From: Greg Kroah-Hartman Date: Mon, 13 May 2024 15:36:45 +0000 (+0200) Subject: 6.8-stable patches X-Git-Tag: v4.19.314~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0013c6924827cd00760b31027e124013ce926883;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: bluetooth-qca-add-missing-firmware-sanity-checks.patch bluetooth-qca-fix-firmware-check-error-path.patch bluetooth-qca-fix-info-leak-when-fetching-board-id.patch bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch bluetooth-qca-fix-invalid-device-address-check.patch bluetooth-qca-fix-nvm-configuration-parsing.patch bluetooth-qca-fix-wcn3991-device-address-check.patch bluetooth-qca-generalise-device-address-check.patch --- diff --git a/queue-6.8/bluetooth-qca-add-missing-firmware-sanity-checks.patch b/queue-6.8/bluetooth-qca-add-missing-firmware-sanity-checks.patch new file mode 100644 index 00000000000..05e3e740780 --- /dev/null +++ b/queue-6.8/bluetooth-qca-add-missing-firmware-sanity-checks.patch @@ -0,0 +1,135 @@ +From 2e4edfa1e2bd821a317e7d006517dcf2f3fac68d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 30 Apr 2024 19:07:39 +0200 +Subject: Bluetooth: qca: add missing firmware sanity checks + +From: Johan Hovold + +commit 2e4edfa1e2bd821a317e7d006517dcf2f3fac68d upstream. + +Add the missing sanity checks when parsing the firmware files before +downloading them to avoid accessing and corrupting memory beyond the +vmalloced buffer. + +Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support") +Cc: stable@vger.kernel.org # 4.10 +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++------ + 1 file changed, 32 insertions(+), 6 deletions(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -268,9 +268,10 @@ int qca_send_pre_shutdown_cmd(struct hci + } + EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); + +-static void qca_tlv_check_data(struct hci_dev *hdev, ++static int qca_tlv_check_data(struct hci_dev *hdev, + struct qca_fw_config *config, +- u8 *fw_data, enum qca_btsoc_type soc_type) ++ u8 *fw_data, size_t fw_size, ++ enum qca_btsoc_type soc_type) + { + const u8 *data; + u32 type_len; +@@ -286,6 +287,9 @@ static void qca_tlv_check_data(struct hc + + switch (config->type) { + case ELF_TYPE_PATCH: ++ if (fw_size < 7) ++ return -EINVAL; ++ + config->dnld_mode = QCA_SKIP_EVT_VSE_CC; + config->dnld_type = QCA_SKIP_EVT_VSE_CC; + +@@ -294,6 +298,9 @@ static void qca_tlv_check_data(struct hc + bt_dev_dbg(hdev, "File version : 0x%x", fw_data[6]); + break; + case TLV_TYPE_PATCH: ++ if (fw_size < sizeof(struct tlv_type_hdr) + sizeof(struct tlv_type_patch)) ++ return -EINVAL; ++ + tlv = (struct tlv_type_hdr *)fw_data; + type_len = le32_to_cpu(tlv->type_len); + tlv_patch = (struct tlv_type_patch *)tlv->data; +@@ -333,6 +340,9 @@ static void qca_tlv_check_data(struct hc + break; + + case TLV_TYPE_NVM: ++ if (fw_size < sizeof(struct tlv_type_hdr)) ++ return -EINVAL; ++ + tlv = (struct tlv_type_hdr *)fw_data; + + type_len = le32_to_cpu(tlv->type_len); +@@ -341,17 +351,26 @@ static void qca_tlv_check_data(struct hc + BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff); + BT_DBG("Length\t\t : %d bytes", length); + ++ if (fw_size < length + (tlv->data - fw_data)) ++ return -EINVAL; ++ + idx = 0; + data = tlv->data; +- while (idx < length) { ++ while (idx < length - sizeof(struct tlv_type_nvm)) { + tlv_nvm = (struct tlv_type_nvm *)(data + idx); + + tag_id = le16_to_cpu(tlv_nvm->tag_id); + tag_len = le16_to_cpu(tlv_nvm->tag_len); + ++ if (length < idx + sizeof(struct tlv_type_nvm) + tag_len) ++ return -EINVAL; ++ + /* Update NVM tags as needed */ + switch (tag_id) { + case EDL_TAG_ID_HCI: ++ if (tag_len < 3) ++ return -EINVAL; ++ + /* HCI transport layer parameters + * enabling software inband sleep + * onto controller side. +@@ -367,6 +386,9 @@ static void qca_tlv_check_data(struct hc + break; + + case EDL_TAG_ID_DEEP_SLEEP: ++ if (tag_len < 1) ++ return -EINVAL; ++ + /* Sleep enable mask + * enabling deep sleep feature on controller. + */ +@@ -375,14 +397,16 @@ static void qca_tlv_check_data(struct hc + break; + } + +- idx += (sizeof(u16) + sizeof(u16) + 8 + tag_len); ++ idx += sizeof(struct tlv_type_nvm) + tag_len; + } + break; + + default: + BT_ERR("Unknown TLV type %d", config->type); +- break; ++ return -EINVAL; + } ++ ++ return 0; + } + + static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size, +@@ -532,7 +556,9 @@ static int qca_download_firmware(struct + memcpy(data, fw->data, size); + release_firmware(fw); + +- qca_tlv_check_data(hdev, config, data, soc_type); ++ ret = qca_tlv_check_data(hdev, config, data, size, soc_type); ++ if (ret) ++ return ret; + + segment = data; + remain = size; diff --git a/queue-6.8/bluetooth-qca-fix-firmware-check-error-path.patch b/queue-6.8/bluetooth-qca-fix-firmware-check-error-path.patch new file mode 100644 index 00000000000..53e75a3c1e3 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-firmware-check-error-path.patch @@ -0,0 +1,35 @@ +From 40d442f969fb1e871da6fca73d3f8aef1f888558 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 May 2024 08:37:40 +0200 +Subject: Bluetooth: qca: fix firmware check error path + +From: Johan Hovold + +commit 40d442f969fb1e871da6fca73d3f8aef1f888558 upstream. + +A recent commit fixed the code that parses the firmware files before +downloading them to the controller but introduced a memory leak in case +the sanity checks ever fail. + +Make sure to free the firmware buffer before returning on errors. + +Fixes: f905ae0be4b7 ("Bluetooth: qca: add missing firmware sanity checks") +Cc: stable@vger.kernel.org # 4.19 +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -605,7 +605,7 @@ static int qca_download_firmware(struct + + ret = qca_tlv_check_data(hdev, config, data, size, soc_type); + if (ret) +- return ret; ++ goto out; + + segment = data; + remain = size; diff --git a/queue-6.8/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch b/queue-6.8/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch new file mode 100644 index 00000000000..814f7c835c7 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch @@ -0,0 +1,36 @@ +From 0adcf6be1445ed50bfd4a451a7a782568f270197 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 May 2024 14:34:53 +0200 +Subject: Bluetooth: qca: fix info leak when fetching board id + +From: Johan Hovold + +commit 0adcf6be1445ed50bfd4a451a7a782568f270197 upstream. + +Add the missing sanity check when fetching the board id to avoid leaking +slab data when later requesting the firmware. + +Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066") +Cc: stable@vger.kernel.org # 6.7 +Cc: Tim Jiang +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -235,6 +235,11 @@ static int qca_read_fw_board_id(struct h + goto out; + } + ++ if (skb->len < 3) { ++ err = -EILSEQ; ++ goto out; ++ } ++ + *bid = (edl->data[1] << 8) + edl->data[2]; + bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid); + diff --git a/queue-6.8/bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch b/queue-6.8/bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch new file mode 100644 index 00000000000..98fd32cbebe --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch @@ -0,0 +1,86 @@ +From cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 May 2024 14:34:52 +0200 +Subject: Bluetooth: qca: fix info leak when fetching fw build id + +From: Johan Hovold + +commit cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 upstream. + +Add the missing sanity checks and move the 255-byte build-id buffer off +the stack to avoid leaking stack data through debugfs in case the +build-info reply is malformed. + +Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC") +Cc: stable@vger.kernel.org # 5.12 +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++---- + drivers/bluetooth/btqca.h | 1 - + 2 files changed, 21 insertions(+), 5 deletions(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -99,7 +99,8 @@ static int qca_read_fw_build_info(struct + { + struct sk_buff *skb; + struct edl_event_hdr *edl; +- char cmd, build_label[QCA_FW_BUILD_VER_LEN]; ++ char *build_label; ++ char cmd; + int build_lbl_len, err = 0; + + bt_dev_dbg(hdev, "QCA read fw build info"); +@@ -114,6 +115,11 @@ static int qca_read_fw_build_info(struct + return err; + } + ++ if (skb->len < sizeof(*edl)) { ++ err = -EILSEQ; ++ goto out; ++ } ++ + edl = (struct edl_event_hdr *)(skb->data); + if (!edl) { + bt_dev_err(hdev, "QCA read fw build info with no header"); +@@ -129,14 +135,25 @@ static int qca_read_fw_build_info(struct + goto out; + } + ++ if (skb->len < sizeof(*edl) + 1) { ++ err = -EILSEQ; ++ goto out; ++ } ++ + build_lbl_len = edl->data[0]; +- if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) { +- memcpy(build_label, edl->data + 1, build_lbl_len); +- *(build_label + build_lbl_len) = '\0'; ++ ++ if (skb->len < sizeof(*edl) + 1 + build_lbl_len) { ++ err = -EILSEQ; ++ goto out; + } + ++ build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL); ++ if (!build_label) ++ goto out; ++ + hci_set_fw_info(hdev, "%s", build_label); + ++ kfree(build_label); + out: + kfree_skb(skb); + return err; +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -48,7 +48,6 @@ + #define get_soc_ver(soc_id, rom_ver) \ + ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver))) + +-#define QCA_FW_BUILD_VER_LEN 255 + #define QCA_HSP_GF_SOC_ID 0x1200 + #define QCA_HSP_GF_SOC_MASK 0x0000ff00 + diff --git a/queue-6.8/bluetooth-qca-fix-invalid-device-address-check.patch b/queue-6.8/bluetooth-qca-fix-invalid-device-address-check.patch new file mode 100644 index 00000000000..34fd3fa4f94 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-invalid-device-address-check.patch @@ -0,0 +1,116 @@ +From 32868e126c78876a8a5ddfcb6ac8cb2fffcf4d27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 16 Apr 2024 11:15:09 +0200 +Subject: Bluetooth: qca: fix invalid device address check + +From: Johan Hovold + +commit 32868e126c78876a8a5ddfcb6ac8cb2fffcf4d27 upstream. + +Qualcomm Bluetooth controllers may not have been provisioned with a +valid device address and instead end up using the default address +00:00:00:00:5a:ad. + +This was previously believed to be due to lack of persistent storage for +the address but it may also be due to integrators opting to not use the +on-chip OTP memory and instead store the address elsewhere (e.g. in +storage managed by secure world firmware). + +According to Qualcomm, at least WCN6750, WCN6855 and WCN7850 have +on-chip OTP storage for the address. + +As the device type alone cannot be used to determine when the address is +valid, instead read back the address during setup() and only set the +HCI_QUIRK_USE_BDADDR_PROPERTY flag when needed. + +This specifically makes sure that controllers that have been provisioned +with an address do not start as unconfigured. + +Reported-by: Janaki Ramaiah Thota +Link: https://lore.kernel.org/r/124a7d54-5a18-4be7-9a76-a12017f6cce5@quicinc.com/ +Fixes: 5971752de44c ("Bluetooth: hci_qca: Set HCI_QUIRK_USE_BDADDR_PROPERTY for wcn3990") +Fixes: e668eb1e1578 ("Bluetooth: hci_core: Don't stop BT if the BD address missing in dts") +Fixes: 6945795bc81a ("Bluetooth: fix use-bdaddr-property quirk") +Cc: stable@vger.kernel.org # 6.5 +Cc: Matthias Kaehlcke +Signed-off-by: Johan Hovold +Reported-by: Janaki Ramaiah Thota +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++++++++ + drivers/bluetooth/hci_qca.c | 2 -- + 2 files changed, 38 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -15,6 +15,8 @@ + + #define VERSION "0.1" + ++#define QCA_BDADDR_DEFAULT (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x00, 0x00 }}) ++ + int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, + enum qca_btsoc_type soc_type) + { +@@ -612,6 +614,38 @@ int qca_set_bdaddr_rome(struct hci_dev * + } + EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); + ++static int qca_check_bdaddr(struct hci_dev *hdev) ++{ ++ struct hci_rp_read_bd_addr *bda; ++ struct sk_buff *skb; ++ int err; ++ ++ if (bacmp(&hdev->public_addr, BDADDR_ANY)) ++ return 0; ++ ++ skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, ++ HCI_INIT_TIMEOUT); ++ if (IS_ERR(skb)) { ++ err = PTR_ERR(skb); ++ bt_dev_err(hdev, "Failed to read device address (%d)", err); ++ return err; ++ } ++ ++ if (skb->len != sizeof(*bda)) { ++ bt_dev_err(hdev, "Device address length mismatch"); ++ kfree_skb(skb); ++ return -EIO; ++ } ++ ++ bda = (struct hci_rp_read_bd_addr *)skb->data; ++ if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT)) ++ set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); ++ ++ kfree_skb(skb); ++ ++ return 0; ++} ++ + static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size, + struct qca_btsoc_version ver, u8 rom_ver, u16 bid) + { +@@ -818,6 +852,10 @@ int qca_uart_setup(struct hci_dev *hdev, + break; + } + ++ err = qca_check_bdaddr(hdev); ++ if (err) ++ return err; ++ + bt_dev_info(hdev, "QCA setup on UART is completed"); + + return 0; +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1908,8 +1908,6 @@ retry: + case QCA_WCN6750: + case QCA_WCN6855: + case QCA_WCN7850: +- set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); +- + qcadev = serdev_device_get_drvdata(hu->serdev); + if (qcadev->bdaddr_property_broken) + set_bit(HCI_QUIRK_BDADDR_PROPERTY_BROKEN, &hdev->quirks); diff --git a/queue-6.8/bluetooth-qca-fix-nvm-configuration-parsing.patch b/queue-6.8/bluetooth-qca-fix-nvm-configuration-parsing.patch new file mode 100644 index 00000000000..2867d77c040 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-nvm-configuration-parsing.patch @@ -0,0 +1,91 @@ +From a112d3c72a227f2edbb6d8094472cc6e503e52af Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 30 Apr 2024 19:07:40 +0200 +Subject: Bluetooth: qca: fix NVM configuration parsing + +From: Johan Hovold + +commit a112d3c72a227f2edbb6d8094472cc6e503e52af upstream. + +The NVM configuration files used by WCN3988 and WCN3990/1/8 have two +sets of configuration tags that are enclosed by a type-length header of +type four which the current parser fails to account for. + +Instead the driver happily parses random data as if it were valid tags, +something which can lead to the configuration data being corrupted if it +ever encounters the words 0x0011 or 0x001b. + +As is clear from commit b63882549b2b ("Bluetooth: btqca: Fix the NVM +baudrate tag offcet for wcn3991") the intention has always been to +process the configuration data also for WCN3991 and WCN3998 which +encodes the baud rate at a different offset. + +Fix the parser so that it can handle the WCN3xxx configuration files, +which has an enclosing type-length header of type four and two sets of +TLV tags enclosed by a type-length header of type two and three, +respectively. + +Note that only the first set, which contains the tags the driver is +currently looking for, will be parsed for now. + +With the parser fixed, the software in-band sleep bit will now be set +for WCN3991 and WCN3998 (as it is for later controllers) and the default +baud rate 3200000 may be updated by the driver also for WCN3xxx +controllers. + +Notably the deep-sleep feature bit is already set by default in all +configuration files in linux-firmware. + +Fixes: 4219d4686875 ("Bluetooth: btqca: Add wcn3990 firmware download support.") +Cc: stable@vger.kernel.org # 4.19 +Cc: Matthias Kaehlcke +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -281,6 +281,7 @@ static int qca_tlv_check_data(struct hci + struct tlv_type_patch *tlv_patch; + struct tlv_type_nvm *tlv_nvm; + uint8_t nvm_baud_rate = config->user_baud_rate; ++ u8 type; + + config->dnld_mode = QCA_SKIP_EVT_NONE; + config->dnld_type = QCA_SKIP_EVT_NONE; +@@ -346,11 +347,30 @@ static int qca_tlv_check_data(struct hci + tlv = (struct tlv_type_hdr *)fw_data; + + type_len = le32_to_cpu(tlv->type_len); +- length = (type_len >> 8) & 0x00ffffff; ++ length = type_len >> 8; ++ type = type_len & 0xff; + +- BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff); ++ /* Some NVM files have more than one set of tags, only parse ++ * the first set when it has type 2 for now. When there is ++ * more than one set there is an enclosing header of type 4. ++ */ ++ if (type == 4) { ++ if (fw_size < 2 * sizeof(struct tlv_type_hdr)) ++ return -EINVAL; ++ ++ tlv++; ++ ++ type_len = le32_to_cpu(tlv->type_len); ++ length = type_len >> 8; ++ type = type_len & 0xff; ++ } ++ ++ BT_DBG("TLV Type\t\t : 0x%x", type); + BT_DBG("Length\t\t : %d bytes", length); + ++ if (type != 2) ++ break; ++ + if (fw_size < length + (tlv->data - fw_data)) + return -EINVAL; + diff --git a/queue-6.8/bluetooth-qca-fix-wcn3991-device-address-check.patch b/queue-6.8/bluetooth-qca-fix-wcn3991-device-address-check.patch new file mode 100644 index 00000000000..0a5dc336675 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-wcn3991-device-address-check.patch @@ -0,0 +1,64 @@ +From 66c39332d02d65e311ec89b0051130bfcd00c9ac Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 25 Apr 2024 09:55:03 +0200 +Subject: Bluetooth: qca: fix wcn3991 device address check + +From: Johan Hovold + +commit 66c39332d02d65e311ec89b0051130bfcd00c9ac upstream. + +Qualcomm Bluetooth controllers may not have been provisioned with a +valid device address and instead end up using the default address +00:00:00:00:5a:ad. + +This address is now used to determine if a controller has a valid +address or if one needs to be provided through devicetree or by user +space before the controller can be used. + +It turns out that the WCN3991 controllers used in Chromium Trogdor +machines use a different default address, 39:98:00:00:5a:ad, which also +needs to be marked as invalid so that the correct address is fetched +from the devicetree. + +Qualcomm has unfortunately not yet provided any answers as to whether +the 39:98 encodes a hardware id and if there are other variants of the +default address that needs to be handled by the driver. + +For now, add the Trogdor WCN3991 default address to the device address +check to avoid having these controllers start with the default address +instead of their assigned addresses. + +Fixes: 32868e126c78 ("Bluetooth: qca: fix invalid device address check") +Cc: stable@vger.kernel.org # 6.5 +Cc: Doug Anderson +Cc: Janaki Ramaiah Thota +Signed-off-by: Johan Hovold +Tested-by: Douglas Anderson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -16,6 +16,7 @@ + #define VERSION "0.1" + + #define QCA_BDADDR_DEFAULT (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x00, 0x00 }}) ++#define QCA_BDADDR_WCN3991 (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x98, 0x39 }}) + + int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, + enum qca_btsoc_type soc_type) +@@ -638,8 +639,10 @@ static int qca_check_bdaddr(struct hci_d + } + + bda = (struct hci_rp_read_bd_addr *)skb->data; +- if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT)) ++ if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT) || ++ !bacmp(&bda->bdaddr, QCA_BDADDR_WCN3991)) { + set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); ++ } + + kfree_skb(skb); + diff --git a/queue-6.8/bluetooth-qca-generalise-device-address-check.patch b/queue-6.8/bluetooth-qca-generalise-device-address-check.patch new file mode 100644 index 00000000000..d20bf046a79 --- /dev/null +++ b/queue-6.8/bluetooth-qca-generalise-device-address-check.patch @@ -0,0 +1,116 @@ +From dd336649ba89789c845618dcbc09867010aec673 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 30 Apr 2024 19:07:41 +0200 +Subject: Bluetooth: qca: generalise device address check + +From: Johan Hovold + +commit dd336649ba89789c845618dcbc09867010aec673 upstream. + +The default device address apparently comes from the NVM configuration +file and can differ quite a bit between controllers. + +Store the default address when parsing the configuration file and use it +to determine whether the controller has been provisioned with an +address. + +This makes sure that devices without a unique address start as +unconfigured unless a valid address has been provided in the devicetree. + +Fixes: 32868e126c78 ("Bluetooth: qca: fix invalid device address check") +Cc: stable@vger.kernel.org # 6.5 +Cc: Doug Anderson +Cc: Janaki Ramaiah Thota +Signed-off-by: Johan Hovold +Tested-by: Douglas Anderson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 21 ++++++++++++--------- + drivers/bluetooth/btqca.h | 2 ++ + 2 files changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -15,9 +15,6 @@ + + #define VERSION "0.1" + +-#define QCA_BDADDR_DEFAULT (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x00, 0x00 }}) +-#define QCA_BDADDR_WCN3991 (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x98, 0x39 }}) +- + int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, + enum qca_btsoc_type soc_type) + { +@@ -387,6 +384,14 @@ static int qca_tlv_check_data(struct hci + + /* Update NVM tags as needed */ + switch (tag_id) { ++ case EDL_TAG_ID_BD_ADDR: ++ if (tag_len != sizeof(bdaddr_t)) ++ return -EINVAL; ++ ++ memcpy(&config->bdaddr, tlv_nvm->data, sizeof(bdaddr_t)); ++ ++ break; ++ + case EDL_TAG_ID_HCI: + if (tag_len < 3) + return -EINVAL; +@@ -661,7 +666,7 @@ int qca_set_bdaddr_rome(struct hci_dev * + } + EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); + +-static int qca_check_bdaddr(struct hci_dev *hdev) ++static int qca_check_bdaddr(struct hci_dev *hdev, const struct qca_fw_config *config) + { + struct hci_rp_read_bd_addr *bda; + struct sk_buff *skb; +@@ -685,10 +690,8 @@ static int qca_check_bdaddr(struct hci_d + } + + bda = (struct hci_rp_read_bd_addr *)skb->data; +- if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT) || +- !bacmp(&bda->bdaddr, QCA_BDADDR_WCN3991)) { ++ if (!bacmp(&bda->bdaddr, &config->bdaddr)) + set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); +- } + + kfree_skb(skb); + +@@ -716,7 +719,7 @@ int qca_uart_setup(struct hci_dev *hdev, + enum qca_btsoc_type soc_type, struct qca_btsoc_version ver, + const char *firmware_name) + { +- struct qca_fw_config config; ++ struct qca_fw_config config = {}; + int err; + u8 rom_ver = 0; + u32 soc_ver; +@@ -901,7 +904,7 @@ int qca_uart_setup(struct hci_dev *hdev, + break; + } + +- err = qca_check_bdaddr(hdev); ++ err = qca_check_bdaddr(hdev, &config); + if (err) + return err; + +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -29,6 +29,7 @@ + #define EDL_PATCH_CONFIG_RES_EVT (0x00) + #define QCA_DISABLE_LOGGING_SUB_OP (0x14) + ++#define EDL_TAG_ID_BD_ADDR 2 + #define EDL_TAG_ID_HCI (17) + #define EDL_TAG_ID_DEEP_SLEEP (27) + +@@ -94,6 +95,7 @@ struct qca_fw_config { + uint8_t user_baud_rate; + enum qca_tlv_dnld_mode dnld_mode; + enum qca_tlv_dnld_mode dnld_type; ++ bdaddr_t bdaddr; + }; + + struct edl_event_hdr { diff --git a/queue-6.8/series b/queue-6.8/series index cade049eacd..8a7589653e7 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -326,3 +326,11 @@ tracefs-reset-permissions-on-remount-if-permissions-are-options.patch tracefs-still-use-mount-point-as-default-permissions-for-instances.patch eventfs-do-not-differentiate-the-toplevel-events-directory.patch eventfs-do-not-treat-events-directory-different-than-other-directories.patch +bluetooth-qca-fix-invalid-device-address-check.patch +bluetooth-qca-fix-wcn3991-device-address-check.patch +bluetooth-qca-add-missing-firmware-sanity-checks.patch +bluetooth-qca-fix-nvm-configuration-parsing.patch +bluetooth-qca-generalise-device-address-check.patch +bluetooth-qca-fix-info-leak-when-fetching-board-id.patch +bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch +bluetooth-qca-fix-firmware-check-error-path.patch