path: root/drivers/bluetooth/hci_ath.c
Age | Commit message | Author

2019-07-31 | Bluetooth: hci_uart: check for missing tty operations | Vladis Dronov

Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset() functions which are called by the certain HCI UART protocols (hci_ath, hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control() or directly. This leads to an execution at NULL and can be triggered by an unprivileged user. Fix this by adding a helper function and a check for the missing tty operations in the protocols code.

This fixes CVE-2019-10207. The Fixes: lines list commits where calls to tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART protocols.

Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org # v2.6.36+
Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Yu-Chen, Cho <acho@suse.com>
Tested-by: Yu-Chen, Cho <acho@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

2019-05-30 | treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 | Thomas Gleixner

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 59 temple place suite 330 boston ma 02111 1307 usa

extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 1334 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2018-02-07 | Bluetooth: hci_ath: Replace mdelay with msleep in ath_wakeup_ar3k | Jia-Ju Bai

ath_wakeup_ar3k() is never called from atomic context. It is only called by ath_hci_uart_work() that is only called in ath_open() via INIT_WORK(). All of the above functions do not enter atomic context along the way.

Despite never getting called from atomic context, ath_wakeup_ar3k() calls mdelay() for busy wait. That is not necessary and can be replaced with msleep to avoid busy wait.

This is found by a static analysis tool named DCNS written by myself.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2017-10-30 | Bluetooth: Use bt_dev_err and bt_dev_info when possible | Marcel Holtmann

In case of using BT_ERR and BT_INFO, convert to bt_dev_err and bt_dev_info when possible. This allows for controller specific reporting.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2017-10-29 | Bluetooth: hci_ath: Add ath_vendor_cmd helper | Loic Poulain

Introduce ath_vendor_cmd function which can be used to configure 'tags' and patch the firmware.

ATH vendor command has the following format:
| OPCODE (u8) | INDEX (LE16) | DLEN (U8) | DATA (U8 * DLEN) |

BD address configuration tag is at index 0x0001.

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2015-11-19 | Bluetooth: Use new hci_skb_pkt_* wrappers for drivers | Marcel Holtmann

The new hci_skb_pkt_* wrappers are mainly intended for drivers to require less knowledge about bt_cb(sbk) handling. So after converting the core packet handling, convert all drivers.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-10-21 | Bluetooth: hci_uart: Provide initial manufacturer information | Marcel Holtmann

Provide an early indication about the manufacturer information so that it can be forwarded into monitor channel.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-06-17 | Bluetooth: hci_uart: Fix dereferencing of ERR_PTR | Chan-yeol Park

If h4_recv_buf() returns ERR_PTR instead of an sk_buff pointer, it should be cleared once PTR_ERR is completed for the further dereference such as h4_recv(), or h4_close().

Signed-off-by: Chan-yeol Park <chanyeol.park@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2015-04-30 | Bluetooth: hci_uart: Add Atheros support for address configuration | Marcel Holtmann

The Atheros support is missing the support for configuration of the Bluetooth public address. Add support for the vendor specific command.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-30 | Bluetooth: hci_uart: Reorder Atheros specific driver callbacks | Marcel Holtmann

The driver callbacks in the Atheros support were all in a random order and did not help readability of this driver. So reorder them to make them aligned with what other Bluetooth UART drivers do.

This patch is not changing any actual code.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-07 | Bluetooth: hci_uart: Provide generic H:4 receive framework | Marcel Holtmann

Future H:4 based UART drivers require custom packet types and custom receive functions. To support this, extend the h4_recv_buf function with a packet definition table.

For the default H:4 packet types of ACL data, SCO data and events, provide helpers to reduce the amount of code duplication.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-07 | Bluetooth: hci_uart: Remove the manual protocol init message | Marcel Holtmann

The init function for each HCI UART protocol prints the same on success and failure. This information is so generic, remove it and let the main HCI UART handling print it instead.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-07 | Bluetooth: hci_uart: Add name information to hci_uart_proto struct | Marcel Holtmann

This adds an extra name field to the hci_uart_proto struct that provides a simple way of adding a string identifier to the protocol.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-07 | Bluetooth: hci_uart: Make struct hci_uart_proto always const | Marcel Holtmann

The usage of struct hci_uart_proto should always be const. Change the function headers and individual protocol drivers.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-07 | Bluetooth: hci_uart: Use h4_recv_buf helper for Atheros AR300x | Marcel Holtmann

Instead of using hci_recv_stream_fragment, use the local available h4_recv_buf helper function. To ensure that the function is available select BT_HCIUART_H4.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-04-07 | Bluetooth: hci_uart: Use const data pointer for received data | Marcel Holtmann

The TTY layer provides its data pointers as const, but the HCI UART callbacks expect them as general data pointers. This is of course wrong and instead of casting them, just fix the individual drivers to actually take a const data pointer.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2015-02-02 | tty: Remove external interface for tty_set_termios() | Peter Hurley

tty_set_termios() is an internal helper intended for file scope use.

UART drivers which are capable of driving the RTS pin must properly handle the tiocmset() method, regardless of termios settings. A failure to do so is a UART driver bug and should be fixed there. Do not use this interface to workaround UART driver bugs.

Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: <linux-bluetooth@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2014-11-11 | Bluetooth: hci-uart-ath: Correct the comments in this driver | Fugang Duan

Correct the comments in this driver. Setting the CRTSCTS flag means automatic flow control is enabled.

Signed-off-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2012-07-16 | tty: move the termios object into the tty | Alan Cox

This will let us sort out a whole pile of tty related races. The alternative would be to keep points and refcount the termios objects. However
1. They are tiny anyway
2. Many devices don't use the stored copies
3. We can remove a pty special case

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2012-02-13 | Bluetooth: hci-uart-ath: Use GFP_ATOMIC in open() | David Herrmann

The uart_proto open() callback is not called in atomic context so we can safely sleep here. The caller hci_uart_set_proto() in hci_ldisc.c is an ioctl-handler and therefore can sleep.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

2011-04-13 | Bluetooth: hci_uart: check the return value of recv() | Jiejing Zhang

Check the return value of hu->proto->recv() in hci_uart_tty_receive(). The recv() may return an error; check it and do not add this to statistics.

Signed-off-by: Jiejing Zhang <jiejing.zhang@freescale.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

2011-02-17 | hci_ath: Fix the mess in this driver | Alan Cox

Was this exploitable - who knows, but it was certainly totally broken

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

2010-07-27 | Bluetooth: Fix kfree() => kfree_skb() in hci_ath.c | Dan Carpenter

sk_buffs have to be freed with kfree_skb() instead of kfree().

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2010-07-27 | Bluetooth: Add __init and __exit marks to UART drivers | Gustavo F. Padovan

Those marks are useful to save space in the binary and in the memory.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2010-07-27 | Bluetooth: Fix permission of hci_ath.c | Gustavo F. Padovan

.c file shall not have the 'x' permission.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

2010-07-21 | Bluetooth: Support for Atheros AR300x serial chip | Suraj Sumangala

Implements Atheros AR300x serial HCI protocol. This protocol extends H4 serial protocol to implement enhanced power management features supported by Atheros AR300x serial Bluetooth chipsets.

Signed-off-by: Suraj Sumangala <suraj@atheros.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>