Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 69fb7812 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'for-upstream' of... 

Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next



Johan Hedberg says:

====================
pull request: bluetooth-next 2016-04-12

Here's a set of Bluetooth & 802.15.4 patches intended for the 4.7 kernel:

 - Fix for race condition in vhci driver
 - Memory leak fix for ieee802154/adf7242 driver
 - Improvements to deal with single-mode (LE-only) Bluetooth controllers
 - Fix for allowing the BT_SECURITY_FIPS security level
 - New BCM2E71 ACPI ID
 - NULL pointer dereference fix fox hci_ldisc driver

Let me know if there are any issues pulling. Thanks.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 9a6f2b01 8805eea2

drivers/bluetooth/hci_bcm.c

+1 −0
Original line number Original line Diff line number Diff line
@@ -825,6 +825,7 @@ static const struct acpi_device_id bcm_acpi_match[] = { 
	{ "BCM2E64", 0 },

	{ "BCM2E64", 0 },

	{ "BCM2E65", 0 },

	{ "BCM2E65", 0 },

	{ "BCM2E67", 0 },

	{ "BCM2E67", 0 },

	{ "BCM2E71", 0 },

	{ "BCM2E7B", 0 },

	{ "BCM2E7B", 0 },

	{ "BCM2E7C", 0 },

	{ "BCM2E7C", 0 },

	{ },

	{ },

drivers/bluetooth/hci_bcsp.c

+31 −26
Original line number Original line Diff line number Diff line
@@ -102,12 +102,11 @@ static const u16 crc_table[] = { 
/* Initialise the crc calculator */

/* Initialise the crc calculator */

#define BCSP_CRC_INIT(x) x = 0xffff

#define BCSP_CRC_INIT(x) x = 0xffff





/*

/* Update crc with next data byte

   Update crc with next data byte

 *



 * Implementation note

   Implementation note

 *     The data byte is treated as two nibbles.  The crc is generated

        The data byte is treated as two nibbles.  The crc is generated

 *     in reverse, i.e., bits are fed into the register from the top.

        in reverse, i.e., bits are fed into the register from the top.

 */

 */

static void bcsp_crc_update(u16 *crc, u8 d)

static void bcsp_crc_update(u16 *crc, u8 d)

{

{
@@ -223,9 +222,10 @@ static struct sk_buff *bcsp_prepare_pkt(struct bcsp_struct *bcsp, u8 *data, 
	}

	}





	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2

	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2

	   (because bytes 0xc0 and 0xdb are escaped, worst case is

	 * (because bytes 0xc0 and 0xdb are escaped, worst case is

	   when the packet is all made of 0xc0 and 0xdb :) )

	 * when the packet is all made of 0xc0 and 0xdb :) )

	   + 2 (0xc0 delimiters at start and end). */

	 * + 2 (0xc0 delimiters at start and end).

	 */





	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);

	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);

	if (!nskb)

	if (!nskb)
@@ -305,8 +305,9 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu) 
	}

	}





	/* Now, try to send a reliable pkt. We can only send a

	/* Now, try to send a reliable pkt. We can only send a

	   reliable packet if the number of packets sent but not yet ack'ed

	 * reliable packet if the number of packets sent but not yet ack'ed

	   is < than the winsize */

	 * is < than the winsize

	 */





	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);

	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
@@ -332,12 +333,14 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu) 
	spin_unlock_irqrestore(&bcsp->unack.lock, flags);

	spin_unlock_irqrestore(&bcsp->unack.lock, flags);





	/* We could not send a reliable packet, either because there are

	/* We could not send a reliable packet, either because there are

	   none or because there are too many unack'ed pkts. Did we receive

	 * none or because there are too many unack'ed pkts. Did we receive

	   any packets we have not acknowledged yet ? */

	 * any packets we have not acknowledged yet ?

	 */





	if (bcsp->txack_req) {

	if (bcsp->txack_req) {

		/* if so, craft an empty ACK pkt and send it on BCSP unreliable

		/* if so, craft an empty ACK pkt and send it on BCSP unreliable

		   channel 0 */

		 * channel 0

		 */

		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);

		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);

		return nskb;

		return nskb;

	}

	}
@@ -399,8 +402,9 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp) 
}

}





/* Handle BCSP link-establishment packets. When we

/* Handle BCSP link-establishment packets. When we

   detect a "sync" packet, symptom that the BT module has reset,

 * detect a "sync" packet, symptom that the BT module has reset,

   we do nothing :) (yet) */

 * we do nothing :) (yet)

 */

static void bcsp_handle_le_pkt(struct hci_uart *hu)

static void bcsp_handle_le_pkt(struct hci_uart *hu)

{

{

	struct bcsp_struct *bcsp = hu->priv;

	struct bcsp_struct *bcsp = hu->priv;
@@ -654,7 +658,8 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) 




				/* Do not increment ptr or decrement count

				/* Do not increment ptr or decrement count

				 * Allocate packet. Max len of a BCSP pkt=

				 * Allocate packet. Max len of a BCSP pkt=

				 * 0xFFF (payload) +4 (header) +2 (crc) */

				 * 0xFFF (payload) +4 (header) +2 (crc)

				 */





				bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);

				bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);

				if (!bcsp->rx_skb) {

				if (!bcsp->rx_skb) {

drivers/bluetooth/hci_ldisc.c

+7 −4
Original line number Original line Diff line number Diff line
@@ -227,7 +227,7 @@ static int hci_uart_flush(struct hci_dev *hdev) 
	tty_ldisc_flush(tty);

	tty_ldisc_flush(tty);

	tty_driver_flush_buffer(tty);

	tty_driver_flush_buffer(tty);





	if (test_bit(HCI_UART_PROTO_SET, &hu->flags))

	if (test_bit(HCI_UART_PROTO_READY, &hu->flags))

		hu->proto->flush(hu);

		hu->proto->flush(hu);





	return 0;

	return 0;
@@ -492,7 +492,7 @@ static void hci_uart_tty_close(struct tty_struct *tty) 




	cancel_work_sync(&hu->write_work);

	cancel_work_sync(&hu->write_work);





	if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {

	if (test_and_clear_bit(HCI_UART_PROTO_READY, &hu->flags)) {

		if (hdev) {

		if (hdev) {

			if (test_bit(HCI_UART_REGISTERED, &hu->flags))

			if (test_bit(HCI_UART_REGISTERED, &hu->flags))

				hci_unregister_dev(hdev);

				hci_unregister_dev(hdev);
@@ -500,6 +500,7 @@ static void hci_uart_tty_close(struct tty_struct *tty) 
		}

		}

		hu->proto->close(hu);

		hu->proto->close(hu);

	}

	}

	clear_bit(HCI_UART_PROTO_SET, &hu->flags);





	kfree(hu);

	kfree(hu);

}

}
@@ -526,7 +527,7 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty) 
	if (tty != hu->tty)

	if (tty != hu->tty)

		return;

		return;





	if (test_bit(HCI_UART_PROTO_SET, &hu->flags))

	if (test_bit(HCI_UART_PROTO_READY, &hu->flags))

		hci_uart_tx_wakeup(hu);

		hci_uart_tx_wakeup(hu);

}

}
@@ -550,7 +551,7 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, 
	if (!hu || tty != hu->tty)

	if (!hu || tty != hu->tty)

		return;

		return;





	if (!test_bit(HCI_UART_PROTO_SET, &hu->flags))

	if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))

		return;

		return;





	/* It does not need a lock here as it is already protected by a mutex in

	/* It does not need a lock here as it is already protected by a mutex in
@@ -638,9 +639,11 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) 
		return err;

		return err;





	hu->proto = p;

	hu->proto = p;

	set_bit(HCI_UART_PROTO_READY, &hu->flags);





	err = hci_uart_register_dev(hu);

	err = hci_uart_register_dev(hu);

	if (err) {

	if (err) {

		clear_bit(HCI_UART_PROTO_READY, &hu->flags);

		p->close(hu);

		p->close(hu);

		return err;

		return err;

	}

	}

drivers/bluetooth/hci_uart.h

+1 −0
Original line number Original line Diff line number Diff line
@@ -95,6 +95,7 @@ struct hci_uart { 
/* HCI_UART proto flag bits */

/* HCI_UART proto flag bits */

#define HCI_UART_PROTO_SET	0

#define HCI_UART_PROTO_SET	0

#define HCI_UART_REGISTERED	1

#define HCI_UART_REGISTERED	1

#define HCI_UART_PROTO_READY	2





/* TX states  */

/* TX states  */

#define HCI_UART_SENDING	1

#define HCI_UART_SENDING	1

drivers/bluetooth/hci_vhci.c

+6 −3
Original line number Original line Diff line number Diff line
@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(struct vhci_data *data, 
		break;

		break;





	case HCI_VENDOR_PKT:

	case HCI_VENDOR_PKT:

		cancel_delayed_work_sync(&data->open_timeout);



		if (data->hdev) {

		if (data->hdev) {

			kfree_skb(skb);

			kfree_skb(skb);

			return -EBADFD;

			return -EBADFD;

		}

		}





		cancel_delayed_work_sync(&data->open_timeout);



		opcode = *((__u8 *) skb->data);

		opcode = *((__u8 *) skb->data);

		skb_pull(skb, 1);

		skb_pull(skb, 1);
@@ -333,15 +333,18 @@ static int vhci_open(struct inode *inode, struct file *file) 
static int vhci_release(struct inode *inode, struct file *file)

static int vhci_release(struct inode *inode, struct file *file)

{

{

	struct vhci_data *data = file->private_data;

	struct vhci_data *data = file->private_data;

	struct hci_dev *hdev = data->hdev;

	struct hci_dev *hdev;





	cancel_delayed_work_sync(&data->open_timeout);

	cancel_delayed_work_sync(&data->open_timeout);





	hdev = data->hdev;



	if (hdev) {

	if (hdev) {

		hci_unregister_dev(hdev);

		hci_unregister_dev(hdev);

		hci_free_dev(hdev);

		hci_free_dev(hdev);

	}

	}





	skb_queue_purge(&data->readq);

	file->private_data = NULL;

	file->private_data = NULL;

	kfree(data);

	kfree(data);