From ff4c03858e1e4e258fedf53bc4bec86b8fe2dd22 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 7 Jan 2021 07:45:39 -0600 Subject: Fix bluetooth controller initialization (rhbz 1898495) Signed-off-by: Justin M. Forbes --- ...pting-to-set-RPA-timeout-when-unsupported.patch | 56 ++++++++++++++++++++++ kernel.spec | 6 +++ 2 files changed, 62 insertions(+) create mode 100644 Bluetooth-hci_core-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch diff --git a/Bluetooth-hci_core-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch b/Bluetooth-hci_core-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch new file mode 100644 index 000000000..f298a652e --- /dev/null +++ b/Bluetooth-hci_core-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch 
@@ -0,0 +1,56 @@ +From MAILER-DAEMON Thu Jan 7 13:40:23 2021 +From: Edward Vear +To: linux-bluetooth@vger.kernel.org +Cc: edwardvear@gmail.com, marcel@holtmann.org, johan.hedberg@gmail.com, davem@davemloft.net, kuba@kernel.org +Subject: [PATCH] Bluetooth: hci_core: Fix attempting to set RPA timeout when unsupported +Date: Tue, 27 Oct 2020 00:02:03 -0700 +Message-Id: <20201027070203.13561-1-edwardvear@gmail.com> +List-ID: +X-Mailing-List: linux-bluetooth@vger.kernel.org +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +During controller initialization, an LE Set RPA Timeout command is sent +to the controller if supported. However, the value checked to determine +if the command is supported is incorrect. Page 1921 of the Bluetooth +Core Spec v5.2 shows that bit 2 of octet 35 of the Supported_Commands +field corresponds to the LE Set RPA Timeout command, but currently +bit 6 of octet 35 is checked. This patch checks the correct value +instead. + +This issue led to the error seen in the following btmon output during +initialization of an adapter (rtl8761b) and prevented initialization +from completing. + +< HCI Command: LE Set Resolvable Private Address Timeout (0x08|0x002e) plen 2 + Timeout: 900 seconds +> HCI Event: Command Complete (0x0e) plen 4 + LE Set Resolvable Private Address Timeout (0x08|0x002e) ncmd 2 + Status: Unsupported Remote Feature / Unsupported LMP Feature (0x1a) += Close Index: 00:E0:4C:6B:E5:03 + +The error did not appear when running with this patch. 
+ +Signed-off-by: Edward Vear +--- + net/bluetooth/hci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 502552d6e9af..c4aa2cbb9269 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -763,7 +763,7 @@ static int hci_init3_req(struct hci_request *req, unsigned long opt) + hci_req_add(req, HCI_OP_LE_CLEAR_RESOLV_LIST, 0, NULL); + } + +- if (hdev->commands[35] & 0x40) { ++ if (hdev->commands[35] & 0x04) { + __le16 rpa_timeout = cpu_to_le16(hdev->rpa_timeout); + + /* Set RPA timeout */ +-- +2.29.1 + + diff --git a/kernel.spec b/kernel.spec index 7c7ca988e..3ab65d91c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -852,6 +852,9 @@ Patch104: 0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch Patch105: 0001-ALSA-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch +# rhbz 1898495 +Patch106: Bluetooth-hci_core-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch + # END OF PATCH DEFINITIONS %endif @@ -2965,6 +2968,9 @@ fi # # %changelog +* Thu Jan 7 2021 Justin M. Forbes +- Fix bluetooth controller initialization (rhbz 1898495) + * Wed Jan 6 12:53:15 CST 2021 Justin M. Forbes - 5.10.5-200 - Linux v5.10.5 - Fix CVE-2020-36158 (rhbz 1913348 1913349) -- cgit
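Review bot: In the hci_core.c hunk of the added patch file (hci_init3_req(), around line 763), the corrected test `hdev->commands[35] & 0x04` is still a bare mask with nothing in the code saying which command it gates. Add a comment on that line stating that bit 2 of octet 35 of Supported_Commands is LE Set RPA Timeout, as the commit message already does with its Core Spec v5.2 reference, or use a named constant, so the next reader can check the bit against the spec without going back to the mail. Separately, the file is carried as a raw mailing-list copy (it starts with `From MAILER-DAEMON` and list headers) and neither it nor the `# rhbz 1898495` comment in kernel.spec records where the change stands upstream; a line noting that would make it clear when Patch106 can be dropped.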
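Review bot: In the kernel.spec %changelog hunk (@@ -2965,6 +2968,9), the new entry `* Thu Jan 7 2021 Justin M. Forbes` carries no version-release, while the entry directly below it ends in `- 5.10.5-200`. Add the version-release of the build that first ships this fix to the header line so rhbz 1898495 can be matched to a specific package. The date also drops the time and zone that the previous entry uses (`Wed Jan 6 12:53:15 CST 2021`), so pick one form and keep it consistent.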