Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.18.3 2022-06-09T08:30:13Z 2022-06-09T08:30:13Z Sean Wang sean.wang@mediatek.com 2022-05-12T21:38:11Z urn:sha1:5704e6a063bc0aeedf3e67c03130bff43e1924d0 [ Upstream commit baabb7f530e8a3f0085d12f4ea0bada4115515d3 ] Sending WMT command during the reset in progress is invalid and would get no response from firmware until the reset is complete, so we ignore the WMT command here to resolve the issue which causes the whole reset process taking too long. Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism") Co-developed-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-09T08:30:13Z Sean Wang sean.wang@mediatek.com 2022-05-12T21:38:12Z urn:sha1:456f1dfb6a3df2206978eb3d033ee915a6c43f37 [ Upstream commit 7469720563e01f479ec5afe06bd6f440f965d523 ] According to FW advised sequence, mt7921s need to re-acquire privilege immediately after the firmware download is complete before normal running. Otherwise, it is still possible the bus may be stuck in an abnormal status that causes FW initialization failure in the current driver. Fixes: 752aea58489f ("Bluetooth: mt7921s: fix bus hang with wrong privilege") Co-developed-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-09T08:30:13Z Sean Wang sean.wang@mediatek.com 2022-05-11T22:22:15Z urn:sha1:01c6a899fa6be4f4cbf60c4f44f0f6691155415f [ Upstream commit 0fab6361c4ba17d1b43a991bef4238a3c1754d35 ] We should not access skb buffer data anymore after hci_recv_frame was called. [ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0 [ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker [ 39.634962] Call trace: [ 39.634974] dump_backtrace+0x0/0x3b8 [ 39.634999] show_stack+0x20/0x2c [ 39.635016] dump_stack_lvl+0x60/0x78 [ 39.635040] print_address_description+0x70/0x2f0 [ 39.635062] kasan_report+0x154/0x194 [ 39.635079] __asan_report_load1_noabort+0x44/0x50 [ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4 [ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4 [ 39.635157] process_one_work+0x560/0xc5c [ 39.635177] worker_thread+0x7ec/0xcc0 [ 39.635195] kthread+0x2d0/0x3d0 [ 39.635215] ret_from_fork+0x10/0x20 [ 39.635247] Allocated by task 0: [ 39.635260] (stack is not available) [ 39.635281] Freed by task 2392: [ 39.635295] kasan_save_stack+0x38/0x68 [ 39.635319] kasan_set_track+0x28/0x3c [ 39.635338] kasan_set_free_info+0x28/0x4c [ 39.635357] ____kasan_slab_free+0x104/0x150 [ 39.635374] __kasan_slab_free+0x18/0x28 [ 39.635391] slab_free_freelist_hook+0x114/0x248 [ 39.635410] kfree+0xf8/0x2b4 [ 39.635427] skb_free_head+0x58/0x98 [ 39.635447] skb_release_data+0x2f4/0x410 [ 39.635464] skb_release_all+0x50/0x60 [ 39.635481] kfree_skb+0xc8/0x25c [ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth] [ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth] [ 39.635925] process_one_work+0x560/0xc5c [ 39.635951] worker_thread+0x7ec/0xcc0 [ 39.635970] kthread+0x2d0/0x3d0 [ 39.635990] ret_from_fork+0x10/0x20 [ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512 [ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800) Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") Co-developed-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-09T08:30:13Z Sean Wang sean.wang@mediatek.com 2022-03-22T23:30:40Z urn:sha1:fa6a0df876dceaf836d6b25886fe06d8e218a4a7 [ Upstream commit 789f6b8ac3b15bca09b69d5699cad0bf6e2103aa ] Fix the incorrect pointer check on ven_data. Fixes: f41b91fa1783 ("Bluetooth: mt7921s: Add .btmtk_get_codec_config_data") Co-developed-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Yake Yang <yake.yang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-09T08:29:44Z Zijun Hu quic_zijuhu@quicinc.com 2022-04-27T02:16:51Z urn:sha1:a68763e57d330391f2b52c2b9fd7ff5306de8ac3 [ Upstream commit 247f226adadfb7be09dd537f177429f4415aef8e ] Set HCI_QUIRK_BROKEN_ERR_DATA_REPORTING for QCA controllers since they answer HCI_OP_READ_DEF_ERR_DATA_REPORTING with error code "UNKNOWN HCI COMMAND" as shown below: [ 580.517552] Bluetooth: hci0: unexpected cc 0x0c5a length: 1 < 2 [ 580.517660] Bluetooth: hci0: Opcode 0x c5a failed: -38 hcitool -i hci0 cmd 0x03 0x5a < HCI Command: ogf 0x03, ocf 0x005a, plen 0 > HCI Event: 0x0e plen 4 01 5A 0C 01 btmon log: < HCI Command: Read Default Erroneous Data Reporting (0x03|0x005a) plen 0 > HCI Event: Command Complete (0x0e) plen 4 Read Default Erroneous Data Reporting (0x03|0x005a) ncmd 1 Status: Unknown HCI Command (0x01) Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-09T08:29:44Z Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-04-01T23:38:25Z urn:sha1:4a6b0ea39b331eeb451ee05ae4edb50db33f3dca [ Upstream commit d44e1dbda36fff5d7c2586683c4adc0963aef908 ] This sets HCI_QUIRK_BROKEN_ENHANCED_SETUP_SYNC_CONN for QCA controllers since SCO appear to not work when using HCI_OP_ENHANCED_SETUP_SYNC_CONN. Link: https://bugzilla.kernel.org/show_bug.cgi?id=215576 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-06T06:48:57Z Steven Rostedt rostedt@goodmis.org 2022-04-05T14:02:00Z urn:sha1:2717654ae022e6ea959a4b7b762702fe1a4690c2 commit 72ef98445aca568a81c2da050532500a8345ad3a upstream. While looking at a crash report on a timer list being corrupted, which usually happens when a timer is freed while still active. This is commonly triggered by code calling del_timer() instead of del_timer_sync() just before freeing. One possible culprit is the hci_qca driver, which does exactly that. Eric mentioned that wake_retrans_timer could be rearmed via the work queue, so also move the destruction of the work queue before del_timer_sync(). Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: stable@vger.kernel.org Fixes: 0ff252c1976da ("Bluetooth: hciuart: Add support QCA chipset for UART") Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-18T16:12:09Z Mianhan Liu liumh1@shanghaitech.edu.cn 2021-09-28T19:47:30Z urn:sha1:726c0eb7cb15be3e5fe9a9f1c8aad12c5cbe4675 ath3k.c hasn't use any macro or function declared in linux/device.h. Thus, these files can be removed from ath3k.c safely without affecting the compilation of the ./drivers/bluetooth module Signed-off-by: Mianhan Liu <liumh1@shanghaitech.edu.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2022-03-18T16:12:09Z Mianhan Liu liumh1@shanghaitech.edu.cn 2021-09-28T19:51:08Z urn:sha1:520e31a99100b786d82e518f89e4fd132570a349 bcm203x.c hasn't use any macro or function declared in linux/atomic.h. Thus, these files can be removed from bcm203x.c safely without affecting the compilation of the ./drivers/bluetooth module Signed-off-by: Mianhan Liu <liumh1@shanghaitech.edu.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2022-03-18T16:12:08Z Hans de Goede hdegoede@redhat.com 2022-02-28T11:38:41Z urn:sha1:27e8527e006f1f4281adc335cf7aa744f649f398 The DSDT for the Asus TF103C specifies a IOAPIC IRQ for the HCI -> host IRQ but this is not correct. Unlike the previous entries in the table, this time the correct GPIO to use instead is known; and the TF103C is battery powered making runtime-pm support more important. Extend the bcm_broken_irq_dmi_table mechanism to allow specifying the right GPIO instead of just always disabling runtime-pm and add an entry to it for the Asus TF103C. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>