git: e908df969af2 - stable/14 - ng_ubt_intel: Ignore unexpected HCI events

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Vladimir Kondratyev <wulf_at_FreeBSD.org>
Date: Sun, 22 Dec 2024 03:37:57 UTC
The branch stable/14 has been updated by wulf:

URL: https://cgit.FreeBSD.org/src/commit/?id=e908df969af2384def482c0629ce1c83c018b415

commit e908df969af2384def482c0629ce1c83c018b415
Author:     Vladimir Kondratyev <wulf@FreeBSD.org>
AuthorDate: 2024-11-06 23:27:20 +0000
Commit:     Vladimir Kondratyev <wulf@FreeBSD.org>
CommitDate: 2024-12-22 03:35:08 +0000

    ng_ubt_intel: Ignore unexpected HCI events
    
    If Intel firmware is already in operational mode at boot that takes
    place at warm boot, BT adaptor can generate extra HCI events which
    interferes with firmware mode detection logic. Ignore them.
    
    Sponsored by:   Future Crew LLC
    MFC after:      1 month
    Reviewed by:    bz
    Differential Revision:  https://reviews.freebsd.org/D46736
    
    (cherry picked from commit 0b23c50ae834d11842810304e4ddad2754298ada)
---
 sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c       | 27 +++++++++++++++++++++++
 sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c |  5 +++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c
index 649c479d1d9f..64b41c0a328d 100644
--- a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c
+++ b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c
@@ -530,6 +530,7 @@ static const STRUCT_USB_HOST_ID ubt_devs[] =
  * Size of both command and response buffers are passed in length field of
  * corresponding structures in "Parameter Total Length" format i.e.
  * not including HCI packet headers.
+ * Expected event code must be placed into "Event code" of the response buffer.
  *
  * Must not be used after USB transfers have been configured in attach routine.
  */
@@ -568,6 +569,12 @@ ubt_do_hci_request(struct usb_device *udev, struct ubt_hci_cmd *cmd,
 	if (evt == NULL)
 		return (USB_ERR_NORMAL_COMPLETION);
 
+	/* Save operation code if we expect completion event in response */
+	if(((struct ubt_hci_event *)evt)->header.event ==
+	    NG_HCI_EVENT_COMMAND_COMPL)
+		((struct ubt_hci_event_command_compl *)evt)->opcode =
+		  cmd->opcode;
+
 	/* Initialize INTR endpoint xfer and wait for response */
 	mtx_init(&mtx, "ubt pb", NULL, MTX_DEF | MTX_NEW);
 
@@ -841,6 +848,8 @@ ubt_probe_intr_callback(struct usb_xfer *xfer, usb_error_t error)
 	struct ubt_hci_event	*evt = usbd_xfer_softc(xfer);
 	struct usb_page_cache	*pc;
 	int			actlen;
+	struct ubt_hci_evhdr	evhdr;
+	uint16_t		opcode;
 
 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
 
@@ -848,7 +857,25 @@ ubt_probe_intr_callback(struct usb_xfer *xfer, usb_error_t error)
 	case USB_ST_TRANSFERRED:
 		if (actlen > UBT_HCI_EVENT_SIZE(evt))
 			actlen = UBT_HCI_EVENT_SIZE(evt);
+		if (actlen < sizeof(evhdr))
+			goto submit_next;
 		pc = usbd_xfer_get_frame(xfer, 0);
+		usbd_copy_out(pc, 0, &evhdr, sizeof(evhdr));
+		/* Check for expected event code */
+		if (evt->header.event != 0 &&
+		    (evt->header.event != evhdr.event))
+			goto submit_next;
+		/* For completion events check operation code as well */
+		if (evt->header.event == NG_HCI_EVENT_COMMAND_COMPL) {
+			if (actlen < sizeof(struct ubt_hci_event_command_compl))
+				goto submit_next;
+			usbd_copy_out(pc,
+			    offsetof(struct ubt_hci_event_command_compl, opcode),
+			    &opcode, sizeof(opcode));
+			if (opcode !=
+			    ((struct ubt_hci_event_command_compl *)evt)->opcode)
+				goto submit_next;
+		}
 		usbd_copy_out(pc, 0, evt, actlen);
 		/* OneShot mode */
 		wakeup(evt);
diff --git a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c
index f93b74b264ad..c4410b7b2c80 100644
--- a/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c
+++ b/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_intel.c
@@ -119,14 +119,14 @@ ubt_intel_do_hci_request(struct usb_device *udev, uint16_t opcode,
 	cmd.opcode = htole16(opcode);
 	evt = malloc(offsetof(struct ubt_hci_event_command_compl, data) +
 	    resp_len, M_TEMP, M_ZERO | M_WAITOK);
+	evt->header.event = NG_HCI_EVENT_COMMAND_COMPL;
 	evt->header.length = resp_len + UBT_HCI_EVENT_COMPL_HEAD_SIZE;
 
 	error = ubt_do_hci_request(udev, &cmd, evt, UBT_INTEL_HCICMD_TIMEOUT);
 	if (error != USB_ERR_NORMAL_COMPLETION)
 		goto exit;
 
-	if (evt->header.event == NG_HCI_EVENT_COMMAND_COMPL &&
-	    evt->header.length == resp_len + UBT_HCI_EVENT_COMPL_HEAD_SIZE)
+	if (evt->header.length == resp_len + UBT_HCI_EVENT_COMPL_HEAD_SIZE)
 		memcpy(resp, evt->data, resp_len);
 	else
 		error = USB_ERR_INVAL;
@@ -150,6 +150,7 @@ ubt_intel_get_img_type(struct usb_device *udev)
 	uint8_t *data;
 
 	evt = malloc(UBT_INTEL_MAX_EVT_SIZE, M_TEMP, M_ZERO | M_WAITOK);
+	evt->header.event = NG_HCI_EVENT_COMMAND_COMPL;
 	evt->header.length =
 	    UBT_INTEL_MAX_EVT_SIZE - sizeof(struct ubt_hci_evhdr);