[PATCH V4 0/4] Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers

[PATCH V4 0/4] Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers

[Pedro Nishiyama]

These fake controllers cannot be initialized because they return a smaller 
report than expected for READ_VOICE_SETTING and READ_PAGE_SCAN_TYPE.

This affects fake controllers reusing the 0A12:0001 VID/PID.

Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete")
Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com>
---
Changes in v4:
- Check commands for READ_VOICE_SETTING.
- Disable SCO support if READ_VOICE_SETTING is unsupported/broken. 

Changes in v3:
- Correct the fixes commit. 

Changes in v2:
- Separate the driver changes from the quirks changes.

---
Pedro Nishiyama (4):
  Bluetooth: Add quirk for broken READ_VOICE_SETTING
  Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE
  Bluetooth: Disable SCO support if READ_VOICE_SETTING is
    unsupported/broken
  Bluetooth: btusb: Fix regression in the initialization of fake
    Bluetooth controllers

 drivers/bluetooth/btusb.c        |  2 ++
 include/net/bluetooth/hci.h      | 16 ++++++++++++++++
 include/net/bluetooth/hci_core.h |  4 ++++
 net/bluetooth/hci_event.c        |  4 ++++
 net/bluetooth/hci_sync.c         |  6 +++++-
 5 files changed, 31 insertions(+), 1 deletion(-)

-- 
2.48.1

[PATCH V4 1/4] Bluetooth: Add quirk for broken READ_VOICE_SETTING

[Pedro Nishiyama]

Some fake controllers cannot be initialized because they return a smaller 
report than expected for READ_VOICE_SETTING.

Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com>
---
 include/net/bluetooth/hci.h      | 8 ++++++++
 include/net/bluetooth/hci_core.h | 4 ++++
 net/bluetooth/hci_sync.c         | 3 +++
 3 files changed, 15 insertions(+)

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 0d51970d809f..6886962eca78 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -354,6 +354,14 @@ enum {
 	 * during the hdev->setup vendor callback.
 	 */
 	HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY,
+
+	/* When this quirk is set, the HCI_OP_READ_VOICE_SETTING command is
+	 * skipped. This is required for a subset of the CSR controller clones
+	 * which erroneously claim to support it.
+	 *
+	 * This quirk must be set before hci_register_dev is called.
+	 */
+	HCI_QUIRK_BROKEN_READ_VOICE_SETTING,
 };
 
 /* HCI device flags */
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index f756fac95488..5e0534d8b1df 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1924,6 +1924,10 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
 	((dev)->commands[20] & 0x10 && \
 	 !test_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &hdev->quirks))
 
+#define read_voice_setting_capable(dev) \
+	((dev)->commands[9] & 0x04 && \
+	 !test_bit(HCI_QUIRK_BROKEN_READ_VOICE_SETTING, &(dev)->quirks))
+
 /* Use enhanced synchronous connection if command is supported and its quirk
  * has not been set.
  */
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index dd770ef5ec36..0c6a85abba2c 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -3696,6 +3696,9 @@ static int hci_read_local_name_sync(struct hci_dev *hdev)
 /* Read Voice Setting */
 static int hci_read_voice_setting_sync(struct hci_dev *hdev)
 {
+	if (!read_voice_setting_capable(hdev))
+		return 0;
+
 	return __hci_cmd_sync_status(hdev, HCI_OP_READ_VOICE_SETTING,
 				     0, NULL, HCI_CMD_TIMEOUT);
 }
-- 
2.48.1

[PATCH V4 2/4] Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE

[Pedro Nishiyama]

Some fake controllers cannot be initialized because they return a smaller 
report than expected for READ_PAGE_SCAN_TYPE.

Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com>
---
 include/net/bluetooth/hci.h | 8 ++++++++
 net/bluetooth/hci_sync.c    | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 6886962eca78..b99818df8ee7 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -362,6 +362,14 @@ enum {
 	 * This quirk must be set before hci_register_dev is called.
 	 */
 	HCI_QUIRK_BROKEN_READ_VOICE_SETTING,
+
+	/* When this quirk is set, the HCI_OP_READ_PAGE_SCAN_TYPE command is
+	 * skipped. This is required for a subset of the CSR controller clones
+	 * which erroneously claim to support it.
+	 *
+	 * This quirk must be set before hci_register_dev is called.
+	 */
+	HCI_QUIRK_BROKEN_READ_PAGE_SCAN_TYPE,
 };
 
 /* HCI device flags */
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 0c6a85abba2c..cf60a8da943a 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -4132,7 +4132,8 @@ static int hci_read_page_scan_type_sync(struct hci_dev *hdev)
 	 * support the Read Page Scan Type command. Check support for
 	 * this command in the bit mask of supported commands.
 	 */
-	if (!(hdev->commands[13] & 0x01))
+	if (!(hdev->commands[13] & 0x01) ||
+	    test_bit(HCI_QUIRK_BROKEN_READ_PAGE_SCAN_TYPE, &hdev->quirks))
 		return 0;
 
 	return __hci_cmd_sync_status(hdev, HCI_OP_READ_PAGE_SCAN_TYPE,
-- 
2.48.1

[PATCH V4 3/4] Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken

[Pedro Nishiyama]

A SCO connection without the proper voice_setting can cause 
the controller to lock up.

Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com>
---
 net/bluetooth/hci_event.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 2cc7a9306350..88011fdb3673 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -930,6 +930,9 @@ static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
 		hdev->sco_pkts = 8;
 	}
 
+	if (!read_voice_setting_capable(hdev))
+		hdev->sco_pkts = 0;
+
 	hdev->acl_cnt = hdev->acl_pkts;
 	hdev->sco_cnt = hdev->sco_pkts;
 
-- 
2.48.1

[PATCH V4 4/4] Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers

[Pedro Nishiyama]

Set HCI_READ_VOICE_SETTING and HCI_READ_PAGE_SCAN_TYPE as broken.

Once the min/max length of the commands began to be asserted, these fake 
controllers can no longer be initialized because they return a smaller 
report for these commands.

This affects various fake controllers reusing the 0A12:0001 VID/PID.

Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete")
Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com>
---
 drivers/bluetooth/btusb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 8149e53fd0a7..903361456acf 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2436,6 +2436,8 @@ static int btusb_setup_csr(struct hci_dev *hdev)
 		set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks);
 		set_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks);
 		set_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks);
+		set_bit(HCI_QUIRK_BROKEN_READ_VOICE_SETTING, &hdev->quirks);
+		set_bit(HCI_QUIRK_BROKEN_READ_PAGE_SCAN_TYPE, &hdev->quirks);
 
 		/* Clear the reset quirk since this is not an actual
 		 * early Bluetooth 1.1 device from CSR.
-- 
2.48.1

RE: Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2150 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=939232

---Test result---

Test Summary:
CheckPatch                    PENDING   0.29 seconds
GitLint                       PENDING   0.20 seconds
SubjectPrefix                 PASS      0.35 seconds
BuildKernel                   PASS      24.21 seconds
CheckAllWarning               PASS      26.45 seconds
CheckSparse                   WARNING   30.12 seconds
BuildKernel32                 PASS      23.86 seconds
TestRunnerSetup               PASS      425.32 seconds
TestRunner_l2cap-tester       PASS      20.66 seconds
TestRunner_iso-tester         PASS      35.46 seconds
TestRunner_bnep-tester        PASS      4.72 seconds
TestRunner_mgmt-tester        FAIL      117.97 seconds
TestRunner_rfcomm-tester      PASS      7.80 seconds
TestRunner_sco-tester         PASS      11.62 seconds
TestRunner_ioctl-tester       PASS      8.22 seconds
TestRunner_mesh-tester        PASS      5.90 seconds
TestRunner_smp-tester         PASS      7.19 seconds
TestRunner_userchan-tester    PASS      4.89 seconds
IncrementalBuild              PENDING   0.72 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 485 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
LL Privacy - Add Device 3 (AL is full)               Failed       0.195 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH V4 0/4] Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat,  1 Mar 2025 03:22:57 -0300 you wrote:
> These fake controllers cannot be initialized because they return a smaller
> report than expected for READ_VOICE_SETTING and READ_PAGE_SCAN_TYPE.
> 
> This affects fake controllers reusing the 0A12:0001 VID/PID.
> 
> Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete")
> Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com>
> 
> [...]

Here is the summary with links:
  - [V4,1/4] Bluetooth: Add quirk for broken READ_VOICE_SETTING
    https://git.kernel.org/bluetooth/bluetooth-next/c/173b1b3e9d6c
  - [V4,2/4] Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE
    https://git.kernel.org/bluetooth/bluetooth-next/c/700ef3e1674a
  - [V4,3/4] Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken
    https://git.kernel.org/bluetooth/bluetooth-next/c/d8cba796e61f
  - [V4,4/4] Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers
    https://git.kernel.org/bluetooth/bluetooth-next/c/c2fe96fc96f7

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html