Commit graph

26 commits

Author SHA1 Message Date
Vladis Dronov
b36a1552d7 Bluetooth: hci_uart: check for missing tty operations
Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
functions which are called by the certain HCI UART protocols (hci_ath,
hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
or directly. This leads to an execution at NULL and can be triggered by
an unprivileged user. Fix this by adding a helper function and a check
for the missing tty operations in the protocols code.

This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
protocols.

Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org # v2.6.36+
Fixes: b3190df628 ("Bluetooth: Support for Atheros AR300x serial chip")
Fixes: 118612fb91 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
Fixes: ff2895592f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
Fixes: 162f812f23 ("Bluetooth: hci_uart: Add Marvell support")
Fixes: fa9ad876b8 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Yu-Chen, Cho <acho@suse.com>
Tested-by: Yu-Chen, Cho <acho@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-31 13:17:33 -07:00
Thomas Gleixner
1a59d1b8e0 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version this program is distributed in the
  hope that it will be useful but without any warranty without even
  the implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details you
  should have received a copy of the gnu general public license along
  with this program if not write to the free software foundation inc
  59 temple place suite 330 boston ma 02111 1307 usa

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 1334 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:35 -07:00
Jia-Ju Bai
688d6240e0 Bluetooth: hci_ath: Replace mdelay with msleep in ath_wakeup_ar3k
ath_wakeup_ar3k() is never called from atomic context.

It is only called by ath_hci_uart_work() that is only called in
ath_open() via INIT_WORK().
All of the above functions do not enter atomic context along the way.

Despite never getting called from atomic context, ath_wakeup_ar3k() calls
mdelay() for busy wait.
That is not necessary and can be replaced with msleep to avoid busy wait.

This is found by a static analysis tool named DCNS written by myself.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2018-02-07 09:47:04 +01:00
Marcel Holtmann
2064ee332e Bluetooth: Use bt_dev_err and bt_dev_info when possible
In case of using BT_ERR and BT_INFO, convert to bt_dev_err and
bt_dev_info when possible. This allows for controller specific
reporting.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2017-10-30 12:25:45 +02:00
Loic Poulain
13df5000d3 Bluetooth: hci_ath: Add ath_vendor_cmd helper
Introduce ath_vendor_cmd function which can be used to
configure 'tags' and patch the firmware.

ATH vendor command has the following format:
| OPCODE (u8) | INDEX (LE16) | DLEN (U8) | DATA (U8 * DLEN) |

BD address configuration tag is at index 0x0001.

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2017-10-29 14:08:56 +01:00
Marcel Holtmann
618e8bc228 Bluetooth: Use new hci_skb_pkt_* wrappers for drivers
The new hci_skb_pkt_* wrappers are mainly intented for drivers to
require less knowledge about bt_cb(sbk) handling. So after converting
the core packet handling, convert all drivers.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-11-19 17:50:27 +01:00
Marcel Holtmann
aee61f7aa8 Bluetooth: hci_uart: Provide initial manufacturer information
Provide an early indication about the manufacturer information so that
it can be forwarded into monitor channel.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-10-21 07:20:44 +03:00
Chan-yeol Park
3713416763 Bluetooth: hci_uart: Fix dereferencing of ERR_PTR
If h4_recv_buf() return ERR_PTR instead sk_buff pointer, it should be
cleared once PTR_ERR is completed for the further dereference such as
h4_recv(), or h4_close().

Signed-off-by: Chan-yeol Park <chanyeol.park@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2015-06-17 14:21:08 +02:00
Marcel Holtmann
4c876c0edb Bluetooth: hci_uart: Add Atheros support for address configuration
The Atheros support for missing the support for configuration of the
Bluetooth public address. Add support for the vendor specific command.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-30 01:05:29 +02:00
Marcel Holtmann
c0ba7acd48 Bluetooth: hci_uart: Reorder Atheros specific driver callbacks
The driver callbacks in the Atheros support were all in a random order
and did not help readability of this driver. So reorder them to make
them aligned with what other Bluetooth UART drivers do. This patch is
not changing any actual code.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-30 01:05:29 +02:00
Marcel Holtmann
79b8df9362 Bluetooth: hci_uart: Provide generic H:4 receive framework
Future H:4 based UART drivers require custom packet types and custom
receive functions. To support this, extended the h4_recv_buf function
with a packet definition table.

For the default H:4 packets types of ACL data, SCO data and events,
provide helpers to reduce the amount of code duplication.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-07 18:48:21 +02:00
Marcel Holtmann
01009eec70 Bluetooth: hci_uart: Remove the manual protocol init message
The init function for each HCI UART protocol prints the same on success
and failure. This information is so generic, remove it and let the main
HCI UART handling print it instead.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-07 18:47:10 +02:00
Marcel Holtmann
7c40fb8db1 Bluetooth: hci_uart: Add name information to hci_uart_proto struct
This adds an extra name field to the hci_uart_proto struct that provides
a simple way of adding a string identifier to the protocol.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-07 18:47:10 +02:00
Marcel Holtmann
4ee7ef1989 Bluetooth: hci_uart: Make struct hci_uart_proto always const
The usage of struct hci_uart_proto should always be const. Change the
function headers and individual protocol drivers.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-07 18:47:10 +02:00
Marcel Holtmann
d90aa68236 Bluetooth: hci_uart: Use h4_recv_buf helper for Atheros AR300x
Instead of using hci_recv_stream_fragment, use the local available
h4_recv_buf helper function.

To ensure that the function is available select BT_HCIUART_H4.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-07 18:47:10 +02:00
Marcel Holtmann
9d1c40ebb6 Bluetooth: hci_uart: Use const data pointer for received data
The TTY layer provides its data pointers as const, but the HCI UART
callbacks expect them as general data pointers. This is of course
wrong and instead of casting them, just fix the individual drivers
to actually take a const data pointer.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2015-04-07 18:47:09 +02:00
Peter Hurley
632f32e210 tty: Remove external interface for tty_set_termios()
tty_set_termios() is an internal helper intended for file scope use.

UART drivers which are capable of driving the RTS pin must
properly handle the tiocmset() method, regardless of termios settings.
A failure to do so is a UART driver bug and should be fixed there.
Do not use this interface to workaround UART driver bugs.

Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: <linux-bluetooth@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-02-02 10:11:28 -08:00
Fugang Duan
f662614086 Bluetooth: hci-uart-ath: Correct the comments in this driver
Correct the comments in this driver. Set the CRTSCTS flag means
automatic flow control is enabled.

Signed-off-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2014-11-11 00:21:18 +01:00
Alan Cox
adc8d746ca tty: move the termios object into the tty
This will let us sort out a whole pile of tty related races. The
alternative would be to keep points and refcount the termios objects.
However
1. They are tiny anyway
2. Many devices don't use the stored copies
3. We can remove a pty special case

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-07-16 13:00:41 -07:00
David Herrmann
f5fd5baee3 Bluetooth: hci-uart-ath: Use GFP_ATOMIC in open()
The uart_proto open() callback is not called in atomic context so we can safely
sleep here. The caller hci_uart_set_proto() in hci_ldisc.c is an ioctl-handler
and therefore can sleep.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2012-02-13 17:01:22 +02:00
Jiejing Zhang
78b4a56c28 Bluetooth: hci_uart: check the return value of recv()
Check the return value of hu->proto->recv() in hci_uart_tty_receive()
the recv() may return error, check it, not add this to statistics.

Signed-off-by: Jiejing Zhang <jiejing.zhang@freescale.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
2011-04-13 12:20:03 -03:00
Alan Cox
afaae08442 hci_ath: Fix the mess in this driver
Was this exploitable - who knows, but it was certainly totally broken

Signed-of-by: Alan Cox <alan@linux.intel.com>

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-02-17 12:03:53 -08:00
Dan Carpenter
4ebaa4edf8 Bluetooth: Fix kfree() => kfree_skb() in hci_ath.c
sk_buffs have to be freed with kfree_skb() instead of kfree().

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2010-07-27 15:27:45 -07:00
Gustavo F. Padovan
f2b94bb9e0 Bluetooth: Add __init and __exit marks to UART drivers
Those marks are useful to save space in the binary and in the memory.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2010-07-27 12:35:58 -07:00
Gustavo F. Padovan
0bbdf6cba0 Bluetooth: Fix permission of hci_ath.c
.c file shall not have the 'x' permission.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2010-07-27 12:30:45 -07:00
Suraj Sumangala
b3190df628 Bluetooth: Support for Atheros AR300x serial chip
Implements Atheros AR300x serial HCI protocol.

This protocol extends H4 serial protocol to implement enhanced power
management features supported by Atheros AR300x serial Bluetooth chipsets.

Signed-off-by: Suraj Sumangala <suraj@atheros.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2010-07-21 10:39:14 -07:00