Merge tag 'for-net-next-2024-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

+8

Documentation/devicetree/bindings/net/bluetooth/nxp,88w8987-bt.yaml

··· 34 34 firmware-name: 35 35 maxItems: 1 36 36 37 + device-wakeup-gpios: 38 + maxItems: 1 39 + description: 40 + Host-To-Chip power save mechanism is driven by this GPIO 41 + connected to BT_WAKE_IN pin of the NXP chipset. 42 + 37 43 required: 38 44 - compatible 39 45 ··· 47 41 48 42 examples: 49 43 - | 44 + #include <dt-bindings/gpio/gpio.h> 50 45 serial { 51 46 bluetooth { 52 47 compatible = "nxp,88w8987-bt"; 53 48 fw-init-baudrate = <3000000>; 54 49 firmware-name = "uartuart8987_bt_v0.bin"; 50 + device-wakeup-gpios = <&gpio 11 GPIO_ACTIVE_HIGH>; 55 51 }; 56 52 };

+1 -3

drivers/bluetooth/btbcm.c

··· 541 541 static const char *btbcm_get_board_name(struct device *dev) 542 542 { 543 543 #ifdef CONFIG_OF 544 - struct device_node *root; 544 + struct device_node *root __free(device_node) = of_find_node_by_path("/"); 545 545 char *board_type; 546 546 const char *tmp; 547 547 548 - root = of_find_node_by_path("/"); 549 548 if (!root) 550 549 return NULL; 551 550 ··· 554 555 /* get rid of any '/' in the compatible string */ 555 556 board_type = devm_kstrdup(dev, tmp, GFP_KERNEL); 556 557 strreplace(board_type, '/', '-'); 557 - of_node_put(root); 558 558 559 559 return board_type; 560 560 #else

+92 -16

drivers/bluetooth/btintel.c

··· 1040 1040 * as needed. 1041 1041 * 1042 1042 * Send set of commands with 4 byte alignment from the 1043 - * firmware data buffer as a single Data fragement. 1043 + * firmware data buffer as a single Data fragment. 1044 1044 */ 1045 1045 if (!(frag_len % 4)) { 1046 1046 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); ··· 1252 1252 struct intel_reset params; 1253 1253 struct sk_buff *skb; 1254 1254 1255 + /* PCIe transport uses shared hardware reset mechanism for recovery 1256 + * which gets triggered in pcie *setup* function on error. 1257 + */ 1258 + if (hdev->bus == HCI_PCI) 1259 + return; 1260 + 1255 1261 /* Send Intel Reset command. This will result in 1256 1262 * re-enumeration of BT controller. 1257 1263 * ··· 1273 1267 * boot_param: Boot address 1274 1268 * 1275 1269 */ 1270 + 1276 1271 params.reset_type = 0x01; 1277 1272 params.patch_enable = 0x01; 1278 1273 params.ddc_reload = 0x01; ··· 1848 1841 return 0; 1849 1842 } 1850 1843 1844 + static int btintel_boot_wait_d0(struct hci_dev *hdev, ktime_t calltime, 1845 + int msec) 1846 + { 1847 + ktime_t delta, rettime; 1848 + unsigned long long duration; 1849 + int err; 1850 + 1851 + bt_dev_info(hdev, "Waiting for device transition to d0"); 1852 + 1853 + err = btintel_wait_on_flag_timeout(hdev, INTEL_WAIT_FOR_D0, 1854 + TASK_INTERRUPTIBLE, 1855 + msecs_to_jiffies(msec)); 1856 + if (err == -EINTR) { 1857 + bt_dev_err(hdev, "Device d0 move interrupted"); 1858 + return -EINTR; 1859 + } 1860 + 1861 + if (err) { 1862 + bt_dev_err(hdev, "Device d0 move timeout"); 1863 + return -ETIMEDOUT; 1864 + } 1865 + 1866 + rettime = ktime_get(); 1867 + delta = ktime_sub(rettime, calltime); 1868 + duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1869 + 1870 + bt_dev_info(hdev, "Device moved to D0 in %llu usecs", duration); 1871 + 1872 + return 0; 1873 + } 1874 + 1851 1875 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1852 1876 { 1853 1877 ktime_t calltime; ··· 1887 1849 calltime = ktime_get(); 1888 1850 1889 1851 btintel_set_flag(hdev, INTEL_BOOTING); 1852 + btintel_set_flag(hdev, INTEL_WAIT_FOR_D0); 1890 1853 1891 1854 err = btintel_send_intel_reset(hdev, boot_addr); 1892 1855 if (err) { ··· 1900 1861 * is done by the operational firmware sending bootup notification. 1901 1862 * 1902 1863 * Booting into operational firmware should not take longer than 1903 - * 1 second. However if that happens, then just fail the setup 1864 + * 5 second. However if that happens, then just fail the setup 1904 1865 * since something went wrong. 1905 1866 */ 1906 - err = btintel_boot_wait(hdev, calltime, 1000); 1907 - if (err == -ETIMEDOUT) 1867 + err = btintel_boot_wait(hdev, calltime, 5000); 1868 + if (err == -ETIMEDOUT) { 1908 1869 btintel_reset_to_bootloader(hdev); 1870 + goto exit_error; 1871 + } 1909 1872 1873 + if (hdev->bus == HCI_PCI) { 1874 + /* In case of PCIe, after receiving bootup event, driver performs 1875 + * D0 entry by writing 0 to sleep control register (check 1876 + * btintel_pcie_recv_event()) 1877 + * Firmware acks with alive interrupt indicating host is full ready to 1878 + * perform BT operation. Lets wait here till INTEL_WAIT_FOR_D0 1879 + * bit is cleared. 1880 + */ 1881 + calltime = ktime_get(); 1882 + err = btintel_boot_wait_d0(hdev, calltime, 2000); 1883 + } 1884 + 1885 + exit_error: 1910 1886 return err; 1911 1887 } 1912 1888 ··· 2747 2693 2748 2694 struct btintel_dsbr_cmd cmd; 2749 2695 struct sk_buff *skb; 2696 + u32 dsbr, cnvi; 2750 2697 u8 status; 2751 - u32 dsbr; 2752 - bool apply_dsbr; 2753 2698 int err; 2754 2699 2755 - /* DSBR command needs to be sent for BlazarI + B0 step product after 2756 - * downloading IML image. 2700 + cnvi = ver->cnvi_top & 0xfff; 2701 + /* DSBR command needs to be sent for, 2702 + * 1. BlazarI or BlazarIW + B0 step product in IML image. 2703 + * 2. Gale Peak2 or BlazarU in OP image. 2757 2704 */ 2758 - apply_dsbr = (ver->img_type == BTINTEL_IMG_IML && 2759 - ((ver->cnvi_top & 0xfff) == BTINTEL_CNVI_BLAZARI) && 2760 - INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01); 2761 2705 2762 - if (!apply_dsbr) 2706 + switch (cnvi) { 2707 + case BTINTEL_CNVI_BLAZARI: 2708 + case BTINTEL_CNVI_BLAZARIW: 2709 + if (ver->img_type == BTINTEL_IMG_IML && 2710 + INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01) 2711 + break; 2763 2712 return 0; 2713 + case BTINTEL_CNVI_GAP: 2714 + case BTINTEL_CNVI_BLAZARU: 2715 + if (ver->img_type == BTINTEL_IMG_OP && 2716 + hdev->bus == HCI_USB) 2717 + break; 2718 + return 0; 2719 + default: 2720 + return 0; 2721 + } 2764 2722 2765 2723 dsbr = 0; 2766 2724 err = btintel_uefi_get_dsbr(&dsbr); ··· 2814 2748 * command while downloading the firmware. 2815 2749 */ 2816 2750 boot_param = 0x00000000; 2751 + 2752 + /* In case of PCIe, this function might get called multiple times with 2753 + * same hdev instance if there is any error on firmware download. 2754 + * Need to clear stale bits of previous firmware download attempt. 2755 + */ 2756 + for (int i = 0; i < __INTEL_NUM_FLAGS; i++) 2757 + btintel_clear_flag(hdev, i); 2817 2758 2818 2759 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2819 2760 ··· 2908 2835 case 0x12: /* ThP */ 2909 2836 case 0x13: /* HrP */ 2910 2837 case 0x14: /* CcP */ 2911 - /* All Intel new genration controllers support the Microsoft vendor 2838 + /* All Intel new generation controllers support the Microsoft vendor 2912 2839 * extension are using 0xFC1E for VsMsftOpCode. 2913 2840 */ 2914 2841 case 0x17: ··· 3346 3273 } 3347 3274 EXPORT_SYMBOL_GPL(btintel_configure_setup); 3348 3275 3349 - static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3276 + int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 3350 3277 { 3351 3278 struct intel_tlv *tlv = (void *)&skb->data[5]; 3352 3279 ··· 3374 3301 recv_frame: 3375 3302 return hci_recv_frame(hdev, skb); 3376 3303 } 3304 + EXPORT_SYMBOL_GPL(btintel_diagnostics); 3377 3305 3378 3306 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 3379 3307 { ··· 3394 3320 * indicating that the bootup completed. 3395 3321 */ 3396 3322 btintel_bootup(hdev, ptr, len); 3397 - break; 3323 + kfree_skb(skb); 3324 + return 0; 3398 3325 case 0x06: 3399 3326 /* When the firmware loading completes the 3400 3327 * device sends out a vendor specific event ··· 3403 3328 * loading. 3404 3329 */ 3405 3330 btintel_secure_send_result(hdev, ptr, len); 3406 - break; 3331 + kfree_skb(skb); 3332 + return 0; 3407 3333 } 3408 3334 } 3409 3335

+10

drivers/bluetooth/btintel.h

··· 53 53 } __packed; 54 54 55 55 #define BTINTEL_CNVI_BLAZARI 0x900 56 + #define BTINTEL_CNVI_BLAZARIW 0x901 57 + #define BTINTEL_CNVI_GAP 0x910 58 + #define BTINTEL_CNVI_BLAZARU 0x930 56 59 57 60 #define BTINTEL_IMG_BOOTLOADER 0x01 /* Bootloader image */ 58 61 #define BTINTEL_IMG_IML 0x02 /* Intermediate image */ ··· 181 178 INTEL_ROM_LEGACY, 182 179 INTEL_ROM_LEGACY_NO_WBS_SUPPORT, 183 180 INTEL_ACPI_RESET_ACTIVE, 181 + INTEL_WAIT_FOR_D0, 184 182 185 183 __INTEL_NUM_FLAGS, 186 184 }; ··· 253 249 int btintel_shutdown_combined(struct hci_dev *hdev); 254 250 void btintel_hw_error(struct hci_dev *hdev, u8 code); 255 251 void btintel_print_fseq_info(struct hci_dev *hdev); 252 + int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb); 256 253 #else 257 254 258 255 static inline int btintel_check_bdaddr(struct hci_dev *hdev) ··· 386 381 387 382 static inline void btintel_print_fseq_info(struct hci_dev *hdev) 388 383 { 384 + } 385 + 386 + static inline int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 387 + { 388 + return -EOPNOTSUPP; 389 389 } 390 390 #endif

+336 -51

drivers/bluetooth/btintel_pcie.c

··· 48 48 #define BTINTEL_PCIE_HCI_EVT_PKT 0x00000004 49 49 #define BTINTEL_PCIE_HCI_ISO_PKT 0x00000005 50 50 51 + /* Alive interrupt context */ 52 + enum { 53 + BTINTEL_PCIE_ROM, 54 + BTINTEL_PCIE_FW_DL, 55 + BTINTEL_PCIE_HCI_RESET, 56 + BTINTEL_PCIE_INTEL_HCI_RESET1, 57 + BTINTEL_PCIE_INTEL_HCI_RESET2, 58 + BTINTEL_PCIE_D0, 59 + BTINTEL_PCIE_D3 60 + }; 61 + 51 62 static inline void ipc_print_ia_ring(struct hci_dev *hdev, struct ia *ia, 52 63 u16 queue_num) 53 64 { ··· 73 62 { 74 63 bt_dev_dbg(hdev, "RXQ:urbd1(%u) frbd_tag:%u status: 0x%x fixed:0x%x", 75 64 index, urbd1->frbd_tag, urbd1->status, urbd1->fixed); 76 - } 77 - 78 - static int btintel_pcie_poll_bit(struct btintel_pcie_data *data, u32 offset, 79 - u32 bits, u32 mask, int timeout_us) 80 - { 81 - int t = 0; 82 - u32 reg; 83 - 84 - do { 85 - reg = btintel_pcie_rd_reg32(data, offset); 86 - 87 - if ((reg & mask) == (bits & mask)) 88 - return t; 89 - udelay(POLL_INTERVAL_US); 90 - t += POLL_INTERVAL_US; 91 - } while (t < timeout_us); 92 - 93 - return -ETIMEDOUT; 94 65 } 95 66 96 67 static struct btintel_pcie_data *btintel_pcie_get_data(struct msix_entry *entry) ··· 230 237 memset(data->ia.cr_tia, 0, sizeof(u16) * BTINTEL_PCIE_NUM_QUEUES); 231 238 } 232 239 233 - static void btintel_pcie_reset_bt(struct btintel_pcie_data *data) 240 + static int btintel_pcie_reset_bt(struct btintel_pcie_data *data) 234 241 { 235 - btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, 236 - BTINTEL_PCIE_CSR_FUNC_CTRL_SW_RESET); 242 + u32 reg; 243 + int retry = 3; 244 + 245 + reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); 246 + 247 + reg &= ~(BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_ENA | 248 + BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT | 249 + BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_INIT); 250 + reg |= BTINTEL_PCIE_CSR_FUNC_CTRL_BUS_MASTER_DISCON; 251 + 252 + btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, reg); 253 + 254 + do { 255 + reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); 256 + if (reg & BTINTEL_PCIE_CSR_FUNC_CTRL_BUS_MASTER_STS) 257 + break; 258 + usleep_range(10000, 12000); 259 + 260 + } while (--retry > 0); 261 + usleep_range(10000, 12000); 262 + 263 + reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); 264 + 265 + reg &= ~(BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_ENA | 266 + BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT | 267 + BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_INIT); 268 + reg |= BTINTEL_PCIE_CSR_FUNC_CTRL_SW_RESET; 269 + btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, reg); 270 + usleep_range(10000, 12000); 271 + 272 + reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); 273 + bt_dev_dbg(data->hdev, "csr register after reset: 0x%8.8x", reg); 274 + 275 + reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_BOOT_STAGE_REG); 276 + 277 + /* If shared hardware reset is success then boot stage register shall be 278 + * set to 0 279 + */ 280 + return reg == 0 ? 0 : -ENODEV; 237 281 } 238 282 239 283 /* This function enables BT function by setting BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT bit in ··· 282 252 static int btintel_pcie_enable_bt(struct btintel_pcie_data *data) 283 253 { 284 254 int err; 255 + u32 reg; 285 256 286 257 data->gp0_received = false; 287 258 ··· 298 267 data->boot_stage_cache = 0x0; 299 268 300 269 /* Set MAC_INIT bit to start primary bootloader */ 301 - btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); 270 + reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); 271 + reg &= ~(BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_INIT | 272 + BTINTEL_PCIE_CSR_FUNC_CTRL_BUS_MASTER_DISCON | 273 + BTINTEL_PCIE_CSR_FUNC_CTRL_SW_RESET); 274 + reg |= (BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_ENA | 275 + BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT); 302 276 303 - btintel_pcie_set_reg_bits(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, 304 - BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT); 305 - 306 - /* Wait until MAC_ACCESS is granted */ 307 - err = btintel_pcie_poll_bit(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, 308 - BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_ACCESS_STS, 309 - BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_ACCESS_STS, 310 - BTINTEL_DEFAULT_MAC_ACCESS_TIMEOUT_US); 311 - if (err < 0) 312 - return -ENODEV; 277 + btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, reg); 313 278 314 279 /* MAC is ready. Enable BT FUNC */ 315 280 btintel_pcie_set_reg_bits(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG, 316 - BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_ENA | 317 281 BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_INIT); 318 282 319 283 btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_FUNC_CTRL_REG); ··· 316 290 /* wait for interrupt from the device after booting up to primary 317 291 * bootloader. 318 292 */ 293 + data->alive_intr_ctxt = BTINTEL_PCIE_ROM; 319 294 err = wait_event_timeout(data->gp0_wait_q, data->gp0_received, 320 - msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT)); 295 + msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS)); 321 296 if (!err) 322 297 return -ETIME; 323 298 ··· 329 302 return 0; 330 303 } 331 304 305 + /* BIT(0) - ROM, BIT(1) - IML and BIT(3) - OP 306 + * Sometimes during firmware image switching from ROM to IML or IML to OP image, 307 + * the previous image bit is not cleared by firmware when alive interrupt is 308 + * received. Driver needs to take care of these sticky bits when deciding the 309 + * current image running on controller. 310 + * Ex: 0x10 and 0x11 - both represents that controller is running IML 311 + */ 312 + static inline bool btintel_pcie_in_rom(struct btintel_pcie_data *data) 313 + { 314 + return data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_ROM && 315 + !(data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_IML) && 316 + !(data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_OPFW); 317 + } 318 + 319 + static inline bool btintel_pcie_in_op(struct btintel_pcie_data *data) 320 + { 321 + return data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_OPFW; 322 + } 323 + 324 + static inline bool btintel_pcie_in_iml(struct btintel_pcie_data *data) 325 + { 326 + return data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_IML && 327 + !(data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_OPFW); 328 + } 329 + 330 + static inline bool btintel_pcie_in_d3(struct btintel_pcie_data *data) 331 + { 332 + return data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_D3_STATE_READY; 333 + } 334 + 335 + static inline bool btintel_pcie_in_d0(struct btintel_pcie_data *data) 336 + { 337 + return !(data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_D3_STATE_READY); 338 + } 339 + 340 + static void btintel_pcie_wr_sleep_cntrl(struct btintel_pcie_data *data, 341 + u32 dxstate) 342 + { 343 + bt_dev_dbg(data->hdev, "writing sleep_ctl_reg: 0x%8.8x", dxstate); 344 + btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_IPC_SLEEP_CTL_REG, dxstate); 345 + } 346 + 347 + static inline char *btintel_pcie_alivectxt_state2str(u32 alive_intr_ctxt) 348 + { 349 + switch (alive_intr_ctxt) { 350 + case BTINTEL_PCIE_ROM: 351 + return "rom"; 352 + case BTINTEL_PCIE_FW_DL: 353 + return "fw_dl"; 354 + case BTINTEL_PCIE_D0: 355 + return "d0"; 356 + case BTINTEL_PCIE_D3: 357 + return "d3"; 358 + case BTINTEL_PCIE_HCI_RESET: 359 + return "hci_reset"; 360 + case BTINTEL_PCIE_INTEL_HCI_RESET1: 361 + return "intel_reset1"; 362 + case BTINTEL_PCIE_INTEL_HCI_RESET2: 363 + return "intel_reset2"; 364 + default: 365 + return "unknown"; 366 + } 367 + } 368 + 332 369 /* This function handles the MSI-X interrupt for gp0 cause (bit 0 in 333 370 * BTINTEL_PCIE_CSR_MSIX_HW_INT_CAUSES) which is sent for boot stage and image response. 334 371 */ 335 372 static void btintel_pcie_msix_gp0_handler(struct btintel_pcie_data *data) 336 373 { 337 - u32 reg; 374 + bool submit_rx, signal_waitq; 375 + u32 reg, old_ctxt; 338 376 339 377 /* This interrupt is for three different causes and it is not easy to 340 378 * know what causes the interrupt. So, it compares each register value ··· 409 317 if (reg != data->boot_stage_cache) 410 318 data->boot_stage_cache = reg; 411 319 320 + bt_dev_dbg(data->hdev, "Alive context: %s old_boot_stage: 0x%8.8x new_boot_stage: 0x%8.8x", 321 + btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt), 322 + data->boot_stage_cache, reg); 412 323 reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_IMG_RESPONSE_REG); 413 324 if (reg != data->img_resp_cache) 414 325 data->img_resp_cache = reg; 415 326 416 327 data->gp0_received = true; 417 328 418 - /* If the boot stage is OP or IML, reset IA and start RX again */ 419 - if (data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_OPFW || 420 - data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_IML) { 329 + old_ctxt = data->alive_intr_ctxt; 330 + submit_rx = false; 331 + signal_waitq = false; 332 + 333 + switch (data->alive_intr_ctxt) { 334 + case BTINTEL_PCIE_ROM: 335 + data->alive_intr_ctxt = BTINTEL_PCIE_FW_DL; 336 + signal_waitq = true; 337 + break; 338 + case BTINTEL_PCIE_FW_DL: 339 + /* Error case is already handled. Ideally control shall not 340 + * reach here 341 + */ 342 + break; 343 + case BTINTEL_PCIE_INTEL_HCI_RESET1: 344 + if (btintel_pcie_in_op(data)) { 345 + submit_rx = true; 346 + break; 347 + } 348 + 349 + if (btintel_pcie_in_iml(data)) { 350 + submit_rx = true; 351 + data->alive_intr_ctxt = BTINTEL_PCIE_FW_DL; 352 + break; 353 + } 354 + break; 355 + case BTINTEL_PCIE_INTEL_HCI_RESET2: 356 + if (btintel_test_and_clear_flag(data->hdev, INTEL_WAIT_FOR_D0)) { 357 + btintel_wake_up_flag(data->hdev, INTEL_WAIT_FOR_D0); 358 + data->alive_intr_ctxt = BTINTEL_PCIE_D0; 359 + } 360 + break; 361 + case BTINTEL_PCIE_D0: 362 + if (btintel_pcie_in_d3(data)) { 363 + data->alive_intr_ctxt = BTINTEL_PCIE_D3; 364 + signal_waitq = true; 365 + break; 366 + } 367 + break; 368 + case BTINTEL_PCIE_D3: 369 + if (btintel_pcie_in_d0(data)) { 370 + data->alive_intr_ctxt = BTINTEL_PCIE_D0; 371 + submit_rx = true; 372 + signal_waitq = true; 373 + break; 374 + } 375 + break; 376 + case BTINTEL_PCIE_HCI_RESET: 377 + data->alive_intr_ctxt = BTINTEL_PCIE_D0; 378 + submit_rx = true; 379 + signal_waitq = true; 380 + break; 381 + default: 382 + bt_dev_err(data->hdev, "Unknown state: 0x%2.2x", 383 + data->alive_intr_ctxt); 384 + break; 385 + } 386 + 387 + if (submit_rx) { 421 388 btintel_pcie_reset_ia(data); 422 389 btintel_pcie_start_rx(data); 423 390 } 424 391 425 - wake_up(&data->gp0_wait_q); 392 + if (signal_waitq) { 393 + bt_dev_dbg(data->hdev, "wake up gp0 wait_q"); 394 + wake_up(&data->gp0_wait_q); 395 + } 396 + 397 + if (old_ctxt != data->alive_intr_ctxt) 398 + bt_dev_dbg(data->hdev, "alive context changed: %s -> %s", 399 + btintel_pcie_alivectxt_state2str(old_ctxt), 400 + btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt)); 426 401 } 427 402 428 403 /* This function handles the MSX-X interrupt for rx queue 0 which is for TX ··· 523 364 } 524 365 } 525 366 367 + static int btintel_pcie_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 368 + { 369 + struct hci_event_hdr *hdr = (void *)skb->data; 370 + const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 371 + struct btintel_pcie_data *data = hci_get_drvdata(hdev); 372 + 373 + if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 374 + hdr->plen > 0) { 375 + const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 376 + unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 377 + 378 + if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 379 + switch (skb->data[2]) { 380 + case 0x02: 381 + /* When switching to the operational firmware 382 + * the device sends a vendor specific event 383 + * indicating that the bootup completed. 384 + */ 385 + btintel_bootup(hdev, ptr, len); 386 + 387 + /* If bootup event is from operational image, 388 + * driver needs to write sleep control register to 389 + * move into D0 state 390 + */ 391 + if (btintel_pcie_in_op(data)) { 392 + btintel_pcie_wr_sleep_cntrl(data, BTINTEL_PCIE_STATE_D0); 393 + data->alive_intr_ctxt = BTINTEL_PCIE_INTEL_HCI_RESET2; 394 + kfree_skb(skb); 395 + return 0; 396 + } 397 + 398 + if (btintel_pcie_in_iml(data)) { 399 + /* In case of IML, there is no concept 400 + * of D0 transition. Just mimic as if 401 + * IML moved to D0 by clearing INTEL_WAIT_FOR_D0 402 + * bit and waking up the task waiting on 403 + * INTEL_WAIT_FOR_D0. This is required 404 + * as intel_boot() is common function for 405 + * both IML and OP image loading. 406 + */ 407 + if (btintel_test_and_clear_flag(data->hdev, 408 + INTEL_WAIT_FOR_D0)) 409 + btintel_wake_up_flag(data->hdev, 410 + INTEL_WAIT_FOR_D0); 411 + } 412 + kfree_skb(skb); 413 + return 0; 414 + case 0x06: 415 + /* When the firmware loading completes the 416 + * device sends out a vendor specific event 417 + * indicating the result of the firmware 418 + * loading. 419 + */ 420 + btintel_secure_send_result(hdev, ptr, len); 421 + kfree_skb(skb); 422 + return 0; 423 + } 424 + } 425 + 426 + /* Handle all diagnostics events separately. May still call 427 + * hci_recv_frame. 428 + */ 429 + if (len >= sizeof(diagnostics_hdr) && 430 + memcmp(&skb->data[2], diagnostics_hdr, 431 + sizeof(diagnostics_hdr)) == 0) { 432 + return btintel_diagnostics(hdev, skb); 433 + } 434 + 435 + /* This is a debug event that comes from IML and OP image when it 436 + * starts execution. There is no need pass this event to stack. 437 + */ 438 + if (skb->data[2] == 0x97) 439 + return 0; 440 + } 441 + 442 + return hci_recv_frame(hdev, skb); 443 + } 526 444 /* Process the received rx data 527 445 * It check the frame header to identify the data type and create skb 528 446 * and calling HCI API ··· 701 465 hdev->stat.byte_rx += plen; 702 466 703 467 if (pcie_pkt_type == BTINTEL_PCIE_HCI_EVT_PKT) 704 - ret = btintel_recv_event(hdev, new_skb); 468 + ret = btintel_pcie_recv_event(hdev, new_skb); 705 469 else 706 470 ret = hci_recv_frame(hdev, new_skb); 707 471 ··· 752 516 buf += sizeof(*rfh_hdr); 753 517 754 518 skb = alloc_skb(len, GFP_ATOMIC); 755 - if (!skb) { 756 - ret = -ENOMEM; 519 + if (!skb) 757 520 goto resubmit; 758 - } 759 521 760 522 skb_put_data(skb, buf, len); 761 523 skb_queue_tail(&data->rx_skb_q, skb); ··· 968 734 return err; 969 735 } 970 736 971 - err = pcim_iomap_regions(pdev, BIT(0), KBUILD_MODNAME); 972 - if (err) 973 - return err; 974 - 975 - data->base_addr = pcim_iomap_table(pdev)[0]; 976 - if (!data->base_addr) 977 - return -ENODEV; 737 + data->base_addr = pcim_iomap_region(pdev, 0, KBUILD_MODNAME); 738 + if (IS_ERR(data->base_addr)) 739 + return PTR_ERR(data->base_addr); 978 740 979 741 err = btintel_pcie_setup_irq(data); 980 742 if (err) ··· 1283 1053 struct sk_buff *skb) 1284 1054 { 1285 1055 struct btintel_pcie_data *data = hci_get_drvdata(hdev); 1056 + struct hci_command_hdr *cmd; 1057 + __u16 opcode = ~0; 1286 1058 int ret; 1287 1059 u32 type; 1060 + u32 old_ctxt; 1288 1061 1289 1062 /* Due to the fw limitation, the type header of the packet should be 1290 1063 * 4 bytes unlike 1 byte for UART. In UART, the firmware can read ··· 1306 1073 switch (hci_skb_pkt_type(skb)) { 1307 1074 case HCI_COMMAND_PKT: 1308 1075 type = BTINTEL_PCIE_HCI_CMD_PKT; 1076 + cmd = (void *)skb->data; 1077 + opcode = le16_to_cpu(cmd->opcode); 1309 1078 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 1310 1079 struct hci_command_hdr *cmd = (void *)skb->data; 1311 1080 __u16 opcode = le16_to_cpu(cmd->opcode); ··· 1346 1111 bt_dev_err(hdev, "Failed to send frame (%d)", ret); 1347 1112 goto exit_error; 1348 1113 } 1114 + 1115 + if (type == BTINTEL_PCIE_HCI_CMD_PKT && 1116 + (opcode == HCI_OP_RESET || opcode == 0xfc01)) { 1117 + old_ctxt = data->alive_intr_ctxt; 1118 + data->alive_intr_ctxt = 1119 + (opcode == 0xfc01 ? BTINTEL_PCIE_INTEL_HCI_RESET1 : 1120 + BTINTEL_PCIE_HCI_RESET); 1121 + bt_dev_dbg(data->hdev, "sent cmd: 0x%4.4x alive context changed: %s -> %s", 1122 + opcode, btintel_pcie_alivectxt_state2str(old_ctxt), 1123 + btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt)); 1124 + if (opcode == HCI_OP_RESET) { 1125 + data->gp0_received = false; 1126 + ret = wait_event_timeout(data->gp0_wait_q, 1127 + data->gp0_received, 1128 + msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS)); 1129 + if (!ret) { 1130 + hdev->stat.err_tx++; 1131 + bt_dev_err(hdev, "No alive interrupt received for %s", 1132 + btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt)); 1133 + ret = -ETIME; 1134 + goto exit_error; 1135 + } 1136 + } 1137 + } 1349 1138 hdev->stat.byte_tx += skb->len; 1350 1139 kfree_skb(skb); 1351 1140 ··· 1387 1128 data->hdev = NULL; 1388 1129 } 1389 1130 1390 - static int btintel_pcie_setup(struct hci_dev *hdev) 1131 + static int btintel_pcie_setup_internal(struct hci_dev *hdev) 1391 1132 { 1392 1133 const u8 param[1] = { 0xFF }; 1393 1134 struct intel_version_tlv ver_tlv; ··· 1475 1216 exit_error: 1476 1217 kfree_skb(skb); 1477 1218 1219 + return err; 1220 + } 1221 + 1222 + static int btintel_pcie_setup(struct hci_dev *hdev) 1223 + { 1224 + int err, fw_dl_retry = 0; 1225 + struct btintel_pcie_data *data = hci_get_drvdata(hdev); 1226 + 1227 + while ((err = btintel_pcie_setup_internal(hdev)) && fw_dl_retry++ < 1) { 1228 + bt_dev_err(hdev, "Firmware download retry count: %d", 1229 + fw_dl_retry); 1230 + err = btintel_pcie_reset_bt(data); 1231 + if (err) { 1232 + bt_dev_err(hdev, "Failed to do shr reset: %d", err); 1233 + break; 1234 + } 1235 + usleep_range(10000, 12000); 1236 + btintel_pcie_reset_ia(data); 1237 + btintel_pcie_config_msix(data); 1238 + err = btintel_pcie_enable_bt(data); 1239 + if (err) { 1240 + bt_dev_err(hdev, "Failed to enable hardware: %d", err); 1241 + break; 1242 + } 1243 + btintel_pcie_start_rx(data); 1244 + } 1478 1245 return err; 1479 1246 } 1480 1247

+17 -1

drivers/bluetooth/btintel_pcie.h

··· 12 12 #define BTINTEL_PCIE_CSR_HW_REV_REG (BTINTEL_PCIE_CSR_BASE + 0x028) 13 13 #define BTINTEL_PCIE_CSR_RF_ID_REG (BTINTEL_PCIE_CSR_BASE + 0x09C) 14 14 #define BTINTEL_PCIE_CSR_BOOT_STAGE_REG (BTINTEL_PCIE_CSR_BASE + 0x108) 15 + #define BTINTEL_PCIE_CSR_IPC_SLEEP_CTL_REG (BTINTEL_PCIE_CSR_BASE + 0x114) 15 16 #define BTINTEL_PCIE_CSR_CI_ADDR_LSB_REG (BTINTEL_PCIE_CSR_BASE + 0x118) 16 17 #define BTINTEL_PCIE_CSR_CI_ADDR_MSB_REG (BTINTEL_PCIE_CSR_BASE + 0x11C) 17 18 #define BTINTEL_PCIE_CSR_IMG_RESPONSE_REG (BTINTEL_PCIE_CSR_BASE + 0x12C) ··· 23 22 #define BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT (BIT(6)) 24 23 #define BTINTEL_PCIE_CSR_FUNC_CTRL_FUNC_INIT (BIT(7)) 25 24 #define BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_ACCESS_STS (BIT(20)) 25 + #define BTINTEL_PCIE_CSR_FUNC_CTRL_BUS_MASTER_STS (BIT(28)) 26 + #define BTINTEL_PCIE_CSR_FUNC_CTRL_BUS_MASTER_DISCON (BIT(29)) 26 27 #define BTINTEL_PCIE_CSR_FUNC_CTRL_SW_RESET (BIT(31)) 27 28 28 29 /* Value for BTINTEL_PCIE_CSR_BOOT_STAGE register */ ··· 35 32 #define BTINTEL_PCIE_CSR_BOOT_STAGE_IML_LOCKDOWN (BIT(11)) 36 33 #define BTINTEL_PCIE_CSR_BOOT_STAGE_MAC_ACCESS_ON (BIT(16)) 37 34 #define BTINTEL_PCIE_CSR_BOOT_STAGE_ALIVE (BIT(23)) 35 + #define BTINTEL_PCIE_CSR_BOOT_STAGE_D3_STATE_READY (BIT(24)) 38 36 39 37 /* Registers for MSI-X */ 40 38 #define BTINTEL_PCIE_CSR_MSIX_BASE (0x2000) ··· 59 55 BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP0 = BIT(0), /* cause 32 */ 60 56 }; 61 57 58 + /* PCIe device states 59 + * Host-Device interface is active 60 + * Host-Device interface is inactive(as reflected by IPC_SLEEP_CONTROL_CSR_AD) 61 + * Host-Device interface is inactive(as reflected by IPC_SLEEP_CONTROL_CSR_AD) 62 + */ 63 + enum { 64 + BTINTEL_PCIE_STATE_D0 = 0, 65 + BTINTEL_PCIE_STATE_D3_HOT = 2, 66 + BTINTEL_PCIE_STATE_D3_COLD = 3, 67 + }; 62 68 #define BTINTEL_PCIE_MSIX_NON_AUTO_CLEAR_CAUSE BIT(7) 63 69 64 70 /* Minimum and Maximum number of MSI-X Vector ··· 81 67 #define BTINTEL_DEFAULT_MAC_ACCESS_TIMEOUT_US 200000 82 68 83 69 /* Default interrupt timeout in msec */ 84 - #define BTINTEL_DEFAULT_INTR_TIMEOUT 3000 70 + #define BTINTEL_DEFAULT_INTR_TIMEOUT_MS 3000 85 71 86 72 /* The number of descriptors in TX/RX queues */ 87 73 #define BTINTEL_DESCS_COUNT 16 ··· 357 343 * @ia: Index Array struct 358 344 * @txq: TX Queue struct 359 345 * @rxq: RX Queue struct 346 + * @alive_intr_ctxt: Alive interrupt context 360 347 */ 361 348 struct btintel_pcie_data { 362 349 struct pci_dev *pdev; ··· 404 389 struct ia ia; 405 390 struct txq txq; 406 391 struct rxq rxq; 392 + u32 alive_intr_ctxt; 407 393 }; 408 394 409 395 static inline u32 btintel_pcie_rd_reg32(struct btintel_pcie_data *data,

+1 -2

drivers/bluetooth/btmtk.c

··· 324 324 wmt_params.data = NULL; 325 325 wmt_params.status = NULL; 326 326 327 - /* Activate funciton the firmware providing to */ 327 + /* Activate function the firmware providing to */ 328 328 err = wmt_cmd_sync(hdev, &wmt_params); 329 329 if (err < 0) { 330 330 bt_dev_err(hdev, "Failed to send wmt rst (%d)", err); ··· 1215 1215 struct sk_buff *skb; 1216 1216 int err; 1217 1217 1218 - init_usb_anchor(&btmtk_data->isopkt_anchor); 1219 1218 spin_lock_init(&btmtk_data->isorxlock); 1220 1219 1221 1220 __set_mtk_intr_interface(hdev);

+17 -4

drivers/bluetooth/btmtksdio.c

··· 681 681 if (err < 0) 682 682 goto err_release_irq; 683 683 684 - /* Explitly set write-1-clear method */ 684 + /* Explicitly set write-1-clear method */ 685 685 val = sdio_readl(bdev->func, MTK_REG_CHCR, &err); 686 686 if (err < 0) 687 687 goto err_release_irq; ··· 1328 1328 { 1329 1329 struct btmtksdio_dev *bdev; 1330 1330 struct hci_dev *hdev; 1331 + struct device_node *old_node; 1332 + bool restore_node; 1331 1333 int err; 1332 1334 1333 1335 bdev = devm_kzalloc(&func->dev, sizeof(*bdev), GFP_KERNEL); ··· 1398 1396 if (pm_runtime_enabled(bdev->dev)) 1399 1397 pm_runtime_disable(bdev->dev); 1400 1398 1401 - /* As explaination in drivers/mmc/core/sdio_bus.c tells us: 1399 + /* As explanation in drivers/mmc/core/sdio_bus.c tells us: 1402 1400 * Unbound SDIO functions are always suspended. 1403 1401 * During probe, the function is set active and the usage count 1404 1402 * is incremented. If the driver supports runtime PM, ··· 1413 1411 if (err) 1414 1412 bt_dev_err(hdev, "failed to initialize device wakeup"); 1415 1413 1416 - bdev->dev->of_node = of_find_compatible_node(NULL, NULL, 1417 - "mediatek,mt7921s-bluetooth"); 1414 + restore_node = false; 1415 + if (!of_device_is_compatible(bdev->dev->of_node, "mediatek,mt7921s-bluetooth")) { 1416 + restore_node = true; 1417 + old_node = bdev->dev->of_node; 1418 + bdev->dev->of_node = of_find_compatible_node(NULL, NULL, 1419 + "mediatek,mt7921s-bluetooth"); 1420 + } 1421 + 1418 1422 bdev->reset = devm_gpiod_get_optional(bdev->dev, "reset", 1419 1423 GPIOD_OUT_LOW); 1420 1424 if (IS_ERR(bdev->reset)) 1421 1425 err = PTR_ERR(bdev->reset); 1426 + 1427 + if (restore_node) { 1428 + of_node_put(bdev->dev->of_node); 1429 + bdev->dev->of_node = old_node; 1430 + } 1422 1431 1423 1432 return err; 1424 1433 }

+1 -1

drivers/bluetooth/btmtkuart.c

··· 327 327 if (count <= 0) 328 328 return NULL; 329 329 330 - /* Tranlate to how much the size of data H4 can handle so far */ 330 + /* Translate to how much the size of data H4 can handle so far */ 331 331 *sz_h4 = min_t(int, count, bdev->stp_dlen); 332 332 333 333 /* Update the remaining size of STP packet */

+65 -16

drivers/bluetooth/btnxpuart.c

··· 16 16 #include <linux/crc8.h> 17 17 #include <linux/crc32.h> 18 18 #include <linux/string_helpers.h> 19 + #include <linux/gpio/consumer.h> 19 20 20 21 #include <net/bluetooth/bluetooth.h> 21 22 #include <net/bluetooth/hci_core.h> ··· 35 34 /* NXP HW err codes */ 36 35 #define BTNXPUART_IR_HW_ERR 0xb0 37 36 38 - #define FIRMWARE_W8987 "uart8987_bt_v0.bin" 37 + #define FIRMWARE_W8987 "uart8987_bt.bin" 39 38 #define FIRMWARE_W8987_OLD "uartuart8987_bt.bin" 40 39 #define FIRMWARE_W8997 "uart8997_bt_v4.bin" 41 40 #define FIRMWARE_W8997_OLD "uartuart8997_bt_v4.bin" 42 41 #define FIRMWARE_W9098 "uart9098_bt_v1.bin" 43 42 #define FIRMWARE_W9098_OLD "uartuart9098_bt_v1.bin" 44 - #define FIRMWARE_IW416 "uartiw416_bt_v0.bin" 43 + #define FIRMWARE_IW416 "uartiw416_bt.bin" 44 + #define FIRMWARE_IW416_OLD "uartiw416_bt_v0.bin" 45 45 #define FIRMWARE_IW612 "uartspi_n61x_v1.bin.se" 46 - #define FIRMWARE_IW615 "uartspi_iw610_v0.bin" 47 - #define FIRMWARE_SECURE_IW615 "uartspi_iw610_v0.bin.se" 46 + #define FIRMWARE_IW610 "uartspi_iw610.bin" 47 + #define FIRMWARE_SECURE_IW610 "uartspi_iw610.bin.se" 48 48 #define FIRMWARE_IW624 "uartiw624_bt.bin" 49 49 #define FIRMWARE_SECURE_IW624 "uartiw624_bt.bin.se" 50 50 #define FIRMWARE_AW693 "uartaw693_bt.bin" ··· 61 59 #define CHIP_ID_IW624c 0x8001 62 60 #define CHIP_ID_AW693a0 0x8200 63 61 #define CHIP_ID_AW693a1 0x8201 64 - #define CHIP_ID_IW615a0 0x8800 65 - #define CHIP_ID_IW615a1 0x8801 62 + #define CHIP_ID_IW610a0 0x8800 63 + #define CHIP_ID_IW610a1 0x8801 66 64 67 65 #define FW_SECURE_MASK 0xc0 68 66 #define FW_OPEN 0x00 ··· 83 81 #define WAKEUP_METHOD_BREAK 1 84 82 #define WAKEUP_METHOD_EXT_BREAK 2 85 83 #define WAKEUP_METHOD_RTS 3 84 + #define WAKEUP_METHOD_GPIO 4 86 85 #define WAKEUP_METHOD_INVALID 0xff 87 86 88 87 /* power save mode status */ ··· 137 134 bool driver_sent_cmd; 138 135 u16 h2c_ps_interval; 139 136 u16 c2h_ps_interval; 137 + struct gpio_desc *h2c_ps_gpio; 140 138 struct hci_dev *hdev; 141 139 struct work_struct work; 142 140 struct timer_list ps_timer; ··· 368 364 { 369 365 struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev); 370 366 struct ps_data *psdata = &nxpdev->psdata; 371 - int status; 367 + int status = 0; 372 368 373 369 if (psdata->ps_state == ps_state || 374 370 !test_bit(BTNXPUART_SERDEV_OPEN, &nxpdev->tx_state)) ··· 376 372 377 373 mutex_lock(&psdata->ps_lock); 378 374 switch (psdata->cur_h2c_wakeupmode) { 375 + case WAKEUP_METHOD_GPIO: 376 + if (ps_state == PS_STATE_AWAKE) 377 + gpiod_set_value_cansleep(psdata->h2c_ps_gpio, 0); 378 + else 379 + gpiod_set_value_cansleep(psdata->h2c_ps_gpio, 1); 380 + bt_dev_dbg(hdev, "Set h2c_ps_gpio: %s", 381 + str_high_low(ps_state == PS_STATE_SLEEP)); 382 + break; 379 383 case WAKEUP_METHOD_DTR: 380 384 if (ps_state == PS_STATE_AWAKE) 381 385 status = serdev_device_set_tiocm(nxpdev->serdev, TIOCM_DTR, 0); ··· 433 421 } 434 422 } 435 423 436 - static void ps_setup(struct hci_dev *hdev) 424 + static int ps_setup(struct hci_dev *hdev) 437 425 { 438 426 struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev); 427 + struct serdev_device *serdev = nxpdev->serdev; 439 428 struct ps_data *psdata = &nxpdev->psdata; 429 + 430 + psdata->h2c_ps_gpio = devm_gpiod_get_optional(&serdev->dev, "device-wakeup", 431 + GPIOD_OUT_LOW); 432 + if (IS_ERR(psdata->h2c_ps_gpio)) { 433 + bt_dev_err(hdev, "Error fetching device-wakeup-gpios: %ld", 434 + PTR_ERR(psdata->h2c_ps_gpio)); 435 + return PTR_ERR(psdata->h2c_ps_gpio); 436 + } 437 + 438 + if (!psdata->h2c_ps_gpio) 439 + psdata->h2c_wakeup_gpio = 0xff; 440 440 441 441 psdata->hdev = hdev; 442 442 INIT_WORK(&psdata->work, ps_work_func); 443 443 mutex_init(&psdata->ps_lock); 444 444 timer_setup(&psdata->ps_timer, ps_timeout_func, 0); 445 + 446 + return 0; 445 447 } 446 448 447 449 static bool ps_wakeup(struct btnxpuart_dev *nxpdev) ··· 541 515 pcmd.c2h_wakeupmode = psdata->c2h_wakeupmode; 542 516 pcmd.c2h_wakeup_gpio = psdata->c2h_wakeup_gpio; 543 517 switch (psdata->h2c_wakeupmode) { 518 + case WAKEUP_METHOD_GPIO: 519 + pcmd.h2c_wakeupmode = BT_CTRL_WAKEUP_METHOD_GPIO; 520 + break; 544 521 case WAKEUP_METHOD_DTR: 545 522 pcmd.h2c_wakeupmode = BT_CTRL_WAKEUP_METHOD_DSR; 546 523 break; ··· 578 549 { 579 550 struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev); 580 551 struct ps_data *psdata = &nxpdev->psdata; 552 + u8 default_h2c_wakeup_mode = DEFAULT_H2C_WAKEUP_MODE; 581 553 582 554 serdev_device_set_tiocm(nxpdev->serdev, 0, TIOCM_RTS); 583 555 usleep_range(5000, 10000); ··· 590 560 psdata->c2h_wakeup_gpio = 0xff; 591 561 592 562 psdata->cur_h2c_wakeupmode = WAKEUP_METHOD_INVALID; 563 + if (psdata->h2c_ps_gpio) 564 + default_h2c_wakeup_mode = WAKEUP_METHOD_GPIO; 565 + 593 566 psdata->h2c_ps_interval = PS_DEFAULT_TIMEOUT_PERIOD_MS; 594 - switch (DEFAULT_H2C_WAKEUP_MODE) { 567 + 568 + switch (default_h2c_wakeup_mode) { 569 + case WAKEUP_METHOD_GPIO: 570 + psdata->h2c_wakeupmode = WAKEUP_METHOD_GPIO; 571 + gpiod_set_value_cansleep(psdata->h2c_ps_gpio, 0); 572 + usleep_range(5000, 10000); 573 + break; 595 574 case WAKEUP_METHOD_DTR: 596 575 psdata->h2c_wakeupmode = WAKEUP_METHOD_DTR; 597 576 serdev_device_set_tiocm(nxpdev->serdev, 0, TIOCM_DTR); ··· 985 946 else 986 947 bt_dev_err(hdev, "Illegal loader version %02x", loader_ver); 987 948 break; 988 - case CHIP_ID_IW615a0: 989 - case CHIP_ID_IW615a1: 949 + case CHIP_ID_IW610a0: 950 + case CHIP_ID_IW610a1: 990 951 if ((loader_ver & FW_SECURE_MASK) == FW_OPEN) 991 - fw_name = FIRMWARE_IW615; 952 + fw_name = FIRMWARE_IW610; 992 953 else if ((loader_ver & FW_SECURE_MASK) != FW_AUTH_ILLEGAL) 993 - fw_name = FIRMWARE_SECURE_IW615; 954 + fw_name = FIRMWARE_SECURE_IW610; 994 955 else 995 956 bt_dev_err(hdev, "Illegal loader version %02x", loader_ver); 996 957 break; ··· 1009 970 switch (chipid) { 1010 971 case CHIP_ID_W9098: 1011 972 fw_name_old = FIRMWARE_W9098_OLD; 973 + break; 974 + case CHIP_ID_IW416: 975 + fw_name_old = FIRMWARE_IW416_OLD; 1012 976 break; 1013 977 } 1014 978 return fw_name_old; ··· 1317 1275 psdata->c2h_wakeup_gpio = wakeup_parm.c2h_wakeup_gpio; 1318 1276 psdata->h2c_wakeup_gpio = wakeup_parm.h2c_wakeup_gpio; 1319 1277 switch (wakeup_parm.h2c_wakeupmode) { 1278 + case BT_CTRL_WAKEUP_METHOD_GPIO: 1279 + psdata->h2c_wakeupmode = WAKEUP_METHOD_GPIO; 1280 + break; 1320 1281 case BT_CTRL_WAKEUP_METHOD_DSR: 1321 1282 psdata->h2c_wakeupmode = WAKEUP_METHOD_DTR; 1322 1283 break; ··· 1550 1505 1551 1506 if (hci_register_dev(hdev) < 0) { 1552 1507 dev_err(&serdev->dev, "Can't register HCI device\n"); 1553 - hci_free_dev(hdev); 1554 - return -ENODEV; 1508 + goto probe_fail; 1555 1509 } 1556 1510 1557 - ps_setup(hdev); 1511 + if (ps_setup(hdev)) 1512 + goto probe_fail; 1558 1513 1559 1514 return 0; 1515 + 1516 + probe_fail: 1517 + hci_free_dev(hdev); 1518 + return -ENODEV; 1560 1519 } 1561 1520 1562 1521 static void nxp_serdev_remove(struct serdev_device *serdev)

+1 -1

drivers/bluetooth/btrtl.c

··· 1371 1371 /* According to the vendor driver, BT must be reset on close to avoid 1372 1372 * firmware crash. 1373 1373 */ 1374 - skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 1374 + skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_CMD_TIMEOUT); 1375 1375 if (IS_ERR(skb)) { 1376 1376 ret = PTR_ERR(skb); 1377 1377 bt_dev_err(hdev, "HCI reset during shutdown failed");

+63 -13

drivers/bluetooth/btusb.c

··· 371 371 /* QCA WCN785x chipset */ 372 372 { USB_DEVICE(0x0cf3, 0xe700), .driver_info = BTUSB_QCA_WCN6855 | 373 373 BTUSB_WIDEBAND_SPEECH }, 374 + { USB_DEVICE(0x0489, 0xe0fc), .driver_info = BTUSB_QCA_WCN6855 | 375 + BTUSB_WIDEBAND_SPEECH }, 376 + { USB_DEVICE(0x0489, 0xe0f3), .driver_info = BTUSB_QCA_WCN6855 | 377 + BTUSB_WIDEBAND_SPEECH }, 378 + { USB_DEVICE(0x13d3, 0x3623), .driver_info = BTUSB_QCA_WCN6855 | 379 + BTUSB_WIDEBAND_SPEECH }, 374 380 375 381 /* Broadcom BCM2035 */ 376 382 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, ··· 530 524 BTUSB_WIDEBAND_SPEECH }, 531 525 { USB_DEVICE(0x13d3, 0x3591), .driver_info = BTUSB_REALTEK | 532 526 BTUSB_WIDEBAND_SPEECH }, 527 + { USB_DEVICE(0x0489, 0xe123), .driver_info = BTUSB_REALTEK | 528 + BTUSB_WIDEBAND_SPEECH }, 533 529 { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK | 534 530 BTUSB_WIDEBAND_SPEECH }, 535 531 ··· 569 561 570 562 /* Additional MediaTek MT7668 Bluetooth devices */ 571 563 { USB_DEVICE(0x043e, 0x3109), .driver_info = BTUSB_MEDIATEK | 564 + BTUSB_WIDEBAND_SPEECH }, 565 + 566 + /* Additional MediaTek MT7920 Bluetooth devices */ 567 + { USB_DEVICE(0x0489, 0xe134), .driver_info = BTUSB_MEDIATEK | 568 + BTUSB_WIDEBAND_SPEECH }, 569 + { USB_DEVICE(0x13d3, 0x3620), .driver_info = BTUSB_MEDIATEK | 570 + BTUSB_WIDEBAND_SPEECH }, 571 + { USB_DEVICE(0x13d3, 0x3621), .driver_info = BTUSB_MEDIATEK | 572 + BTUSB_WIDEBAND_SPEECH }, 573 + { USB_DEVICE(0x13d3, 0x3622), .driver_info = BTUSB_MEDIATEK | 572 574 BTUSB_WIDEBAND_SPEECH }, 573 575 574 576 /* Additional MediaTek MT7921 Bluetooth devices */ ··· 648 630 BTUSB_WIDEBAND_SPEECH }, 649 631 650 632 /* Additional MediaTek MT7925 Bluetooth devices */ 633 + { USB_DEVICE(0x0489, 0xe111), .driver_info = BTUSB_MEDIATEK | 634 + BTUSB_WIDEBAND_SPEECH }, 651 635 { USB_DEVICE(0x0489, 0xe113), .driver_info = BTUSB_MEDIATEK | 652 636 BTUSB_WIDEBAND_SPEECH }, 653 637 { USB_DEVICE(0x0489, 0xe118), .driver_info = BTUSB_MEDIATEK | 654 638 BTUSB_WIDEBAND_SPEECH }, 655 639 { USB_DEVICE(0x0489, 0xe11e), .driver_info = BTUSB_MEDIATEK | 640 + BTUSB_WIDEBAND_SPEECH }, 641 + { USB_DEVICE(0x0489, 0xe124), .driver_info = BTUSB_MEDIATEK | 642 + BTUSB_WIDEBAND_SPEECH }, 643 + { USB_DEVICE(0x0489, 0xe139), .driver_info = BTUSB_MEDIATEK | 644 + BTUSB_WIDEBAND_SPEECH }, 645 + { USB_DEVICE(0x0489, 0xe14f), .driver_info = BTUSB_MEDIATEK | 646 + BTUSB_WIDEBAND_SPEECH }, 647 + { USB_DEVICE(0x0489, 0xe150), .driver_info = BTUSB_MEDIATEK | 648 + BTUSB_WIDEBAND_SPEECH }, 649 + { USB_DEVICE(0x0489, 0xe151), .driver_info = BTUSB_MEDIATEK | 656 650 BTUSB_WIDEBAND_SPEECH }, 657 651 { USB_DEVICE(0x13d3, 0x3602), .driver_info = BTUSB_MEDIATEK | 658 652 BTUSB_WIDEBAND_SPEECH }, ··· 876 846 877 847 int (*suspend)(struct hci_dev *hdev); 878 848 int (*resume)(struct hci_dev *hdev); 849 + int (*disconnect)(struct hci_dev *hdev); 879 850 880 851 int oob_wake_irq; /* irq for out-of-band wake-on-bt */ 881 852 unsigned cmd_timeout_cnt; ··· 1092 1061 static int btusb_recv_event(struct btusb_data *data, struct sk_buff *skb) 1093 1062 { 1094 1063 if (data->intr_interval) { 1095 - /* Trigger dequeue immediatelly if an event is received */ 1064 + /* Trigger dequeue immediately if an event is received */ 1096 1065 schedule_delayed_work(&data->rx_work, 0); 1097 1066 } 1098 1067 ··· 2647 2616 } 2648 2617 2649 2618 set_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags); 2619 + init_usb_anchor(&btmtk_data->isopkt_anchor); 2650 2620 } 2651 2621 2652 - static void btusb_mtk_release_iso_intf(struct btusb_data *data) 2622 + static void btusb_mtk_release_iso_intf(struct hci_dev *hdev) 2653 2623 { 2654 - struct btmtk_data *btmtk_data = hci_get_priv(data->hdev); 2624 + struct btmtk_data *btmtk_data = hci_get_priv(hdev); 2655 2625 2656 - if (btmtk_data->isopkt_intf) { 2626 + if (test_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags)) { 2657 2627 usb_kill_anchored_urbs(&btmtk_data->isopkt_anchor); 2658 2628 clear_bit(BTMTK_ISOPKT_RUNNING, &btmtk_data->flags); 2659 2629 ··· 2666 2634 } 2667 2635 2668 2636 clear_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags); 2637 + } 2638 + 2639 + static int btusb_mtk_disconnect(struct hci_dev *hdev) 2640 + { 2641 + /* This function describes the specific additional steps taken by MediaTek 2642 + * when Bluetooth usb driver's resume function is called. 2643 + */ 2644 + btusb_mtk_release_iso_intf(hdev); 2645 + 2646 + return 0; 2669 2647 } 2670 2648 2671 2649 static int btusb_mtk_reset(struct hci_dev *hdev, void *rst_data) ··· 2694 2652 if (err < 0) 2695 2653 return err; 2696 2654 2697 - if (test_bit(BTMTK_ISOPKT_RUNNING, &btmtk_data->flags)) 2698 - btusb_mtk_release_iso_intf(data); 2655 + /* Release MediaTek ISO data interface */ 2656 + btusb_mtk_release_iso_intf(hdev); 2699 2657 2700 2658 btusb_stop_traffic(data); 2701 2659 usb_kill_anchored_urbs(&data->tx_anchor); ··· 2740 2698 btmtk_data->reset_sync = btusb_mtk_reset; 2741 2699 2742 2700 /* Claim ISO data interface and endpoint */ 2743 - btmtk_data->isopkt_intf = usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM); 2744 - if (btmtk_data->isopkt_intf) 2701 + if (!test_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags)) { 2702 + btmtk_data->isopkt_intf = usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM); 2745 2703 btusb_mtk_claim_iso_intf(data); 2704 + } 2746 2705 2747 2706 return btmtk_usb_setup(hdev); 2748 2707 } 2749 2708 2750 2709 static int btusb_mtk_shutdown(struct hci_dev *hdev) 2751 2710 { 2752 - struct btusb_data *data = hci_get_drvdata(hdev); 2753 - struct btmtk_data *btmtk_data = hci_get_priv(hdev); 2711 + int ret; 2754 2712 2755 - if (test_bit(BTMTK_ISOPKT_RUNNING, &btmtk_data->flags)) 2756 - btusb_mtk_release_iso_intf(data); 2713 + ret = btmtk_usb_shutdown(hdev); 2757 2714 2758 - return btmtk_usb_shutdown(hdev); 2715 + /* Release MediaTek iso interface after shutdown */ 2716 + btusb_mtk_release_iso_intf(hdev); 2717 + 2718 + return ret; 2759 2719 } 2760 2720 2761 2721 #ifdef CONFIG_PM ··· 3869 3825 data->recv_acl = btmtk_usb_recv_acl; 3870 3826 data->suspend = btmtk_usb_suspend; 3871 3827 data->resume = btmtk_usb_resume; 3828 + data->disconnect = btusb_mtk_disconnect; 3872 3829 } 3873 3830 3874 3831 if (id->driver_info & BTUSB_SWAVE) { ··· 3941 3896 set_bit(HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT, &hdev->quirks); 3942 3897 set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks); 3943 3898 set_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &hdev->quirks); 3899 + set_bit(HCI_QUIRK_BROKEN_EXT_CREATE_CONN, &hdev->quirks); 3900 + set_bit(HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT, &hdev->quirks); 3944 3901 } 3945 3902 3946 3903 if (!reset) ··· 4059 4012 4060 4013 if (data->diag) 4061 4014 usb_set_intfdata(data->diag, NULL); 4015 + 4016 + if (data->disconnect) 4017 + data->disconnect(hdev); 4062 4018 4063 4019 hci_unregister_dev(hdev); 4064 4020

+8 -17

drivers/bluetooth/hci_bcm.c

··· 1068 1068 struct clk *clk; 1069 1069 1070 1070 /* New explicit name */ 1071 - clk = devm_clk_get(dev, "txco"); 1072 - if (!IS_ERR(clk) || PTR_ERR(clk) == -EPROBE_DEFER) 1071 + clk = devm_clk_get_optional(dev, "txco"); 1072 + if (clk) 1073 1073 return clk; 1074 1074 1075 1075 /* Deprecated name */ 1076 - clk = devm_clk_get(dev, "extclk"); 1077 - if (!IS_ERR(clk) || PTR_ERR(clk) == -EPROBE_DEFER) 1076 + clk = devm_clk_get_optional(dev, "extclk"); 1077 + if (clk) 1078 1078 return clk; 1079 1079 1080 1080 /* Original code used no name at all */ 1081 - return devm_clk_get(dev, NULL); 1081 + return devm_clk_get_optional(dev, NULL); 1082 1082 } 1083 1083 1084 1084 static int bcm_get_resources(struct bcm_device *dev) ··· 1093 1093 return 0; 1094 1094 1095 1095 dev->txco_clk = bcm_get_txco(dev->dev); 1096 - 1097 - /* Handle deferred probing */ 1098 - if (dev->txco_clk == ERR_PTR(-EPROBE_DEFER)) 1096 + if (IS_ERR(dev->txco_clk)) 1099 1097 return PTR_ERR(dev->txco_clk); 1100 1098 1101 - /* Ignore all other errors as before */ 1102 - if (IS_ERR(dev->txco_clk)) 1103 - dev->txco_clk = NULL; 1104 - 1105 - dev->lpo_clk = devm_clk_get(dev->dev, "lpo"); 1106 - if (dev->lpo_clk == ERR_PTR(-EPROBE_DEFER)) 1107 - return PTR_ERR(dev->lpo_clk); 1108 - 1099 + dev->lpo_clk = devm_clk_get_optional(dev->dev, "lpo"); 1109 1100 if (IS_ERR(dev->lpo_clk)) 1110 - dev->lpo_clk = NULL; 1101 + return PTR_ERR(dev->lpo_clk); 1111 1102 1112 1103 /* Check if we accidentally fetched the lpo clock twice */ 1113 1104 if (dev->lpo_clk && clk_is_match(dev->lpo_clk, dev->txco_clk)) {

+1 -1

drivers/bluetooth/hci_ldisc.c

··· 594 594 * Called by tty low level driver when receive data is 595 595 * available. 596 596 * 597 - * Arguments: tty pointer to tty isntance data 597 + * Arguments: tty pointer to tty instance data 598 598 * data pointer to received data 599 599 * flags pointer to flags for data 600 600 * count count of received data in bytes

+1 -1

drivers/bluetooth/hci_ll.c

··· 305 305 hci_uart_tx_wakeup(hu); 306 306 } 307 307 308 - /* Enqueue frame for transmittion (padding, crc, etc) */ 308 + /* Enqueue frame for transmission (padding, crc, etc) */ 309 309 /* may be called from two simultaneous tasklets */ 310 310 static int ll_enqueue(struct hci_uart *hu, struct sk_buff *skb) 311 311 {

+1 -1

drivers/bluetooth/hci_nokia.c

··· 501 501 return 0; 502 502 } 503 503 504 - /* Enqueue frame for transmittion (padding, crc, etc) */ 504 + /* Enqueue frame for transmission (padding, crc, etc) */ 505 505 static int nokia_enqueue(struct hci_uart *hu, struct sk_buff *skb) 506 506 { 507 507 struct nokia_bt_dev *btdev = hu->priv;

+6 -26

drivers/bluetooth/hci_qca.c

··· 873 873 hci_uart_tx_wakeup(hu); 874 874 } 875 875 876 - /* Enqueue frame for transmittion (padding, crc, etc) may be called from 876 + /* Enqueue frame for transmission (padding, crc, etc) may be called from 877 877 * two simultaneous tasklets. 878 878 */ 879 879 static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb) ··· 1059 1059 if (!seq_no) { 1060 1060 1061 1061 /* This is the first frame of memdump packet from 1062 - * the controller, Disable IBS to recevie dump 1062 + * the controller, Disable IBS to receive dump 1063 1063 * with out any interruption, ideally time required for 1064 1064 * the controller to send the dump is 8 seconds. let us 1065 1065 * start timer to handle this asynchronous activity. ··· 2294 2294 return 0; 2295 2295 } 2296 2296 2297 - static void qca_clk_disable_unprepare(void *data) 2298 - { 2299 - struct clk *clk = data; 2300 - 2301 - clk_disable_unprepare(clk); 2302 - } 2303 - 2304 2297 static int qca_serdev_probe(struct serdev_device *serdev) 2305 2298 { 2306 2299 struct qca_serdev *qcadev; ··· 2351 2358 * Backward compatibility with old DT sources. If the 2352 2359 * node doesn't have the 'enable-gpios' property then 2353 2360 * let's use the power sequencer. Otherwise, let's 2354 - * drive everything outselves. 2361 + * drive everything ourselves. 2355 2362 */ 2356 2363 qcadev->bt_power->pwrseq = devm_pwrseq_get(&serdev->dev, 2357 2364 "bluetooth"); ··· 2426 2433 if (!qcadev->bt_en) 2427 2434 power_ctrl_enabled = false; 2428 2435 2429 - qcadev->susclk = devm_clk_get_optional(&serdev->dev, NULL); 2436 + qcadev->susclk = devm_clk_get_optional_enabled_with_rate( 2437 + &serdev->dev, NULL, SUSCLK_RATE_32KHZ); 2430 2438 if (IS_ERR(qcadev->susclk)) { 2431 2439 dev_warn(&serdev->dev, "failed to acquire clk\n"); 2432 2440 return PTR_ERR(qcadev->susclk); 2433 2441 } 2434 - err = clk_set_rate(qcadev->susclk, SUSCLK_RATE_32KHZ); 2435 - if (err) 2436 - return err; 2437 - 2438 - err = clk_prepare_enable(qcadev->susclk); 2439 - if (err) 2440 - return err; 2441 - 2442 - err = devm_add_action_or_reset(&serdev->dev, 2443 - qca_clk_disable_unprepare, 2444 - qcadev->susclk); 2445 - if (err) 2446 - return err; 2447 - 2448 2442 } 2449 2443 2450 2444 err = hci_uart_register_device(&qcadev->serdev_hu, &qca_proto); ··· 2510 2530 hci_dev_test_flag(hdev, HCI_SETUP)) 2511 2531 return; 2512 2532 2513 - /* The serdev must be in open state when conrol logic arrives 2533 + /* The serdev must be in open state when control logic arrives 2514 2534 * here, so also fix the use-after-free issue caused by that 2515 2535 * the serdev is flushed or wrote after it is closed. 2516 2536 */

+18 -1

include/net/bluetooth/hci.h

··· 1 1 /* 2 2 BlueZ - Bluetooth protocol stack for Linux 3 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 - Copyright 2023 NXP 4 + Copyright 2023-2024 NXP 5 5 6 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 7 ··· 29 29 #define HCI_MAX_ACL_SIZE 1024 30 30 #define HCI_MAX_SCO_SIZE 255 31 31 #define HCI_MAX_ISO_SIZE 251 32 + #define HCI_MAX_ISO_BIS 31 32 33 #define HCI_MAX_EVENT_SIZE 260 33 34 #define HCI_MAX_FRAME_SIZE (HCI_MAX_ACL_SIZE + 4) 34 35 ··· 68 67 #define HCI_I2C 8 69 68 #define HCI_SMD 9 70 69 #define HCI_VIRTIO 10 70 + #define HCI_IPC 11 71 71 72 72 /* HCI device quirks */ 73 73 enum { ··· 301 299 * to support it. 302 300 */ 303 301 HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT, 302 + 303 + /* 304 + * When this quirk is set, the HCI_OP_LE_EXT_CREATE_CONN command is 305 + * disabled. This is required for the Actions Semiconductor ATS2851 306 + * based controllers, which erroneously claims to support it. 307 + */ 308 + HCI_QUIRK_BROKEN_EXT_CREATE_CONN, 309 + 310 + /* 311 + * When this quirk is set, the command WRITE_AUTH_PAYLOAD_TIMEOUT is 312 + * skipped. This is required for the Actions Semiconductor ATS2851 313 + * based controllers, due to a race condition in pairing process. 314 + */ 315 + HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT, 304 316 305 317 /* When this quirk is set, MSFT extension monitor tracking by 306 318 * address filter is supported. Since tracking quantity of each ··· 699 683 #define HCI_RSSI_INVALID 127 700 684 701 685 #define HCI_SYNC_HANDLE_INVALID 0xffff 686 + #define HCI_SID_INVALID 0xff 702 687 703 688 #define HCI_ROLE_MASTER 0x00 704 689 #define HCI_ROLE_SLAVE 0x01

+80 -5

include/net/bluetooth/hci_core.h

··· 668 668 __u8 adv_instance; 669 669 __u16 handle; 670 670 __u16 sync_handle; 671 + __u8 sid; 671 672 __u16 state; 672 673 __u16 mtu; 673 674 __u8 mode; ··· 711 710 __s8 tx_power; 712 711 __s8 max_tx_power; 713 712 struct bt_iso_qos iso_qos; 713 + __u8 num_bis; 714 + __u8 bis[HCI_MAX_ISO_BIS]; 715 + 714 716 unsigned long flags; 715 717 716 718 enum conn_reasons conn_reason; ··· 949 945 HCI_CONN_PER_ADV, 950 946 HCI_CONN_BIG_CREATED, 951 947 HCI_CONN_CREATE_CIS, 948 + HCI_CONN_CREATE_BIG_SYNC, 952 949 HCI_CONN_BIG_SYNC, 953 950 HCI_CONN_BIG_SYNC_FAILED, 951 + HCI_CONN_CREATE_PA_SYNC, 954 952 HCI_CONN_PA_SYNC, 955 953 HCI_CONN_PA_SYNC_FAILED, 956 954 }; ··· 1100 1094 return c; 1101 1095 } 1102 1096 } 1097 + rcu_read_unlock(); 1098 + 1099 + return NULL; 1100 + } 1101 + 1102 + static inline struct hci_conn *hci_conn_hash_lookup_sid(struct hci_dev *hdev, 1103 + __u8 sid, 1104 + bdaddr_t *dst, 1105 + __u8 dst_type) 1106 + { 1107 + struct hci_conn_hash *h = &hdev->conn_hash; 1108 + struct hci_conn *c; 1109 + 1110 + rcu_read_lock(); 1111 + 1112 + list_for_each_entry_rcu(c, &h->list, list) { 1113 + if (c->type != ISO_LINK || bacmp(&c->dst, dst) || 1114 + c->dst_type != dst_type || c->sid != sid) 1115 + continue; 1116 + 1117 + rcu_read_unlock(); 1118 + return c; 1119 + } 1120 + 1103 1121 rcu_read_unlock(); 1104 1122 1105 1123 return NULL; ··· 1285 1255 rcu_read_lock(); 1286 1256 1287 1257 list_for_each_entry_rcu(c, &h->list, list) { 1288 - if (bacmp(&c->dst, BDADDR_ANY) || c->type != ISO_LINK) 1258 + if (c->type != ISO_LINK) 1259 + continue; 1260 + 1261 + /* An ISO_LINK hcon with BDADDR_ANY as destination 1262 + * address is a Broadcast connection. A Broadcast 1263 + * slave connection is associated with a PA train, 1264 + * so the sync_handle can be used to differentiate 1265 + * from unicast. 1266 + */ 1267 + if (bacmp(&c->dst, BDADDR_ANY) && 1268 + c->sync_handle == HCI_SYNC_HANDLE_INVALID) 1289 1269 continue; 1290 1270 1291 1271 if (handle == c->iso_qos.bcast.big) { 1272 + rcu_read_unlock(); 1273 + return c; 1274 + } 1275 + } 1276 + 1277 + rcu_read_unlock(); 1278 + 1279 + return NULL; 1280 + } 1281 + 1282 + static inline struct hci_conn * 1283 + hci_conn_hash_lookup_big_sync_pend(struct hci_dev *hdev, 1284 + __u8 handle, __u8 num_bis) 1285 + { 1286 + struct hci_conn_hash *h = &hdev->conn_hash; 1287 + struct hci_conn *c; 1288 + 1289 + rcu_read_lock(); 1290 + 1291 + list_for_each_entry_rcu(c, &h->list, list) { 1292 + if (c->type != ISO_LINK) 1293 + continue; 1294 + 1295 + if (handle == c->iso_qos.bcast.big && num_bis == c->num_bis) { 1292 1296 rcu_read_unlock(); 1293 1297 return c; 1294 1298 } ··· 1390 1326 1391 1327 list_for_each_entry_rcu(c, &h->list, list) { 1392 1328 if (c->type != ISO_LINK) 1329 + continue; 1330 + 1331 + /* Ignore the listen hcon, we are looking 1332 + * for the child hcon that was created as 1333 + * a result of the PA sync established event. 1334 + */ 1335 + if (c->state == BT_LISTEN) 1393 1336 continue; 1394 1337 1395 1338 if (c->sync_handle == sync_handle) { ··· 1516 1445 void hci_sco_setup(struct hci_conn *conn, __u8 status); 1517 1446 bool hci_iso_setup_path(struct hci_conn *conn); 1518 1447 int hci_le_create_cis_pending(struct hci_dev *hdev); 1448 + int hci_pa_create_sync_pending(struct hci_dev *hdev); 1449 + int hci_le_big_create_sync_pending(struct hci_dev *hdev); 1519 1450 int hci_conn_check_create_cis(struct hci_conn *conn); 1520 1451 1521 1452 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, ··· 1944 1871 !test_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &(dev)->quirks)) 1945 1872 1946 1873 /* Use ext create connection if command is supported */ 1947 - #define use_ext_conn(dev) ((dev)->commands[37] & 0x80) 1948 - 1874 + #define use_ext_conn(dev) (((dev)->commands[37] & 0x80) && \ 1875 + !test_bit(HCI_QUIRK_BROKEN_EXT_CREATE_CONN, &(dev)->quirks)) 1949 1876 /* Extended advertising support */ 1950 1877 #define ext_adv_capable(dev) (((dev)->le_features[1] & HCI_LE_EXT_ADV)) 1951 1878 ··· 1958 1885 * C24: Mandatory if the LE Controller supports Connection State and either 1959 1886 * LE Feature (LL Privacy) or LE Feature (Extended Advertising) is supported 1960 1887 */ 1961 - #define use_enhanced_conn_complete(dev) (ll_privacy_capable(dev) || \ 1962 - ext_adv_capable(dev)) 1888 + #define use_enhanced_conn_complete(dev) ((ll_privacy_capable(dev) || \ 1889 + ext_adv_capable(dev)) && \ 1890 + !test_bit(HCI_QUIRK_BROKEN_EXT_CREATE_CONN, \ 1891 + &(dev)->quirks)) 1963 1892 1964 1893 /* Periodic advertising support */ 1965 1894 #define per_adv_capable(dev) (((dev)->le_features[1] & HCI_LE_PERIODIC_ADV))

+10

include/net/bluetooth/mgmt.h

··· 878 878 } __packed; 879 879 #define MGMT_MESH_SEND_CANCEL_SIZE 1 880 880 881 + #define MGMT_OP_HCI_CMD_SYNC 0x005B 882 + struct mgmt_cp_hci_cmd_sync { 883 + __le16 opcode; 884 + __u8 event; 885 + __u8 timeout; 886 + __le16 params_len; 887 + __u8 params[]; 888 + } __packed; 889 + #define MGMT_HCI_CMD_SYNC_SIZE 6 890 + 881 891 #define MGMT_EV_CMD_COMPLETE 0x0001 882 892 struct mgmt_ev_cmd_complete { 883 893 __le16 opcode;

+171 -65

net/bluetooth/hci_conn.c

··· 952 952 conn->tx_power = HCI_TX_POWER_INVALID; 953 953 conn->max_tx_power = HCI_TX_POWER_INVALID; 954 954 conn->sync_handle = HCI_SYNC_HANDLE_INVALID; 955 + conn->sid = HCI_SID_INVALID; 955 956 956 957 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 957 958 conn->disc_timeout = HCI_DISCONN_TIMEOUT; ··· 1128 1127 1129 1128 hci_conn_unlink(conn); 1130 1129 1131 - cancel_delayed_work_sync(&conn->disc_work); 1132 - cancel_delayed_work_sync(&conn->auto_accept_work); 1133 - cancel_delayed_work_sync(&conn->idle_work); 1130 + disable_delayed_work_sync(&conn->disc_work); 1131 + disable_delayed_work_sync(&conn->auto_accept_work); 1132 + disable_delayed_work_sync(&conn->idle_work); 1134 1133 1135 1134 if (conn->type == ACL_LINK) { 1136 1135 /* Unacked frames */ ··· 2063 2062 2064 2063 static void create_pa_complete(struct hci_dev *hdev, void *data, int err) 2065 2064 { 2066 - struct hci_cp_le_pa_create_sync *cp = data; 2067 - 2068 2065 bt_dev_dbg(hdev, ""); 2069 2066 2070 2067 if (err) 2071 2068 bt_dev_err(hdev, "Unable to create PA: %d", err); 2069 + } 2072 2070 2073 - kfree(cp); 2071 + static bool hci_conn_check_create_pa_sync(struct hci_conn *conn) 2072 + { 2073 + if (conn->type != ISO_LINK || conn->sid == HCI_SID_INVALID) 2074 + return false; 2075 + 2076 + return true; 2074 2077 } 2075 2078 2076 2079 static int create_pa_sync(struct hci_dev *hdev, void *data) 2077 2080 { 2078 - struct hci_cp_le_pa_create_sync *cp = data; 2079 - int err; 2081 + struct hci_cp_le_pa_create_sync cp = {0}; 2082 + struct hci_conn *conn; 2083 + int err = 0; 2080 2084 2081 - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2082 - sizeof(*cp), cp, HCI_CMD_TIMEOUT); 2083 - if (err) { 2084 - hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2085 - return err; 2085 + hci_dev_lock(hdev); 2086 + 2087 + rcu_read_lock(); 2088 + 2089 + /* The spec allows only one pending LE Periodic Advertising Create 2090 + * Sync command at a time. If the command is pending now, don't do 2091 + * anything. We check for pending connections after each PA Sync 2092 + * Established event. 2093 + * 2094 + * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E 2095 + * page 2493: 2096 + * 2097 + * If the Host issues this command when another HCI_LE_Periodic_ 2098 + * Advertising_Create_Sync command is pending, the Controller shall 2099 + * return the error code Command Disallowed (0x0C). 2100 + */ 2101 + list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2102 + if (test_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags)) 2103 + goto unlock; 2086 2104 } 2087 2105 2088 - return hci_update_passive_scan_sync(hdev); 2106 + list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2107 + if (hci_conn_check_create_pa_sync(conn)) { 2108 + struct bt_iso_qos *qos = &conn->iso_qos; 2109 + 2110 + cp.options = qos->bcast.options; 2111 + cp.sid = conn->sid; 2112 + cp.addr_type = conn->dst_type; 2113 + bacpy(&cp.addr, &conn->dst); 2114 + cp.skip = cpu_to_le16(qos->bcast.skip); 2115 + cp.sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2116 + cp.sync_cte_type = qos->bcast.sync_cte_type; 2117 + 2118 + break; 2119 + } 2120 + } 2121 + 2122 + unlock: 2123 + rcu_read_unlock(); 2124 + 2125 + hci_dev_unlock(hdev); 2126 + 2127 + if (bacmp(&cp.addr, BDADDR_ANY)) { 2128 + hci_dev_set_flag(hdev, HCI_PA_SYNC); 2129 + set_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags); 2130 + 2131 + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC, 2132 + sizeof(cp), &cp, HCI_CMD_TIMEOUT); 2133 + if (!err) 2134 + err = hci_update_passive_scan_sync(hdev); 2135 + 2136 + if (err) { 2137 + hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2138 + clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags); 2139 + } 2140 + } 2141 + 2142 + return err; 2143 + } 2144 + 2145 + int hci_pa_create_sync_pending(struct hci_dev *hdev) 2146 + { 2147 + /* Queue start pa_create_sync and scan */ 2148 + return hci_cmd_sync_queue(hdev, create_pa_sync, 2149 + NULL, create_pa_complete); 2089 2150 } 2090 2151 2091 2152 struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, 2092 2153 __u8 dst_type, __u8 sid, 2093 2154 struct bt_iso_qos *qos) 2094 2155 { 2095 - struct hci_cp_le_pa_create_sync *cp; 2096 2156 struct hci_conn *conn; 2097 - int err; 2098 - 2099 - if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) 2100 - return ERR_PTR(-EBUSY); 2101 2157 2102 2158 conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_SLAVE); 2103 2159 if (IS_ERR(conn)) 2104 2160 return conn; 2105 2161 2106 2162 conn->iso_qos = *qos; 2163 + conn->dst_type = dst_type; 2164 + conn->sid = sid; 2107 2165 conn->state = BT_LISTEN; 2108 2166 2109 2167 hci_conn_hold(conn); 2110 2168 2111 - cp = kzalloc(sizeof(*cp), GFP_KERNEL); 2112 - if (!cp) { 2113 - hci_dev_clear_flag(hdev, HCI_PA_SYNC); 2114 - hci_conn_drop(conn); 2115 - return ERR_PTR(-ENOMEM); 2116 - } 2117 - 2118 - cp->options = qos->bcast.options; 2119 - cp->sid = sid; 2120 - cp->addr_type = dst_type; 2121 - bacpy(&cp->addr, dst); 2122 - cp->skip = cpu_to_le16(qos->bcast.skip); 2123 - cp->sync_timeout = cpu_to_le16(qos->bcast.sync_timeout); 2124 - cp->sync_cte_type = qos->bcast.sync_cte_type; 2125 - 2126 - /* Queue start pa_create_sync and scan */ 2127 - err = hci_cmd_sync_queue(hdev, create_pa_sync, cp, create_pa_complete); 2128 - if (err < 0) { 2129 - hci_conn_drop(conn); 2130 - kfree(cp); 2131 - return ERR_PTR(err); 2132 - } 2169 + hci_pa_create_sync_pending(hdev); 2133 2170 2134 2171 return conn; 2172 + } 2173 + 2174 + static bool hci_conn_check_create_big_sync(struct hci_conn *conn) 2175 + { 2176 + if (!conn->num_bis) 2177 + return false; 2178 + 2179 + return true; 2180 + } 2181 + 2182 + static void big_create_sync_complete(struct hci_dev *hdev, void *data, int err) 2183 + { 2184 + bt_dev_dbg(hdev, ""); 2185 + 2186 + if (err) 2187 + bt_dev_err(hdev, "Unable to create BIG sync: %d", err); 2188 + } 2189 + 2190 + static int big_create_sync(struct hci_dev *hdev, void *data) 2191 + { 2192 + DEFINE_FLEX(struct hci_cp_le_big_create_sync, pdu, bis, num_bis, 0x11); 2193 + struct hci_conn *conn; 2194 + 2195 + rcu_read_lock(); 2196 + 2197 + pdu->num_bis = 0; 2198 + 2199 + /* The spec allows only one pending LE BIG Create Sync command at 2200 + * a time. If the command is pending now, don't do anything. We 2201 + * check for pending connections after each BIG Sync Established 2202 + * event. 2203 + * 2204 + * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E 2205 + * page 2586: 2206 + * 2207 + * If the Host sends this command when the Controller is in the 2208 + * process of synchronizing to any BIG, i.e. the HCI_LE_BIG_Sync_ 2209 + * Established event has not been generated, the Controller shall 2210 + * return the error code Command Disallowed (0x0C). 2211 + */ 2212 + list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2213 + if (test_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags)) 2214 + goto unlock; 2215 + } 2216 + 2217 + list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 2218 + if (hci_conn_check_create_big_sync(conn)) { 2219 + struct bt_iso_qos *qos = &conn->iso_qos; 2220 + 2221 + set_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags); 2222 + 2223 + pdu->handle = qos->bcast.big; 2224 + pdu->sync_handle = cpu_to_le16(conn->sync_handle); 2225 + pdu->encryption = qos->bcast.encryption; 2226 + memcpy(pdu->bcode, qos->bcast.bcode, 2227 + sizeof(pdu->bcode)); 2228 + pdu->mse = qos->bcast.mse; 2229 + pdu->timeout = cpu_to_le16(qos->bcast.timeout); 2230 + pdu->num_bis = conn->num_bis; 2231 + memcpy(pdu->bis, conn->bis, conn->num_bis); 2232 + 2233 + break; 2234 + } 2235 + } 2236 + 2237 + unlock: 2238 + rcu_read_unlock(); 2239 + 2240 + if (!pdu->num_bis) 2241 + return 0; 2242 + 2243 + return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2244 + struct_size(pdu, bis, pdu->num_bis), pdu); 2245 + } 2246 + 2247 + int hci_le_big_create_sync_pending(struct hci_dev *hdev) 2248 + { 2249 + /* Queue big_create_sync */ 2250 + return hci_cmd_sync_queue_once(hdev, big_create_sync, 2251 + NULL, big_create_sync_complete); 2135 2252 } 2136 2253 2137 2254 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon, 2138 2255 struct bt_iso_qos *qos, 2139 2256 __u16 sync_handle, __u8 num_bis, __u8 bis[]) 2140 2257 { 2141 - DEFINE_FLEX(struct hci_cp_le_big_create_sync, pdu, bis, num_bis, 0x11); 2142 2258 int err; 2143 2259 2144 - if (num_bis < 0x01 || num_bis > pdu->num_bis) 2260 + if (num_bis < 0x01 || num_bis > ISO_MAX_NUM_BIS) 2145 2261 return -EINVAL; 2146 2262 2147 2263 err = qos_set_big(hdev, qos); 2148 2264 if (err) 2149 2265 return err; 2150 2266 2151 - if (hcon) 2152 - hcon->iso_qos.bcast.big = qos->bcast.big; 2267 + if (hcon) { 2268 + /* Update hcon QoS */ 2269 + hcon->iso_qos = *qos; 2153 2270 2154 - pdu->handle = qos->bcast.big; 2155 - pdu->sync_handle = cpu_to_le16(sync_handle); 2156 - pdu->encryption = qos->bcast.encryption; 2157 - memcpy(pdu->bcode, qos->bcast.bcode, sizeof(pdu->bcode)); 2158 - pdu->mse = qos->bcast.mse; 2159 - pdu->timeout = cpu_to_le16(qos->bcast.timeout); 2160 - pdu->num_bis = num_bis; 2161 - memcpy(pdu->bis, bis, num_bis); 2271 + hcon->num_bis = num_bis; 2272 + memcpy(hcon->bis, bis, num_bis); 2273 + } 2162 2274 2163 - return hci_send_cmd(hdev, HCI_OP_LE_BIG_CREATE_SYNC, 2164 - struct_size(pdu, bis, num_bis), pdu); 2275 + return hci_le_big_create_sync_pending(hdev); 2165 2276 } 2166 2277 2167 2278 static void create_big_complete(struct hci_dev *hdev, void *data, int err) ··· 2337 2224 conn->iso_qos.bcast.big); 2338 2225 if (parent && parent != conn) { 2339 2226 link = hci_conn_link(parent, conn); 2340 - if (!link) { 2341 - hci_conn_drop(conn); 2342 - return ERR_PTR(-ENOLINK); 2343 - } 2344 - 2345 - /* Link takes the refcount */ 2346 2227 hci_conn_drop(conn); 2228 + if (!link) 2229 + return ERR_PTR(-ENOLINK); 2347 2230 } 2348 2231 2349 2232 return conn; ··· 2429 2320 } 2430 2321 2431 2322 link = hci_conn_link(le, cis); 2323 + hci_conn_drop(cis); 2432 2324 if (!link) { 2433 2325 hci_conn_drop(le); 2434 - hci_conn_drop(cis); 2435 2326 return ERR_PTR(-ENOLINK); 2436 2327 } 2437 - 2438 - /* Link takes the refcount */ 2439 - hci_conn_drop(cis); 2440 2328 2441 2329 cis->state = BT_CONNECT; 2442 2330

+18 -8

net/bluetooth/hci_core.c

··· 3771 3771 /* ACL data packet */ 3772 3772 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3773 3773 { 3774 - struct hci_acl_hdr *hdr = (void *) skb->data; 3774 + struct hci_acl_hdr *hdr; 3775 3775 struct hci_conn *conn; 3776 3776 __u16 handle, flags; 3777 3777 3778 - skb_pull(skb, HCI_ACL_HDR_SIZE); 3778 + hdr = skb_pull_data(skb, sizeof(*hdr)); 3779 + if (!hdr) { 3780 + bt_dev_err(hdev, "ACL packet too small"); 3781 + goto drop; 3782 + } 3779 3783 3780 3784 handle = __le16_to_cpu(hdr->handle); 3781 3785 flags = hci_flags(handle); 3782 3786 handle = hci_handle(handle); 3783 3787 3784 - BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len, 3785 - handle, flags); 3788 + bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len, 3789 + handle, flags); 3786 3790 3787 3791 hdev->stat.acl_rx++; 3788 3792 ··· 3805 3801 handle); 3806 3802 } 3807 3803 3804 + drop: 3808 3805 kfree_skb(skb); 3809 3806 } 3810 3807 3811 3808 /* SCO data packet */ 3812 3809 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3813 3810 { 3814 - struct hci_sco_hdr *hdr = (void *) skb->data; 3811 + struct hci_sco_hdr *hdr; 3815 3812 struct hci_conn *conn; 3816 3813 __u16 handle, flags; 3817 3814 3818 - skb_pull(skb, HCI_SCO_HDR_SIZE); 3815 + hdr = skb_pull_data(skb, sizeof(*hdr)); 3816 + if (!hdr) { 3817 + bt_dev_err(hdev, "SCO packet too small"); 3818 + goto drop; 3819 + } 3819 3820 3820 3821 handle = __le16_to_cpu(hdr->handle); 3821 3822 flags = hci_flags(handle); 3822 3823 handle = hci_handle(handle); 3823 3824 3824 - BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len, 3825 - handle, flags); 3825 + bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len, 3826 + handle, flags); 3826 3827 3827 3828 hdev->stat.sco_rx++; 3828 3829 ··· 3845 3836 handle); 3846 3837 } 3847 3838 3839 + drop: 3848 3840 kfree_skb(skb); 3849 3841 } 3850 3842

+45 -2

net/bluetooth/hci_event.c

··· 3626 3626 goto unlock; 3627 3627 } 3628 3628 3629 + /* We skip the WRITE_AUTH_PAYLOAD_TIMEOUT for ATS2851 based controllers 3630 + * to avoid unexpected SMP command errors when pairing. 3631 + */ 3632 + if (test_bit(HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT, 3633 + &hdev->quirks)) 3634 + goto notify; 3635 + 3629 3636 /* Set the default Authenticated Payload Timeout after 3630 3637 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3631 3638 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be ··· 6352 6345 struct hci_ev_le_pa_sync_established *ev = data; 6353 6346 int mask = hdev->link_mode; 6354 6347 __u8 flags = 0; 6355 - struct hci_conn *pa_sync; 6348 + struct hci_conn *pa_sync, *conn; 6356 6349 6357 6350 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6358 6351 6359 6352 hci_dev_lock(hdev); 6360 6353 6361 6354 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6355 + 6356 + conn = hci_conn_hash_lookup_sid(hdev, ev->sid, &ev->bdaddr, 6357 + ev->bdaddr_type); 6358 + if (!conn) { 6359 + bt_dev_err(hdev, 6360 + "Unable to find connection for dst %pMR sid 0x%2.2x", 6361 + &ev->bdaddr, ev->sid); 6362 + goto unlock; 6363 + } 6364 + 6365 + clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags); 6366 + 6367 + conn->sync_handle = le16_to_cpu(ev->handle); 6368 + conn->sid = HCI_SID_INVALID; 6362 6369 6363 6370 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags); 6364 6371 if (!(mask & HCI_LM_ACCEPT)) { ··· 6400 6379 } 6401 6380 6402 6381 unlock: 6382 + /* Handle any other pending PA sync command */ 6383 + hci_pa_create_sync_pending(hdev); 6384 + 6403 6385 hci_dev_unlock(hdev); 6404 6386 } 6405 6387 ··· 6920 6896 struct sk_buff *skb) 6921 6897 { 6922 6898 struct hci_evt_le_big_sync_estabilished *ev = data; 6923 - struct hci_conn *bis; 6899 + struct hci_conn *bis, *conn; 6924 6900 int i; 6925 6901 6926 6902 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); ··· 6930 6906 return; 6931 6907 6932 6908 hci_dev_lock(hdev); 6909 + 6910 + conn = hci_conn_hash_lookup_big_sync_pend(hdev, ev->handle, 6911 + ev->num_bis); 6912 + if (!conn) { 6913 + bt_dev_err(hdev, 6914 + "Unable to find connection for big 0x%2.2x", 6915 + ev->handle); 6916 + goto unlock; 6917 + } 6918 + 6919 + clear_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags); 6920 + 6921 + conn->num_bis = 0; 6922 + memset(conn->bis, 0, sizeof(conn->num_bis)); 6933 6923 6934 6924 for (i = 0; i < ev->num_bis; i++) { 6935 6925 u16 handle = le16_to_cpu(ev->bis[i]); ··· 6965 6927 /* Mark PA sync as established */ 6966 6928 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 6967 6929 6930 + bis->sync_handle = conn->sync_handle; 6968 6931 bis->iso_qos.bcast.big = ev->handle; 6969 6932 memset(&interval, 0, sizeof(interval)); 6970 6933 memcpy(&interval, ev->latency, sizeof(ev->latency)); ··· 6994 6955 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); 6995 6956 hci_connect_cfm(bis, ev->status); 6996 6957 } 6958 + 6959 + unlock: 6960 + /* Handle any other pending BIG sync command */ 6961 + hci_le_big_create_sync_pending(hdev); 6997 6962 6998 6963 hci_dev_unlock(hdev); 6999 6964 }

+8 -1

net/bluetooth/hci_sync.c

··· 4842 4842 HCI_QUIRK_BROKEN(SET_RPA_TIMEOUT, 4843 4843 "HCI LE Set Random Private Address Timeout command is " 4844 4844 "advertised, but not supported."), 4845 + HCI_QUIRK_BROKEN(EXT_CREATE_CONN, 4846 + "HCI LE Extended Create Connection command is " 4847 + "advertised, but not supported."), 4848 + HCI_QUIRK_BROKEN(WRITE_AUTH_PAYLOAD_TIMEOUT, 4849 + "HCI WRITE AUTH PAYLOAD TIMEOUT command leads " 4850 + "to unexpected SMP errors when pairing " 4851 + "and will not be used."), 4845 4852 HCI_QUIRK_BROKEN(LE_CODED, 4846 4853 "HCI LE Coded PHY feature bit is set, " 4847 4854 "but its usage is not supported.") ··· 6484 6477 &own_addr_type); 6485 6478 if (err) 6486 6479 goto done; 6487 - 6480 + /* Send command LE Extended Create Connection if supported */ 6488 6481 if (use_ext_conn(hdev)) { 6489 6482 err = hci_le_ext_create_conn_sync(hdev, conn, own_addr_type); 6490 6483 goto done;

+4 -11

net/bluetooth/hci_sysfs.c

··· 21 21 .release = bt_link_release, 22 22 }; 23 23 24 - /* 25 - * The rfcomm tty device will possibly retain even when conn 26 - * is down, and sysfs doesn't support move zombie device, 27 - * so we should move the device before conn device is destroyed. 28 - */ 29 - static int __match_tty(struct device *dev, void *data) 30 - { 31 - return !strncmp(dev_name(dev), "rfcomm", 6); 32 - } 33 - 34 24 void hci_conn_init_sysfs(struct hci_conn *conn) 35 25 { 36 26 struct hci_dev *hdev = conn->hdev; ··· 63 73 return; 64 74 } 65 75 76 + /* If there are devices using the connection as parent reset it to NULL 77 + * before unregistering the device. 78 + */ 66 79 while (1) { 67 80 struct device *dev; 68 81 69 - dev = device_find_child(&conn->dev, NULL, __match_tty); 82 + dev = device_find_any_child(&conn->dev); 70 83 if (!dev) 71 84 break; 72 85 device_move(dev, NULL, DPM_ORDER_DEV_LAST);

+100 -21

net/bluetooth/iso.c

··· 35 35 struct sk_buff *rx_skb; 36 36 __u32 rx_len; 37 37 __u16 tx_sn; 38 + struct kref ref; 38 39 }; 39 40 40 41 #define iso_conn_lock(c) spin_lock(&(c)->lock) ··· 94 93 #define ISO_CONN_TIMEOUT (HZ * 40) 95 94 #define ISO_DISCONN_TIMEOUT (HZ * 2) 96 95 96 + static void iso_conn_free(struct kref *ref) 97 + { 98 + struct iso_conn *conn = container_of(ref, struct iso_conn, ref); 99 + 100 + BT_DBG("conn %p", conn); 101 + 102 + if (conn->sk) 103 + iso_pi(conn->sk)->conn = NULL; 104 + 105 + if (conn->hcon) { 106 + conn->hcon->iso_data = NULL; 107 + hci_conn_drop(conn->hcon); 108 + } 109 + 110 + /* Ensure no more work items will run since hci_conn has been dropped */ 111 + disable_delayed_work_sync(&conn->timeout_work); 112 + 113 + kfree(conn); 114 + } 115 + 116 + static void iso_conn_put(struct iso_conn *conn) 117 + { 118 + if (!conn) 119 + return; 120 + 121 + BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); 122 + 123 + kref_put(&conn->ref, iso_conn_free); 124 + } 125 + 126 + static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn) 127 + { 128 + if (!conn) 129 + return NULL; 130 + 131 + BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); 132 + 133 + if (!kref_get_unless_zero(&conn->ref)) 134 + return NULL; 135 + 136 + return conn; 137 + } 138 + 97 139 static struct sock *iso_sock_hold(struct iso_conn *conn) 98 140 { 99 141 if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk)) ··· 153 109 timeout_work.work); 154 110 struct sock *sk; 155 111 112 + conn = iso_conn_hold_unless_zero(conn); 113 + if (!conn) 114 + return; 115 + 156 116 iso_conn_lock(conn); 157 117 sk = iso_sock_hold(conn); 158 118 iso_conn_unlock(conn); 119 + iso_conn_put(conn); 159 120 160 121 if (!sk) 161 122 return; ··· 198 149 { 199 150 struct iso_conn *conn = hcon->iso_data; 200 151 152 + conn = iso_conn_hold_unless_zero(conn); 201 153 if (conn) { 202 - if (!conn->hcon) 154 + if (!conn->hcon) { 155 + iso_conn_lock(conn); 203 156 conn->hcon = hcon; 157 + iso_conn_unlock(conn); 158 + } 159 + iso_conn_put(conn); 204 160 return conn; 205 161 } 206 162 ··· 213 159 if (!conn) 214 160 return NULL; 215 161 162 + kref_init(&conn->ref); 216 163 spin_lock_init(&conn->lock); 217 164 INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout); 218 165 ··· 233 178 struct sock *parent; 234 179 235 180 conn = iso_pi(sk)->conn; 181 + iso_pi(sk)->conn = NULL; 236 182 237 183 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 238 184 239 185 if (conn) { 240 186 iso_conn_lock(conn); 241 187 conn->sk = NULL; 242 - iso_pi(sk)->conn = NULL; 243 188 iso_conn_unlock(conn); 244 - 245 - if (conn->hcon) 246 - hci_conn_drop(conn->hcon); 189 + iso_conn_put(conn); 247 190 } 248 191 249 192 sk->sk_state = BT_CLOSED; ··· 263 210 struct iso_conn *conn = hcon->iso_data; 264 211 struct sock *sk; 265 212 213 + conn = iso_conn_hold_unless_zero(conn); 266 214 if (!conn) 267 215 return; 268 216 ··· 273 219 iso_conn_lock(conn); 274 220 sk = iso_sock_hold(conn); 275 221 iso_conn_unlock(conn); 222 + iso_conn_put(conn); 276 223 277 - if (sk) { 278 - lock_sock(sk); 279 - iso_sock_clear_timer(sk); 280 - iso_chan_del(sk, err); 281 - release_sock(sk); 282 - sock_put(sk); 224 + if (!sk) { 225 + iso_conn_put(conn); 226 + return; 283 227 } 284 228 285 - /* Ensure no more work items will run before freeing conn. */ 286 - cancel_delayed_work_sync(&conn->timeout_work); 287 - 288 - hcon->iso_data = NULL; 289 - kfree(conn); 229 + lock_sock(sk); 230 + iso_sock_clear_timer(sk); 231 + iso_chan_del(sk, err); 232 + release_sock(sk); 233 + sock_put(sk); 290 234 } 291 235 292 236 static int __iso_chan_add(struct iso_conn *conn, struct sock *sk, ··· 704 652 { 705 653 BT_DBG("sk %p", sk); 706 654 655 + iso_conn_put(iso_pi(sk)->conn); 656 + 707 657 skb_queue_purge(&sk->sk_receive_queue); 708 658 skb_queue_purge(&sk->sk_write_queue); 709 659 } ··· 765 711 */ 766 712 if (bis_sk) { 767 713 hcon->state = BT_OPEN; 714 + hcon->iso_data = NULL; 768 715 iso_pi(sk)->conn->hcon = NULL; 769 716 iso_sock_clear_timer(sk); 770 717 iso_chan_del(sk, bt_to_errno(hcon->abort_reason)); ··· 775 720 } 776 721 777 722 sk->sk_state = BT_DISCONN; 778 - iso_sock_set_timer(sk, ISO_DISCONN_TIMEOUT); 779 723 iso_conn_lock(iso_pi(sk)->conn); 780 724 hci_conn_drop(iso_pi(sk)->conn->hcon); 781 725 iso_pi(sk)->conn->hcon = NULL; ··· 1392 1338 if (!hdev) 1393 1339 return; 1394 1340 1341 + /* hci_le_big_create_sync requires hdev lock to be held, since 1342 + * it enqueues the HCI LE BIG Create Sync command via 1343 + * hci_cmd_sync_queue_once, which checks hdev flags that might 1344 + * change. 1345 + */ 1346 + hci_dev_lock(hdev); 1347 + 1395 1348 if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { 1396 1349 err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon, 1397 1350 &iso_pi(sk)->qos, ··· 1409 1348 bt_dev_err(hdev, "hci_le_big_create_sync: %d", 1410 1349 err); 1411 1350 } 1351 + 1352 + hci_dev_unlock(hdev); 1412 1353 } 1413 1354 1414 1355 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, ··· 1796 1733 return ev->handle == iso_pi(sk)->qos.bcast.big; 1797 1734 } 1798 1735 1736 + static bool iso_match_big_hcon(struct sock *sk, void *data) 1737 + { 1738 + struct hci_conn *hcon = data; 1739 + 1740 + return hcon->iso_qos.bcast.big == iso_pi(sk)->qos.bcast.big; 1741 + } 1742 + 1799 1743 static bool iso_match_pa_sync_flag(struct sock *sk, void *data) 1800 1744 { 1801 1745 return test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags); ··· 1826 1756 if (!hcon) 1827 1757 return; 1828 1758 1829 - if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags) || 1830 - test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) { 1759 + if (test_bit(HCI_CONN_BIG_SYNC, &hcon->flags)) { 1760 + /* A BIS slave hcon is notified to the ISO layer 1761 + * after the Command Complete for the LE Setup 1762 + * ISO Data Path command is received. Get the 1763 + * parent socket that matches the hcon BIG handle. 1764 + */ 1765 + parent = iso_get_sock(&hcon->src, &hcon->dst, 1766 + BT_LISTEN, iso_match_big_hcon, 1767 + hcon); 1768 + } else if (test_bit(HCI_CONN_BIG_SYNC_FAILED, &hcon->flags)) { 1831 1769 ev = hci_recv_event_data(hcon->hdev, 1832 1770 HCI_EVT_LE_BIG_SYNC_ESTABILISHED); 1833 1771 ··· 1902 1824 if (!bacmp(&hcon->dst, BDADDR_ANY)) { 1903 1825 bacpy(&hcon->dst, &iso_pi(parent)->dst); 1904 1826 hcon->dst_type = iso_pi(parent)->dst_type; 1905 - hcon->sync_handle = iso_pi(parent)->sync_handle; 1906 1827 } 1907 1828 1908 1829 if (ev3) { ··· 2019 1942 2020 1943 if (sk) { 2021 1944 int err; 1945 + struct hci_conn *hcon = iso_pi(sk)->conn->hcon; 2022 1946 2023 1947 iso_pi(sk)->qos.bcast.encryption = ev2->encryption; 2024 1948 ··· 2028 1950 2029 1951 if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags) && 2030 1952 !test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { 2031 - err = hci_le_big_create_sync(hdev, NULL, 1953 + err = hci_le_big_create_sync(hdev, 1954 + hcon, 2032 1955 &iso_pi(sk)->qos, 2033 1956 iso_pi(sk)->sync_handle, 2034 1957 iso_pi(sk)->bc_num_bis,

+60

net/bluetooth/mgmt.c

··· 132 132 MGMT_OP_MESH_READ_FEATURES, 133 133 MGMT_OP_MESH_SEND, 134 134 MGMT_OP_MESH_SEND_CANCEL, 135 + MGMT_OP_HCI_CMD_SYNC, 135 136 }; 136 137 137 138 static const u16 mgmt_events[] = { ··· 2512 2511 } 2513 2512 2514 2513 unlock: 2514 + hci_dev_unlock(hdev); 2515 + return err; 2516 + } 2517 + 2518 + static int send_hci_cmd_sync(struct hci_dev *hdev, void *data) 2519 + { 2520 + struct mgmt_pending_cmd *cmd = data; 2521 + struct mgmt_cp_hci_cmd_sync *cp = cmd->param; 2522 + struct sk_buff *skb; 2523 + 2524 + skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cp->opcode), 2525 + le16_to_cpu(cp->params_len), cp->params, 2526 + cp->event, cp->timeout ? 2527 + msecs_to_jiffies(cp->timeout * 1000) : 2528 + HCI_CMD_TIMEOUT); 2529 + if (IS_ERR(skb)) { 2530 + mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_HCI_CMD_SYNC, 2531 + mgmt_status(PTR_ERR(skb))); 2532 + goto done; 2533 + } 2534 + 2535 + mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_HCI_CMD_SYNC, 0, 2536 + skb->data, skb->len); 2537 + 2538 + kfree_skb(skb); 2539 + 2540 + done: 2541 + mgmt_pending_free(cmd); 2542 + 2543 + return 0; 2544 + } 2545 + 2546 + static int mgmt_hci_cmd_sync(struct sock *sk, struct hci_dev *hdev, 2547 + void *data, u16 len) 2548 + { 2549 + struct mgmt_cp_hci_cmd_sync *cp = data; 2550 + struct mgmt_pending_cmd *cmd; 2551 + int err; 2552 + 2553 + if (len < sizeof(*cp)) 2554 + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_HCI_CMD_SYNC, 2555 + MGMT_STATUS_INVALID_PARAMS); 2556 + 2557 + hci_dev_lock(hdev); 2558 + cmd = mgmt_pending_new(sk, MGMT_OP_HCI_CMD_SYNC, hdev, data, len); 2559 + if (!cmd) 2560 + err = -ENOMEM; 2561 + else 2562 + err = hci_cmd_sync_queue(hdev, send_hci_cmd_sync, cmd, NULL); 2563 + 2564 + if (err < 0) { 2565 + err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_HCI_CMD_SYNC, 2566 + MGMT_STATUS_FAILED); 2567 + 2568 + if (cmd) 2569 + mgmt_pending_free(cmd); 2570 + } 2571 + 2515 2572 hci_dev_unlock(hdev); 2516 2573 return err; 2517 2574 } ··· 9430 9371 { mesh_send, MGMT_MESH_SEND_SIZE, 9431 9372 HCI_MGMT_VAR_LEN }, 9432 9373 { mesh_send_cancel, MGMT_MESH_SEND_CANCEL_SIZE }, 9374 + { mgmt_hci_cmd_sync, MGMT_HCI_CMD_SYNC_SIZE, HCI_MGMT_VAR_LEN }, 9433 9375 }; 9434 9376 9435 9377 void mgmt_index_added(struct hci_dev *hdev)

+6 -4

net/bluetooth/rfcomm/sock.c

··· 729 729 struct sock *l2cap_sk; 730 730 struct l2cap_conn *conn; 731 731 struct rfcomm_conninfo cinfo; 732 - int len, err = 0; 732 + int err = 0; 733 + size_t len; 733 734 u32 opt; 734 735 735 736 BT_DBG("sk %p", sk); ··· 784 783 cinfo.hci_handle = conn->hcon->handle; 785 784 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 786 785 787 - len = min_t(unsigned int, len, sizeof(cinfo)); 786 + len = min(len, sizeof(cinfo)); 788 787 if (copy_to_user(optval, (char *) &cinfo, len)) 789 788 err = -EFAULT; 790 789 ··· 803 802 { 804 803 struct sock *sk = sock->sk; 805 804 struct bt_security sec; 806 - int len, err = 0; 805 + int err = 0; 806 + size_t len; 807 807 808 808 BT_DBG("sk %p", sk); 809 809 ··· 829 827 sec.level = rfcomm_pi(sk)->sec_level; 830 828 sec.key_size = 0; 831 829 832 - len = min_t(unsigned int, len, sizeof(sec)); 830 + len = min(len, sizeof(sec)); 833 831 if (copy_to_user(optval, (char *) &sec, len)) 834 832 err = -EFAULT; 835 833

+71 -28

net/bluetooth/sco.c

··· 51 51 struct delayed_work timeout_work; 52 52 53 53 unsigned int mtu; 54 + struct kref ref; 54 55 }; 55 56 56 57 #define sco_conn_lock(c) spin_lock(&c->lock) ··· 77 76 #define SCO_CONN_TIMEOUT (HZ * 40) 78 77 #define SCO_DISCONN_TIMEOUT (HZ * 2) 79 78 79 + static void sco_conn_free(struct kref *ref) 80 + { 81 + struct sco_conn *conn = container_of(ref, struct sco_conn, ref); 82 + 83 + BT_DBG("conn %p", conn); 84 + 85 + if (conn->sk) 86 + sco_pi(conn->sk)->conn = NULL; 87 + 88 + if (conn->hcon) { 89 + conn->hcon->sco_data = NULL; 90 + hci_conn_drop(conn->hcon); 91 + } 92 + 93 + /* Ensure no more work items will run since hci_conn has been dropped */ 94 + disable_delayed_work_sync(&conn->timeout_work); 95 + 96 + kfree(conn); 97 + } 98 + 99 + static void sco_conn_put(struct sco_conn *conn) 100 + { 101 + if (!conn) 102 + return; 103 + 104 + BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); 105 + 106 + kref_put(&conn->ref, sco_conn_free); 107 + } 108 + 109 + static struct sco_conn *sco_conn_hold_unless_zero(struct sco_conn *conn) 110 + { 111 + if (!conn) 112 + return NULL; 113 + 114 + BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); 115 + 116 + if (!kref_get_unless_zero(&conn->ref)) 117 + return NULL; 118 + 119 + return conn; 120 + } 121 + 80 122 static struct sock *sco_sock_hold(struct sco_conn *conn) 81 123 { 82 124 if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk)) ··· 136 92 timeout_work.work); 137 93 struct sock *sk; 138 94 95 + conn = sco_conn_hold_unless_zero(conn); 96 + if (!conn) 97 + return; 98 + 139 99 sco_conn_lock(conn); 140 100 if (!conn->hcon) { 141 101 sco_conn_unlock(conn); ··· 147 99 } 148 100 sk = sco_sock_hold(conn); 149 101 sco_conn_unlock(conn); 102 + sco_conn_put(conn); 150 103 151 104 if (!sk) 152 105 return; ··· 185 136 { 186 137 struct sco_conn *conn = hcon->sco_data; 187 138 139 + conn = sco_conn_hold_unless_zero(conn); 188 140 if (conn) { 189 - if (!conn->hcon) 141 + if (!conn->hcon) { 142 + sco_conn_lock(conn); 190 143 conn->hcon = hcon; 144 + sco_conn_unlock(conn); 145 + } 146 + sco_conn_put(conn); 191 147 return conn; 192 148 } 193 149 ··· 200 146 if (!conn) 201 147 return NULL; 202 148 149 + kref_init(&conn->ref); 203 150 spin_lock_init(&conn->lock); 204 151 INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout); 205 152 ··· 225 170 struct sco_conn *conn; 226 171 227 172 conn = sco_pi(sk)->conn; 173 + sco_pi(sk)->conn = NULL; 228 174 229 175 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 230 176 231 177 if (conn) { 232 178 sco_conn_lock(conn); 233 179 conn->sk = NULL; 234 - sco_pi(sk)->conn = NULL; 235 180 sco_conn_unlock(conn); 236 - 237 - if (conn->hcon) 238 - hci_conn_drop(conn->hcon); 181 + sco_conn_put(conn); 239 182 } 240 183 241 184 sk->sk_state = BT_CLOSED; ··· 248 195 struct sco_conn *conn = hcon->sco_data; 249 196 struct sock *sk; 250 197 198 + conn = sco_conn_hold_unless_zero(conn); 251 199 if (!conn) 252 200 return; 253 201 254 202 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 255 203 256 - /* Kill socket */ 257 204 sco_conn_lock(conn); 258 205 sk = sco_sock_hold(conn); 259 206 sco_conn_unlock(conn); 207 + sco_conn_put(conn); 260 208 261 - if (sk) { 262 - lock_sock(sk); 263 - sco_sock_clear_timer(sk); 264 - sco_chan_del(sk, err); 265 - release_sock(sk); 266 - sock_put(sk); 209 + if (!sk) { 210 + sco_conn_put(conn); 211 + return; 267 212 } 268 213 269 - /* Ensure no more work items will run before freeing conn. */ 270 - cancel_delayed_work_sync(&conn->timeout_work); 271 - 272 - hcon->sco_data = NULL; 273 - kfree(conn); 214 + /* Kill socket */ 215 + lock_sock(sk); 216 + sco_sock_clear_timer(sk); 217 + sco_chan_del(sk, err); 218 + release_sock(sk); 219 + sock_put(sk); 274 220 } 275 221 276 222 static void __sco_chan_add(struct sco_conn *conn, struct sock *sk, ··· 453 401 { 454 402 BT_DBG("sk %p", sk); 455 403 404 + sco_conn_put(sco_pi(sk)->conn); 405 + 456 406 skb_queue_purge(&sk->sk_receive_queue); 457 407 skb_queue_purge(&sk->sk_write_queue); 458 408 } ··· 502 448 503 449 case BT_CONNECTED: 504 450 case BT_CONFIG: 505 - if (sco_pi(sk)->conn->hcon) { 506 - sk->sk_state = BT_DISCONN; 507 - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); 508 - sco_conn_lock(sco_pi(sk)->conn); 509 - hci_conn_drop(sco_pi(sk)->conn->hcon); 510 - sco_pi(sk)->conn->hcon = NULL; 511 - sco_conn_unlock(sco_pi(sk)->conn); 512 - } else 513 - sco_chan_del(sk, ECONNRESET); 514 - break; 515 - 516 451 case BT_CONNECT2: 517 452 case BT_CONNECT: 518 453 case BT_DISCONN: