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * Bluetooth: hci_qca: disable irqs when spinlock is acquiredHarish Bandi2019-09-041-4/+6
| | | | | | | | | | | | | | | | | | | | | | Looks like Deadlock is observed in hci_qca while performing stress and stability tests. Since same lock is getting acquired from qca_wq_awake_rx and hci_ibs_tx_idle_timeout seeing spinlock recursion, irqs should be disable while acquiring the spinlock always. Signed-off-by: Harish Bandi <c-hbandi@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devicesJian-Hong Pan2019-09-041-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ASUS X412FA laptop contains a Realtek RTL8822CE device with an associated BT chip using a USB ID of 04ca:4005. This ID is added to the driver. The /sys/kernel/debug/usb/devices portion for this device is: T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=04ca ProdID=4005 Rev= 0.00 S: Manufacturer=Realtek S: Product=Bluetooth Radio S: SerialNumber=00e04c000001 C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204707 Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"Mario Limonciello2019-08-301-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit a0085f2510e8976614ad8f766b209448b385492f. This commit has caused regressions in notebooks that support suspend to idle such as the XPS 9360, XPS 9370 and XPS 9380. These notebooks will wakeup from suspend to idle from an unsolicited advertising packet from an unpaired BLE device. In a bug report it was sugggested that this is caused by a generic lack of LE privacy support. Revert this commit until that behavior can be avoided by the kernel. Fixes: a0085f2510e8 ("Bluetooth: btusb: driver to enable the usb-wakeup feature") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=200039 Link: https://marc.info/?l=linux-bluetooth&m=156441081612627&w=2 Link: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/750073/ CC: Bastien Nocera <hadess@hadess.net> CC: Christian Kellner <ckellner@redhat.com> CC: Sukumar Ghorai <sukumar.ghorai@intel.com> Signed-off-by: Mario Limonciello <mario.limonciello@dell.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btusb: Use cmd_timeout to reset Realtek deviceAlex Lu2019-09-051-0/+31
| | | | | | | | | | | | | | | | | | Realtek Bluetooth controller provides a BT_DIS reset pin for hardware reset of it. The cmd_timeout is helpful on Realtek bluetooth controller where the firmware gets stuck. Signed-off-by: Alex Lu <alex_lu@realsil.com.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btrtl: Fix an issue that failing to download the FW which size is ↵Max Chou2019-09-051-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | over 32K bytes Fix the issue that when the FW size is 32K+, it will fail for the download process because of the incorrect index. When firmware patch length is over 32K, "dl_cmd->index" may >= 0x80. It will be thought as "data end" that download process will not complete. However, driver should recount the index from 1. Signed-off-by: Max Chou <max.chou@realtek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btrtl: Remove trailing newline from calls to rtl_dev macrosAlex Lu2019-09-051-28/+28
| | | | | | | | | | | | | | | | These printing macros already add a trailing newline, so drop these unnecessary additional newlines. Signed-off-by: Alex Lu <alex_lu@realsil.com.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btrtl: Remove redundant prefix from calls to rtl_dev macrosAlex Lu2019-09-051-6/+6
| | | | | | | | | | | | | | | | the rtl: or RTL: prefix in the string is pointless. The rtl_dev_* macros already does that. Signed-off-by: Alex Lu <alex_lu@realsil.com.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btrtl: Add firmware version printAlex Lu2019-09-051-21/+35
| | | | | | | | | | | | | | This patch is used to print fw version for debug convenience Signed-off-by: Alex Lu <alex_lu@realsil.com.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btrtl: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERYAlex Lu2019-09-051-0/+5
| | | | | | | | | | | | | | | | Realtek Bluetooth controllers can do both LE scan and BR/EDR inquiry at once, need to set HCI_QUIRK_SIMULTANEOUS_DISCOVERY quirk. Signed-off-by: Alex Lu <alex_lu@realsil.com.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: hci_qca: wait for Pre shutdown complete event before sending the ↵Harish Bandi2019-09-052-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Power off pulse When SoC receives pre shut down command, it share the same with other COEX shared clients. So SoC needs a short time after sending VS pre shutdown command before turning off the regulators and sending the power off pulse. Along with short delay, needs to wait for command complete event for Pre shutdown VS command Signed-off-by: Harish Bandi <c-hbandi@codeaurora.org> Reviewed-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | bluetooth: hci_bcm: Give more time to come out of resetOndrej Jirman2019-09-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Some supported devices need more time to come out of reset (eg. BCM4345C5 in AP6256). I don't have/found a datasheet, so the value was arrive at experimentally with the Oprange Pi 3 board. Without increased delay, I got intermittent failures during probe. This is a Bluetooth 5.0 device, so maybe that's why it takes longer to initialize than the others. Signed-off-by: Ondrej Jirman <megous@megous.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | bluetooth: bcm: Add support for loading firmware for BCM4345C5Ondrej Jirman2019-09-052-0/+4
| | | | | | | | | | | | | | Detect BCM4345C5 and load a corresponding firmware file. Signed-off-by: Ondrej Jirman <megous@megous.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: hci_qca: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for QCA UART RadioRocky Liao2019-09-051-0/+5
| | | | | | | | | | | | | | | | QCA UART Bluetooth controllers can do both LE scan and BR/EDR inquiry at once, need to set HCI_QUIRK_SIMULTANEOUS_DISCOVERY quirk. Signed-off-by: Rocky Liao <rjliao@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: hci_qca: Make structure qca_proto constantNishka Dasgupta2019-09-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Static structure qca_proto, of type hci_uart_proto, is used four times: as the last argument in function hci_uart_register_device(), and as the only argument to functions hci_uart_register_proto() and hci_uart_unregister_proto(). In all three of these functions, the parameter corresponding to qca_proto is declared as constant. Therefore, make qca_proto itself constant as well in order to protect it from unintended modification. Issue found with Coccinelle. Signed-off-by: Nishka Dasgupta <nishkadg.linux@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: btusb: Fix suspend issue for Realtek devicesAlex Lu2019-09-051-4/+30
| | | | | | | | | | | | | | | | | | | | | | | | From the perspective of controller, global suspend means there is no SET_FEATURE (DEVICE_REMOTE_WAKEUP) and controller would drop the firmware. It would consume less power. So we should not send this kind of SET_FEATURE when host goes to suspend state. Otherwise, when making device enter selective suspend, host should send SET_FEATURE to make sure the firmware remains. Signed-off-by: Alex Lu <alex_lu@realsil.com.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: hci_bcm: Fix -Wunused-const-variable warningsYueHaibing2019-09-051-15/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If CONFIG_ACPI is not set, gcc warn this: drivers/bluetooth/hci_bcm.c:831:39: warning: acpi_bcm_int_last_gpios defined but not used [-Wunused-const-variable=] drivers/bluetooth/hci_bcm.c:838:39: warning: acpi_bcm_int_first_gpios defined but not used [-Wunused-const-variable=] move them to #ifdef CONFIG_ACPI block. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | Bluetooth: hci_qca: Remove redundant initializations to zeroMatthias Kaehlcke2019-09-051-19/+0
|/ | | | | | | | | | The qca_data structure is allocated with kzalloc() and hence zero-initialized. Remove a bunch of unnecessary explicit initializations of struct members to zero. Signed-off-by: Matthias Kaehlcke <mka@chromium.org> Reviewed-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Skip 1 error print in device_want_to_sleep()Rocky Liao2019-08-141-2/+2
| | | | | | | | Don't fall through to print error message when receive sleep indication in HCI_IBS_RX_ASLEEP state, this is allowed behavior. Signed-off-by: Rocky Liao <rjliao@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btqca: Reset download type to defaultBalakrishna Godavarthi2019-08-121-0/+1
| | | | | | | | | | | This patch will reset the download flag to default value before retrieving the download mode type. Fixes: 32646db8cc28 ("Bluetooth: btqca: inject command complete event during fw download") Signed-off-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> Tested-by: Claire Chang <tientzu@chromium.org> Reviewed-by: Claire Chang <tientzu@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btqca: release_firmware after qca_inject_cmd_complete_eventClaire Chang2019-08-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 32646db8cc28 ("Bluetooth: btqca: inject command complete event during fw download") added qca_inject_cmd_complete_event() for certain qualcomm chips. However, qca_download_firmware() will return without calling release_firmware() in this case. This leads to a memory leak like the following found by kmemleak: unreferenced object 0xfffffff3868a5880 (size 128): comm "kworker/u17:5", pid 347, jiffies 4294676481 (age 312.157s) hex dump (first 32 bytes): ac fd 00 00 00 00 00 00 00 d0 7e 17 80 ff ff ff ..........~..... 00 00 00 00 00 00 00 00 00 59 8a 86 f3 ff ff ff .........Y...... backtrace: [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298 [<000000006ea0398c>] _request_firmware+0x74/0x4e4 [<000000004da31ca0>] request_firmware+0x44/0x64 [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca] [<00000000b24d615a>] qca_uart_setup+0xc0/0x2b0 [btqca] [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart] [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart] [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth] [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth] [<00000000d4151583>] process_one_work+0x210/0x420 [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4 [<000000007ccaf055>] kthread+0x124/0x134 [<00000000bef1f723>] ret_from_fork+0x10/0x18 [<00000000c36ee3dd>] 0xffffffffffffffff unreferenced object 0xfffffff37b16de00 (size 128): comm "kworker/u17:5", pid 347, jiffies 4294676873 (age 311.766s) hex dump (first 32 bytes): da 07 00 00 00 00 00 00 00 50 ff 0b 80 ff ff ff .........P...... 00 00 00 00 00 00 00 00 00 dd 16 7b f3 ff ff ff ...........{.... backtrace: [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298 [<000000006ea0398c>] _request_firmware+0x74/0x4e4 [<000000004da31ca0>] request_firmware+0x44/0x64 [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca] [<000000000cde20a9>] qca_uart_setup+0x144/0x2b0 [btqca] [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart] [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart] [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth] [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth] [<00000000d4151583>] process_one_work+0x210/0x420 [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4 [<000000007ccaf055>] kthread+0x124/0x134 [<00000000bef1f723>] ret_from_fork+0x10/0x18 [<00000000c36ee3dd>] 0xffffffffffffffff Make sure release_firmware() is called aftre qca_inject_cmd_complete_event() to avoid the memory leak. Fixes: 32646db8cc28 ("Bluetooth: btqca: inject command complete event during fw download") Signed-off-by: Claire Chang <tientzu@chromium.org> Reviewed-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Send VS pre shutdown command.Harish Bandi2019-08-123-0/+31
| | | | | | | | | WCN399x chips are coex chips, it needs a VS pre shutdown command while turning off the BT. So that chip can inform BT is OFF to other active clients. Signed-off-by: Harish Bandi <c-hbandi@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btqca: Use correct byte format for opcode of injected commandMatthias Kaehlcke2019-08-121-1/+1
| | | | | | | | | | | | | The opcode of the command injected by commit 32646db8cc28 ("Bluetooth: btqca: inject command complete event during fw download") uses the CPU byte format, however it should always be little endian. In practice it shouldn't really matter, since all we need is an opcode != 0, but still let's do things correctly and keep sparse happy. Fixes: 32646db8cc28 ("Bluetooth: btqca: inject command complete event during fw download") Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Matthias Kaehlcke <mka@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_qca: Use kfree_skb() instead of kfree()Wei Yongjun2019-08-121-1/+1
| | | | | | | | | Use kfree_skb() instead of kfree() to free sk_buff. Fixes: 2faa3f15fa2f ("Bluetooth: hci_qca: wcn3990: Drop baudrate change vendor event") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: Matthias Kaehlcke <mka@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btqca: Add a short delay before downloading the NVMMatthias Kaehlcke2019-08-121-0/+3
| | | | | | | | | | | | | | | | On WCN3990 downloading the NVM sometimes fails with a "TLV response size mismatch" error: [ 174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin [ 174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch It seems the controller needs a short time after downloading the firmware before it is ready for the NVM. A delay as short as 1 ms seems sufficient, make it 10 ms just in case. No event is received during the delay, hence we don't just silently drop an extra event. Signed-off-by: Matthias Kaehlcke <mka@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btusb: Fix error return code in btusb_mtk_setup_firmware()Wei Yongjun2019-08-121-1/+3
| | | | | | | | | Fix to return error code -EINVAL from the error handling case instead of 0, as done elsewhere in this function. Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_uart: check for missing tty operationsVladis Dronov2019-07-317-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset() functions which are called by the certain HCI UART protocols (hci_ath, hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control() or directly. This leads to an execution at NULL and can be triggered by an unprivileged user. Fix this by adding a helper function and a check for the missing tty operations in the protocols code. This fixes CVE-2019-10207. The Fixes: lines list commits where calls to tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART protocols. Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50 Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com Cc: stable@vger.kernel.org # v2.6.36+ Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip") Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions") Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support") Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support") Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990") Signed-off-by: Vladis Dronov <vdronov@redhat.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: Yu-Chen, Cho <acho@suse.com> Tested-by: Yu-Chen, Cho <acho@suse.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Bluetooth: btusb: Add protocol support for MediaTek MT7663U USB devicesSean Wang2019-07-061-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the support of enabling MT7663U Bluetooth function running on the top of btusb driver. The information in /sys/kernel/debug/usb/devices about the Bluetooth device is listed as the below. T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 5 Spd=5000 MxCh= 0 D: Ver= 3.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1 P: Vendor=0e8d ProdID=7663 Rev= 1.00 S: Manufacturer=MediaTek Inc. S: Product=Wireless_Device S: SerialNumber=000000000 C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=160mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms Signed-off-by: Sean Wang <sean.wang@mediatek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devicesSean Wang2019-07-062-0/+587
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the support of enabling MT7668U Bluetooth function running on the top of btusb driver. The information in /sys/kernel/debug/usb/devices about the Bluetooth device is listed as the below. T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 D: Ver= 3.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1 P: Vendor=0e8d ProdID=7668 Rev= 1.00 S: Manufacturer=MediaTek Inc. S: Product=Wireless_Device S: SerialNumber=000000000 C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=160mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms Signed-off-by: Sean Wang <sean.wang@mediatek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: Add new 13d3:3491 QCA_ROME deviceJoão Paulo Rechi Vita2019-07-061-0/+1
| | | | | | | | | | | | | | | Without the QCA ROME setup routine this adapter fails to establish a SCO connection. T: Bus=01 Lev=01 Prnt=01 Port=08 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3491 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: Add new 13d3:3501 QCA_ROME deviceJoão Paulo Rechi Vita2019-07-061-0/+1
| | | | | | | | | | | | | | | Without the QCA ROME setup routine this adapter fails to establish a SCO connection. T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3501 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* Bluetooth: hci_bcsp: Fix memory leak in rx_skbTomas Bortoli2019-07-061-0/+5
| | | | | | | | | | | Syzkaller found that it is possible to provoke a memory leak by never freeing rx_skb in struct bcsp_struct. Fix by freeing in bcsp_close() Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com Signed-off-by: Marcel Holtmann <marcel@holtmann.org>