| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250929221553.84966-1-jgnieto@cs.stanford.edu>
Date: Mon, 29 Sep 2025 15:14:41 -0700
From: Javier Nieto <jgnieto@...stanford.edu>
To: luiz.dentz@...il.com,
marcel@...tmann.org
Cc: linux-bluetooth@...r.kernel.org,
linux-kernel@...r.kernel.org,
Javier Nieto <jgnieto@...stanford.edu>
Subject: [PATCH resubmit] Bluetooth: hci_h5: avoid sending two SYNC messages
Previously, h5_open() called h5_link_control() to send a SYNC message.
But h5_link_control() only enqueues the packet and requires the caller
to call hci_uart_tx_wakeup(). Thus, after H5_SYNC_TIMEOUT ran out
(100ms), h5_timed_event() would be called and, realizing that the state
was still H5_UNINITIALIZED, it would re-enqueue the SYNC and call
hci_uart_tx_wakeup(). Consequently, two SYNC packets would be sent and
initialization would unnecessarily wait for 100ms.
The naive solution of calling hci_uart_tx_wakeup() in h5_open() does not
work because it will only schedule tx work if the HCI_PROTO_READY bit is
set and hci_serdev only sets it after h5_open() returns. This patch
removes the extraneous SYNC being enqueued and makes h5_timed_event()
wake up on the next jiffy.
Signed-off-by: Javier Nieto <jgnieto@...stanford.edu>
---
My test environment is a MangoPi MQ-Pro board
(with a Realtek RTL8723DS Bluetooth chip) running the tip of
bluetooth-next, although I also observed this issue on 6.8 kernel.
Originally, I spotted it using a logic analyzer on the UART PCB traces.
I added a temporary log message to h5_link_control(), which prints the
first byte and the length of the packet being sent. Here is the relevant
part before the patch:
[ 67.328445] Bluetooth: h5_link_control sending 1 with len 2
[ 67.432393] Bluetooth: h5_link_control sending 1 with len 2
[ 67.436424] Bluetooth: h5_link_control sending 3 with len 3
[ 67.436592] Bluetooth: h5_link_control sending 2 with len 2
[ 67.436693] Bluetooth: h5_link_control sending 3 with len 3
[ 67.439510] Bluetooth: h5_link_control sending 2 with len 2
[ 67.440004] Bluetooth: h5_link_control sending 4 with len 2
[ 67.440030] Bluetooth: h5_link_control sending 3 with len 3
And here after the patch:
[ 67.498228] Bluetooth: h5_link_control sending 1 with len 2
[ 67.501444] Bluetooth: h5_link_control sending 3 with len 3
[ 67.501615] Bluetooth: h5_link_control sending 2 with len 2
[ 67.504976] Bluetooth: h5_link_control sending 2 with len 2
[ 67.505141] Bluetooth: h5_link_control sending 4 with len 2
[ 67.505168] Bluetooth: h5_link_control sending 3 with len 3
Notice that in the first case, two SYNC packets (type 1) are sent, one 100ms
after the other, while in the second case only one is sent. In both
cases, using bluetoothctl to connect to a device later on works fine.
---
drivers/bluetooth/hci_h5.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index d0d4420c1a0f..863ee93dd8a8 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -213,7 +213,6 @@ static void h5_peer_reset(struct hci_uart *hu)
static int h5_open(struct hci_uart *hu)
{
struct h5 *h5;
- const unsigned char sync[] = { 0x01, 0x7e };
BT_DBG("hu %p", hu);
@@ -243,9 +242,11 @@ static int h5_open(struct hci_uart *hu)
set_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags);
- /* Send initial sync request */
- h5_link_control(hu, sync, sizeof(sync));
- mod_timer(&h5->timer, jiffies + H5_SYNC_TIMEOUT);
+ /*
+ * Wait one jiffy because the UART layer won't set HCI_UART_PROTO_READY,
+ * which allows us to send link packets, until this function returns.
+ */
+ mod_timer(&h5->timer, jiffies + 1);
return 0;
}
--
2.43.0
Powered by blists - more mailing lists