tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

Johan Hedberg says:

====================
pull request: bluetooth-next 2016-04-12

Here's a set of Bluetooth & 802.15.4 patches intended for the 4.7 kernel:

- Fix for race condition in vhci driver
- Memory leak fix for ieee802154/adf7242 driver
- Improvements to deal with single-mode (LE-only) Bluetooth controllers
- Fix for allowing the BT_SECURITY_FIPS security level
- New BCM2E71 ACPI ID
- NULL pointer dereference fix fox hci_ldisc driver

Let me know if there are any issues pulling. Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 69fb7812 9a6f2b01

+74 -39
+1
drivers/bluetooth/hci_bcm.c
··· 825 825 { "BCM2E64", 0 }, 826 826 { "BCM2E65", 0 }, 827 827 { "BCM2E67", 0 }, 828 + { "BCM2E71", 0 }, 828 829 { "BCM2E7B", 0 }, 829 830 { "BCM2E7C", 0 }, 830 831 { },
+31 -26
drivers/bluetooth/hci_bcsp.c
··· 102 102 /* Initialise the crc calculator */ 103 103 #define BCSP_CRC_INIT(x) x = 0xffff 104 104 105 - /* 106 - Update crc with next data byte 107 - 108 - Implementation note 109 - The data byte is treated as two nibbles. The crc is generated 110 - in reverse, i.e., bits are fed into the register from the top. 111 - */ 105 + /* Update crc with next data byte 106 + * 107 + * Implementation note 108 + * The data byte is treated as two nibbles. The crc is generated 109 + * in reverse, i.e., bits are fed into the register from the top. 110 + */ 112 111 static void bcsp_crc_update(u16 *crc, u8 d) 113 112 { 114 113 u16 reg = *crc; ··· 222 223 } 223 224 224 225 /* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2 225 - (because bytes 0xc0 and 0xdb are escaped, worst case is 226 - when the packet is all made of 0xc0 and 0xdb :) ) 227 - + 2 (0xc0 delimiters at start and end). */ 226 + * (because bytes 0xc0 and 0xdb are escaped, worst case is 227 + * when the packet is all made of 0xc0 and 0xdb :) ) 228 + * + 2 (0xc0 delimiters at start and end). 229 + */ 228 230 229 231 nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC); 230 232 if (!nskb) ··· 285 285 struct bcsp_struct *bcsp = hu->priv; 286 286 unsigned long flags; 287 287 struct sk_buff *skb; 288 - 288 + 289 289 /* First of all, check for unreliable messages in the queue, 290 290 since they have priority */ 291 291 ··· 305 305 } 306 306 307 307 /* Now, try to send a reliable pkt. We can only send a 308 - reliable packet if the number of packets sent but not yet ack'ed 309 - is < than the winsize */ 308 + * reliable packet if the number of packets sent but not yet ack'ed 309 + * is < than the winsize 310 + */ 310 311 311 312 spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING); 312 313 ··· 333 332 spin_unlock_irqrestore(&bcsp->unack.lock, flags); 334 333 335 334 /* We could not send a reliable packet, either because there are 336 - none or because there are too many unack'ed pkts. Did we receive 337 - any packets we have not acknowledged yet ? */ 335 + * none or because there are too many unack'ed pkts. Did we receive 336 + * any packets we have not acknowledged yet ? 337 + */ 338 338 339 339 if (bcsp->txack_req) { 340 340 /* if so, craft an empty ACK pkt and send it on BCSP unreliable 341 - channel 0 */ 341 + * channel 0 342 + */ 342 343 struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT); 343 344 return nskb; 344 345 } ··· 402 399 } 403 400 404 401 /* Handle BCSP link-establishment packets. When we 405 - detect a "sync" packet, symptom that the BT module has reset, 406 - we do nothing :) (yet) */ 402 + * detect a "sync" packet, symptom that the BT module has reset, 403 + * we do nothing :) (yet) 404 + */ 407 405 static void bcsp_handle_le_pkt(struct hci_uart *hu) 408 406 { 409 407 struct bcsp_struct *bcsp = hu->priv; ··· 466 462 case 0xdd: 467 463 memcpy(skb_put(bcsp->rx_skb, 1), &db, 1); 468 464 if ((bcsp->rx_skb->data[0] & 0x40) != 0 && 469 - bcsp->rx_state != BCSP_W4_CRC) 465 + bcsp->rx_state != BCSP_W4_CRC) 470 466 bcsp_crc_update(&bcsp->message_crc, 0xdb); 471 467 bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC; 472 468 bcsp->rx_count--; ··· 538 534 } else { 539 535 BT_ERR("Packet for unknown channel (%u %s)", 540 536 bcsp->rx_skb->data[1] & 0x0f, 541 - bcsp->rx_skb->data[0] & 0x80 ? 537 + bcsp->rx_skb->data[0] & 0x80 ? 542 538 "reliable" : "unreliable"); 543 539 kfree_skb(bcsp->rx_skb); 544 540 } ··· 566 562 struct bcsp_struct *bcsp = hu->priv; 567 563 const unsigned char *ptr; 568 564 569 - BT_DBG("hu %p count %d rx_state %d rx_count %ld", 565 + BT_DBG("hu %p count %d rx_state %d rx_count %ld", 570 566 hu, count, bcsp->rx_state, bcsp->rx_count); 571 567 572 568 ptr = data; ··· 595 591 continue; 596 592 } 597 593 if (bcsp->rx_skb->data[0] & 0x80 /* reliable pkt */ 598 - && (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) { 594 + && (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) { 599 595 BT_ERR("Out-of-order packet arrived, got %u expected %u", 600 596 bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack); 601 597 ··· 605 601 continue; 606 602 } 607 603 bcsp->rx_state = BCSP_W4_DATA; 608 - bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) + 604 + bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) + 609 605 (bcsp->rx_skb->data[2] << 4); /* May be 0 */ 610 606 continue; 611 607 ··· 619 615 620 616 case BCSP_W4_CRC: 621 617 if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) { 622 - BT_ERR ("Checksum failed: computed %04x received %04x", 618 + BT_ERR("Checksum failed: computed %04x received %04x", 623 619 bitrev16(bcsp->message_crc), 624 620 bscp_get_crc(bcsp)); 625 621 ··· 657 653 BCSP_CRC_INIT(bcsp->message_crc); 658 654 659 655 /* Do not increment ptr or decrement count 660 - * Allocate packet. Max len of a BCSP pkt= 661 - * 0xFFF (payload) +4 (header) +2 (crc) */ 656 + * Allocate packet. Max len of a BCSP pkt= 657 + * 0xFFF (payload) +4 (header) +2 (crc) 658 + */ 662 659 663 660 bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC); 664 661 if (!bcsp->rx_skb) {
+7 -4
drivers/bluetooth/hci_ldisc.c
··· 227 227 tty_ldisc_flush(tty); 228 228 tty_driver_flush_buffer(tty); 229 229 230 - if (test_bit(HCI_UART_PROTO_SET, &hu->flags)) 230 + if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) 231 231 hu->proto->flush(hu); 232 232 233 233 return 0; ··· 492 492 493 493 cancel_work_sync(&hu->write_work); 494 494 495 - if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) { 495 + if (test_and_clear_bit(HCI_UART_PROTO_READY, &hu->flags)) { 496 496 if (hdev) { 497 497 if (test_bit(HCI_UART_REGISTERED, &hu->flags)) 498 498 hci_unregister_dev(hdev); ··· 500 500 } 501 501 hu->proto->close(hu); 502 502 } 503 + clear_bit(HCI_UART_PROTO_SET, &hu->flags); 503 504 504 505 kfree(hu); 505 506 } ··· 527 526 if (tty != hu->tty) 528 527 return; 529 528 530 - if (test_bit(HCI_UART_PROTO_SET, &hu->flags)) 529 + if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) 531 530 hci_uart_tx_wakeup(hu); 532 531 } 533 532 ··· 551 550 if (!hu || tty != hu->tty) 552 551 return; 553 552 554 - if (!test_bit(HCI_UART_PROTO_SET, &hu->flags)) 553 + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) 555 554 return; 556 555 557 556 /* It does not need a lock here as it is already protected by a mutex in ··· 639 638 return err; 640 639 641 640 hu->proto = p; 641 + set_bit(HCI_UART_PROTO_READY, &hu->flags); 642 642 643 643 err = hci_uart_register_dev(hu); 644 644 if (err) { 645 + clear_bit(HCI_UART_PROTO_READY, &hu->flags); 645 646 p->close(hu); 646 647 return err; 647 648 }
+1
drivers/bluetooth/hci_uart.h
··· 95 95 /* HCI_UART proto flag bits */ 96 96 #define HCI_UART_PROTO_SET 0 97 97 #define HCI_UART_REGISTERED 1 98 + #define HCI_UART_PROTO_READY 2 98 99 99 100 /* TX states */ 100 101 #define HCI_UART_SENDING 1
+6 -3
drivers/bluetooth/hci_vhci.c
··· 189 189 break; 190 190 191 191 case HCI_VENDOR_PKT: 192 + cancel_delayed_work_sync(&data->open_timeout); 193 + 192 194 if (data->hdev) { 193 195 kfree_skb(skb); 194 196 return -EBADFD; 195 197 } 196 - 197 - cancel_delayed_work_sync(&data->open_timeout); 198 198 199 199 opcode = *((__u8 *) skb->data); 200 200 skb_pull(skb, 1); ··· 333 333 static int vhci_release(struct inode *inode, struct file *file) 334 334 { 335 335 struct vhci_data *data = file->private_data; 336 - struct hci_dev *hdev = data->hdev; 336 + struct hci_dev *hdev; 337 337 338 338 cancel_delayed_work_sync(&data->open_timeout); 339 + 340 + hdev = data->hdev; 339 341 340 342 if (hdev) { 341 343 hci_unregister_dev(hdev); 342 344 hci_free_dev(hdev); 343 345 } 344 346 347 + skb_queue_purge(&data->readq); 345 348 file->private_data = NULL; 346 349 kfree(data); 347 350
+2
drivers/net/ieee802154/adf7242.c
··· 1030 1030 if (ret) { 1031 1031 dev_err(&lp->spi->dev, 1032 1032 "upload firmware failed with %d\n", ret); 1033 + release_firmware(fw); 1033 1034 return ret; 1034 1035 } 1035 1036 ··· 1038 1037 if (ret) { 1039 1038 dev_err(&lp->spi->dev, 1040 1039 "verify firmware failed with %d\n", ret); 1040 + release_firmware(fw); 1041 1041 return ret; 1042 1042 } 1043 1043
+9 -2
net/6lowpan/iphc.c
··· 148 148 (((a)->s6_addr16[6]) == 0) && \ 149 149 (((a)->s6_addr[14]) == 0)) 150 150 151 + #define lowpan_is_linklocal_zero_padded(a) \ 152 + (!(hdr->saddr.s6_addr[1] & 0x3f) && \ 153 + !hdr->saddr.s6_addr16[1] && \ 154 + !hdr->saddr.s6_addr32[1]) 155 + 151 156 #define LOWPAN_IPHC_CID_DCI(cid) (cid & 0x0f) 152 157 #define LOWPAN_IPHC_CID_SCI(cid) ((cid & 0xf0) >> 4) 153 158 ··· 1106 1101 true); 1107 1102 iphc1 |= LOWPAN_IPHC_SAC; 1108 1103 } else { 1109 - if (ipv6_saddr_type & IPV6_ADDR_LINKLOCAL) { 1104 + if (ipv6_saddr_type & IPV6_ADDR_LINKLOCAL && 1105 + lowpan_is_linklocal_zero_padded(hdr->saddr)) { 1110 1106 iphc1 |= lowpan_compress_addr_64(&hc_ptr, 1111 1107 &hdr->saddr, 1112 1108 saddr, true); ··· 1141 1135 false); 1142 1136 iphc1 |= LOWPAN_IPHC_DAC; 1143 1137 } else { 1144 - if (ipv6_daddr_type & IPV6_ADDR_LINKLOCAL) { 1138 + if (ipv6_daddr_type & IPV6_ADDR_LINKLOCAL && 1139 + lowpan_is_linklocal_zero_padded(hdr->daddr)) { 1145 1140 iphc1 |= lowpan_compress_addr_64(&hc_ptr, 1146 1141 &hdr->daddr, 1147 1142 daddr, false);
+13
net/bluetooth/hci_event.c
··· 4727 4727 u32 flags; 4728 4728 u8 *ptr, real_len; 4729 4729 4730 + switch (type) { 4731 + case LE_ADV_IND: 4732 + case LE_ADV_DIRECT_IND: 4733 + case LE_ADV_SCAN_IND: 4734 + case LE_ADV_NONCONN_IND: 4735 + case LE_ADV_SCAN_RSP: 4736 + break; 4737 + default: 4738 + BT_ERR_RATELIMITED("Unknown advetising packet type: 0x%02x", 4739 + type); 4740 + return; 4741 + } 4742 + 4730 4743 /* Find the end of the data in case the report contains padded zero 4731 4744 * bytes at the end causing an invalid length value. 4732 4745 *
+3 -3
net/bluetooth/hci_request.c
··· 1065 1065 if (instance_flags & MGMT_ADV_FLAG_LIMITED_DISCOV) 1066 1066 flags |= LE_AD_LIMITED; 1067 1067 1068 + if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) 1069 + flags |= LE_AD_NO_BREDR; 1070 + 1068 1071 if (flags || (instance_flags & MGMT_ADV_FLAG_MANAGED_FLAGS)) { 1069 1072 /* If a discovery flag wasn't provided, simply use the global 1070 1073 * settings. 1071 1074 */ 1072 1075 if (!flags) 1073 1076 flags |= mgmt_get_adv_discov_flags(hdev); 1074 - 1075 - if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) 1076 - flags |= LE_AD_NO_BREDR; 1077 1077 1078 1078 /* If flags would still be empty, then there is no need to 1079 1079 * include the "Flags" AD field".
+1 -1
net/bluetooth/l2cap_sock.c
··· 778 778 } 779 779 780 780 if (sec.level < BT_SECURITY_LOW || 781 - sec.level > BT_SECURITY_HIGH) { 781 + sec.level > BT_SECURITY_FIPS) { 782 782 err = -EINVAL; 783 783 break; 784 784 }