From: Johan Hovold
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: Doug Anderson, Janaki Ramaiah Thota, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold, stable@vger.kernel.org, Matthias Kaehlcke
Subject: [PATCH v2 2/3] Bluetooth: qca: fix NVM configuration parsing
Date: Tue, 30 Apr 2024 19:07:40 +0200
Message-ID: <20240430170741.15742-3-johan+linaro@kernel.org>
In-Reply-To: <20240430170741.15742-1-johan+linaro@kernel.org>
References: <20240430170741.15742-1-johan+linaro@kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

The NVM configuration files used by WCN3988 and WCN3990/1/8 have two sets of configuration tags that are enclosed by a type-length header of type four, which the current parser fails to account for. Instead the driver happily parses random data as if it were valid tags, something which can lead to the configuration data being corrupted if it ever encounters the words 0x0011 or 0x001b.

As is clear from commit b63882549b2b ("Bluetooth: btqca: Fix the NVM baudrate tag offcet for wcn3991") the intention has always been to process the configuration data also for WCN3991 and WCN3998, which encodes the baud rate at a different offset.

Fix the parser so that it can handle the WCN3xxx configuration files, which have an enclosing type-length header of type four and two sets of TLV tags enclosed by a type-length header of type two and three, respectively.

Note that only the first set, which contains the tags the driver is currently looking for, will be parsed for now.

With the parser fixed, the software in-band sleep bit will now be set for WCN3991 and WCN3998 (as it is for later controllers) and the default baud rate 3200000 may be updated by the driver also for WCN3xxx controllers.
Notably, the deep-sleep feature bit is already set by default in all configuration files in linux-firmware.

Fixes: 4219d4686875 ("Bluetooth: btqca: Add wcn3990 firmware download support.")
Cc: stable@vger.kernel.org # 4.19
Cc: Matthias Kaehlcke
Signed-off-by: Johan Hovold
---
 drivers/bluetooth/btqca.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index 6743b0a79d7a..f6c9f89a6311 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -281,6 +281,7 @@ static int qca_tlv_check_data(struct hci_dev *hdev, struct tlv_type_patch *tlv_patch; struct tlv_type_nvm *tlv_nvm; uint8_t nvm_baud_rate = config->user_baud_rate; + u8 type; config->dnld_mode = QCA_SKIP_EVT_NONE; config->dnld_type = QCA_SKIP_EVT_NONE;
@@ -346,11 +347,30 @@ static int qca_tlv_check_data(struct hci_dev *hdev, tlv = (struct tlv_type_hdr *)fw_data; type_len = le32_to_cpu(tlv->type_len); - length = (type_len >> 8) & 0x00ffffff; + length = type_len >> 8; + type = type_len & 0xff; - BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff); + /* Some NVM files have more than one set of tags, only parse + * the first set when it has type 2 for now. When there is + * more than one set there is an enclosing header of type 4. + */ + if (type == 4) { + if (fw_size < 2 * sizeof(struct tlv_type_hdr)) + return -EINVAL; + + tlv++; + + type_len = le32_to_cpu(tlv->type_len); + length = type_len >> 8; + type = type_len & 0xff; + } + + BT_DBG("TLV Type\t\t : 0x%x", type); BT_DBG("Length\t\t : %d bytes", length); + if (type != 2) + break; + if (fw_size < length + (tlv->data - fw_data)) return -EINVAL;
--
2.43.2
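Review bot: the new local `u8 type;` in the first hunk is declared directly next to `uint8_t nvm_baud_rate`, so the two locals now spell the same type two ways; `u8` is the kernel-preferred form, so this is fine for the new line, but the neighbouring declaration could be switched to `u8` in a follow-up for consistency.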
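Review bot: in the second hunk the `if (type != 2) break;` path skips the whole NVM section while only reporting the type through `BT_DBG`, so a file whose first set is not type 2 (or a future layout that nests differently) keeps the default baud rate and sleep settings without any visible trace; consider a `bt_dev_warn()` that names the unexpected type before the `break` so the skipped configuration shows up in the log. The bounds handling itself looks right: `if (fw_size < 2 * sizeof(struct tlv_type_hdr))` is checked before `tlv++`, and the later `fw_size < length + (tlv->data - fw_data)` check still measures from `fw_data`, so the skipped outer header is included in the accounting.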
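The header layout the commit message describes, as an added example that is not code from the patch or from the driver: a small Python model of the NVM header chain that compares the pre-fix behaviour, which takes whatever follows the first header as tag records, with the fixed one that steps through a type-4 enclosing header and walks only a type-2 set. The tag record layout (little-endian u16 id, u16 length, u32 reserved, then data) and the sample NVM bytes are assumptions constructed for this demonstration; 0x0011 and 0x001b are the tag ids the message names.

```python
import struct

HDR_LEN = 4       # 32-bit little-endian type-length word
TAG_HDR_LEN = 8   # assumed tag record: u16 id, u16 len, u32 reserved, then data

def parse_header(buf, off):
    """Decode a type-length word: type in the low byte, length in the upper 24 bits."""
    if off + HDR_LEN > len(buf):
        raise ValueError("truncated type-length header")
    (type_len,) = struct.unpack_from("<I", buf, off)
    return type_len & 0xff, type_len >> 8

def nvm_tag_ids(buf, nested_aware=True):
    """Return the tag ids of the first tag set.
    nested_aware=False models the pre-fix driver: it reads the bytes behind the
    first header as tag records even when that header is the enclosing type-4
    one, so inner headers and tag bodies get misread as tags."""
    typ, length = parse_header(buf, 0)
    off = HDR_LEN
    if nested_aware:
        if typ == 4:
            # Enclosing header: the first set's own header follows it.
            typ, length = parse_header(buf, off)
            off += HDR_LEN
        if typ != 2:
            return []   # only the type-2 set carries the tags we look for
    end = off + length
    if end > len(buf):
        raise ValueError("tag set runs past end of file")
    ids = []
    while off + TAG_HDR_LEN <= end:
        tag_id, tag_len = struct.unpack_from("<HH", buf, off)
        if off + TAG_HDR_LEN + tag_len > end:
            raise ValueError("tag runs past end of set")
        ids.append(tag_id)
        off += TAG_HDR_LEN + tag_len
    return ids

def _tag(tag_id, data):
    return struct.pack("<HHI", tag_id, len(data), 0) + data

def _header(typ, length):
    return struct.pack("<I", (length << 8) | typ)

# Constructed sample in the WCN3xxx shape: a type-4 header enclosing a
# type-2 set (two tags) followed by a type-3 set (one tag).
_SET2 = _tag(0x0011, b"\x01\x02\x03\x04") + _tag(0x001b, b"\x05\x06")
_SET3 = _tag(0x0001, b"\x07")
_BODY = _header(2, len(_SET2)) + _SET2 + _header(3, len(_SET3)) + _SET3
SAMPLE_NVM = _header(4, len(_BODY)) + _BODY
```

On the sample the fixed walk yields the two real tag ids, while the pre-fix walk returns the inner type-2 header word and a zeroed reserved field as bogus tags and only resynchronises by accident on the second tag.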