mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-21 08:53:41 +00:00
c257820291
This patch adds a check HCI_UART_REGISTERED before reading UART data in the HCI UART H4 driver. UART data could arrive when inside the hci_uart_tty_ioctl function after calling test_and_set_bit for HCI_UART_PROTO_SET but before the hci_uart_set_proto function has returned. Backtrace: [<c05f27ec>] (hci_recv_stream_fragment+0x0/0x74) from [<c04126f4>] (h4_recv+0x18/0x40) r7:eb1d4d1c r6:eb7683b0 r5:eae8e800 r4:0000000c [<c04126dc>] (h4_recv+0x0/0x40) from [<c0411870>] (hci_uart_tty_receive+0x6c/0x94) r5:eae8e800 r4:eb768380 [<c0411804>] (hci_uart_tty_receive+0x0/0x94) from [<c027be88>] (flush_to_ldisc+0x16c/0x17c) r6:eae8e8d8 r5:eae8e800 r4:eae8e8c8 [<c027bd1c>] (flush_to_ldisc+0x0/0x17c) from [<c0050ae8>] (process_one_work+0x144/0x4d4) [<c00509a4>] (process_one_work+0x0/0x4d4) from [<c0051208>] (worker_thread+0x180/0x370) [<c0051088>] (worker_thread+0x0/0x370) from [<c005617c>] (kthread+0x90/0x9c) [<c00560ec>] (kthread+0x0/0x9c) from [<c003a3a0>] (do_exit+0x0/0x7ec) Signed-off-by: Chan-yeol Park <chanyeol.park@samsung.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
200 lines
4.0 KiB
C
200 lines
4.0 KiB
C
/*
|
|
*
|
|
* Bluetooth HCI UART driver
|
|
*
|
|
* Copyright (C) 2000-2001 Qualcomm Incorporated
|
|
* Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com>
|
|
* Copyright (C) 2004-2005 Marcel Holtmann <marcel@holtmann.org>
|
|
*
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/init.h>
|
|
#include <linux/types.h>
|
|
#include <linux/fcntl.h>
|
|
#include <linux/interrupt.h>
|
|
#include <linux/ptrace.h>
|
|
#include <linux/poll.h>
|
|
|
|
#include <linux/slab.h>
|
|
#include <linux/tty.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/string.h>
|
|
#include <linux/signal.h>
|
|
#include <linux/ioctl.h>
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <net/bluetooth/bluetooth.h>
|
|
#include <net/bluetooth/hci_core.h>
|
|
|
|
#include "hci_uart.h"
|
|
|
|
#define VERSION "1.2"
|
|
|
|
struct h4_struct {
|
|
unsigned long rx_state;
|
|
unsigned long rx_count;
|
|
struct sk_buff *rx_skb;
|
|
struct sk_buff_head txq;
|
|
};
|
|
|
|
/* H4 receiver States */
|
|
#define H4_W4_PACKET_TYPE 0
|
|
#define H4_W4_EVENT_HDR 1
|
|
#define H4_W4_ACL_HDR 2
|
|
#define H4_W4_SCO_HDR 3
|
|
#define H4_W4_DATA 4
|
|
|
|
/* Initialize protocol */
|
|
static int h4_open(struct hci_uart *hu)
|
|
{
|
|
struct h4_struct *h4;
|
|
|
|
BT_DBG("hu %p", hu);
|
|
|
|
h4 = kzalloc(sizeof(*h4), GFP_KERNEL);
|
|
if (!h4)
|
|
return -ENOMEM;
|
|
|
|
skb_queue_head_init(&h4->txq);
|
|
|
|
hu->priv = h4;
|
|
return 0;
|
|
}
|
|
|
|
/* Flush protocol data */
|
|
static int h4_flush(struct hci_uart *hu)
|
|
{
|
|
struct h4_struct *h4 = hu->priv;
|
|
|
|
BT_DBG("hu %p", hu);
|
|
|
|
skb_queue_purge(&h4->txq);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Close protocol */
|
|
static int h4_close(struct hci_uart *hu)
|
|
{
|
|
struct h4_struct *h4 = hu->priv;
|
|
|
|
hu->priv = NULL;
|
|
|
|
BT_DBG("hu %p", hu);
|
|
|
|
skb_queue_purge(&h4->txq);
|
|
|
|
kfree_skb(h4->rx_skb);
|
|
|
|
hu->priv = NULL;
|
|
kfree(h4);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Enqueue frame for transmittion (padding, crc, etc) */
|
|
static int h4_enqueue(struct hci_uart *hu, struct sk_buff *skb)
|
|
{
|
|
struct h4_struct *h4 = hu->priv;
|
|
|
|
BT_DBG("hu %p skb %p", hu, skb);
|
|
|
|
/* Prepend skb with frame type */
|
|
memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
|
|
skb_queue_tail(&h4->txq, skb);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int h4_check_data_len(struct h4_struct *h4, int len)
|
|
{
|
|
int room = skb_tailroom(h4->rx_skb);
|
|
|
|
BT_DBG("len %d room %d", len, room);
|
|
|
|
if (!len) {
|
|
hci_recv_frame(h4->rx_skb);
|
|
} else if (len > room) {
|
|
BT_ERR("Data length is too large");
|
|
kfree_skb(h4->rx_skb);
|
|
} else {
|
|
h4->rx_state = H4_W4_DATA;
|
|
h4->rx_count = len;
|
|
return len;
|
|
}
|
|
|
|
h4->rx_state = H4_W4_PACKET_TYPE;
|
|
h4->rx_skb = NULL;
|
|
h4->rx_count = 0;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Recv data */
|
|
static int h4_recv(struct hci_uart *hu, void *data, int count)
|
|
{
|
|
int ret;
|
|
|
|
if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
|
|
return -EUNATCH;
|
|
|
|
ret = hci_recv_stream_fragment(hu->hdev, data, count);
|
|
if (ret < 0) {
|
|
BT_ERR("Frame Reassembly Failed");
|
|
return ret;
|
|
}
|
|
|
|
return count;
|
|
}
|
|
|
|
static struct sk_buff *h4_dequeue(struct hci_uart *hu)
|
|
{
|
|
struct h4_struct *h4 = hu->priv;
|
|
return skb_dequeue(&h4->txq);
|
|
}
|
|
|
|
static struct hci_uart_proto h4p = {
|
|
.id = HCI_UART_H4,
|
|
.open = h4_open,
|
|
.close = h4_close,
|
|
.recv = h4_recv,
|
|
.enqueue = h4_enqueue,
|
|
.dequeue = h4_dequeue,
|
|
.flush = h4_flush,
|
|
};
|
|
|
|
int __init h4_init(void)
|
|
{
|
|
int err = hci_uart_register_proto(&h4p);
|
|
|
|
if (!err)
|
|
BT_INFO("HCI H4 protocol initialized");
|
|
else
|
|
BT_ERR("HCI H4 protocol registration failed");
|
|
|
|
return err;
|
|
}
|
|
|
|
int __exit h4_deinit(void)
|
|
{
|
|
return hci_uart_unregister_proto(&h4p);
|
|
}
|