* Re: [PATCH v5] Bluetooth: btrtl: Add firmware format v3 support
From: Paul Menzel @ 2026-06-24 8:06 UTC (permalink / raw)
To: Hilda Wu
Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel, alex_lu,
jason_mao, zoey_zhou, max.chou, kidman
In-Reply-To: <20260624053334.3151885-1-hildawu@realtek.com>
Dear Hilda,
Thank you for your patch.
Am 24.06.26 um 07:33 schrieb Hilda Wu:
> Realtek updated its Bluetooth firmware format to v3.
Please name the specification document, and state whether it’s
publically accessible.
> This patch extends the btrtl driver to recognise and parse the new v3 file
> format, including:
> - New signature string and image ID definitions
> - Extension of btrtl_device_info to store v3-specific metadata
> - Logic to extract and load firmware data out of v3 images
> - Maintains compatibility with existing v2 firmware format
>
> This is required for future Realtek Bluetooth chips that ship with
> v3 firmware.
Please add a blank line between paragraphs or do not wrap the line after
the sentence.
> The RTL8922D is the first IC to use firmware format V3, so the following
> example uses the RTL8922D's log as expected fw format v3 output:
>
> Bluetooth: btrtl_read_chip_id() hci0: RTL: chip_id status=0x00 id=0x37
> Bluetooth: btrtl_initialize() hci0: RTL: examining hci_ver=0d
> hci_rev=000d lmp_ver=0d lmp_subver=8922
Please do not wrap the lines of the pasted lines. If you keep the
timestamp in the front, `checkpatch.pl` should not complain.
> Bluetooth: rtl_read_rom_version() hci0: RTL: rom_version status=0 version=1
> Bluetooth: btrtl_initialize() hci0: RTL: btrtl_initialize: key id 0
> Bluetooth: rtl_load_file() hci0: RTL: loading rtl_bt/rtl8922du_fw.bin
> Bluetooth: rtl_load_file() hci0: RTL: loading rtl_bt/rtl8922du_config.bin
> Bluetooth: rtlbt_parse_firmware_v3() hci0: RTL: key id 0
> Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image (f000:00), chip id
> 55, cut 0x02, len 00007185
> Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image version: 35fd7908
> Bluetooth: rtlbt_parse_config() hci0: RTL: config file:
> rtl_bt/rtl8922du_config_f000.bin
> Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image (f002:00), chip id
> 55, cut 0x02, len 000078f5
> Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image version: 47b6874d
> Bluetooth: rtlbt_parse_config() hci0: RTL: config file:
> rtl_bt/rtl8922du_config_f002.bin
> Bluetooth: rtlbt_parse_firmware_v3() hci0: RTL: image payload total len:
> 0x0000ea7a
> Bluetooth: rtl_finalize_download() hci0: RTL: Watchdog reset status 00
> Bluetooth: rtl_finalize_download() hci0: RTL: fw version 0x47b6874d
How big in the firmware file, and how long did it take to load it?
> Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
> Signed-off-by: Zoey Zhou <zoey_zhou@realsil.com.cn>
> Signed-off-by: Hilda Wu <hildawu@realtek.com>
>
> ---
> V4 -> V5::
> - Add independent support for RTL8922D section
> - Introduce macros to improve code readability
> - Document firmware format v3 and its differences
> - Align implementation with reviewer feedback
>
> V3 -> V4:
> - Rework skb->data access and add clarifying comments
> - Fix latent issues
>
> V2 -> V3:
> - Address coccinelle warning
>
> V1 -> V2:
> - Add missing symbols
> - Resolve build warnings
> ---
> drivers/bluetooth/btrtl.c | 698 +++++++++++++++++++++++++++++++++++++-
> drivers/bluetooth/btrtl.h | 102 ++++++
The files get bigger. Would it be good to split the firmware handling
out into a separate file?
> drivers/bluetooth/btusb.c | 3 +
> 3 files changed, 786 insertions(+), 17 deletions(-)
For easier review, would it be possible to split out the refactoring
like defining the macros FW_TYPE_V0, … and using them?
[…]
Kind regards,
Paul
^ permalink raw reply
* [PATCH v5 3/3] Bluetooth: btmtk: Add MT7928 support
From: Chris Lu @ 2026-06-24 7:55 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Chris Lu, Paul Menzel
In-Reply-To: <20260624075505.1318804-1-chris.lu@mediatek.com>
Add support for MT7928 (internal device ID is MT7935) which requires
additional firmware (CBMCU firmware) loading before Bluetooth firmware.
CBMCU is a new component on MT7928 to handle common part shared across
the combo chip (Wi-Fi/Bluetooth's subsystem), providing a better user
experience through improved coordination between subsystems.
Implement two-phase CBMCU firmware download: Phase 1 loads section with
type 0x5 containing global descriptor, section maps and signature data;
Phase 2 loads remaining firmware sections. Add retry mechanism for
concurrent download protection.
After CBMCU firmware loads successfully, the driver continues to load
corresponding BT firmware based on device ID through fallthrough to
case 0x7922/0x7925.
The firmware(CBMCU_CODE_MT7935_1_1.bin/BT_RAM_CODE_MT7935_1_1_hdr.bin)
required for MT7928 will be scheduled for upload to linux-firmware at
a later stage.
MT7928 bring-up kernel log:
[ 159.784050] usb 1-3: New USB device found, idVendor=0e8d, idProduct=7935, bcdDevice= 1.00
[ 159.784107] usb 1-3: New USB device strings: Mfr=5, Product=6, SerialNumber=7
[ 159.784140] usb 1-3: Product: Wireless_Device
[ 159.784166] usb 1-3: Manufacturer: MediaTek Inc.
[ 159.784192] usb 1-3: SerialNumber: 000000000
[ 159.795736] Bluetooth: hci1: Loading CBMCU firmware: mediatek/mt7928/CBMCU_CODE_MT7935_1_1.bin
[ 159.807197] Bluetooth: hci1: CBMCU HW ver: 0x7935, SW ver: 0x0000, Build Time: 20260601T161751+0800
[ 160.123155] Bluetooth: hci1: CBMCU firmware download completed
[ 160.143013] Bluetooth: hci1: Loading BT firmware: mediatek/mt7928/BT_RAM_CODE_MT7935_1_1_hdr.bin
[ 160.152775] Bluetooth: hci1: BT HW ver: 0x7935, SW ver: 0x0000, Build Time: 20260527000816
[ 163.242266] Bluetooth: hci1: Device setup in 3367430 usecs
[ 163.242280] Bluetooth: hci1: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
[ 163.355900] Bluetooth: hci1: AOSP extensions version v2.00
[ 163.355956] Bluetooth: hci1: AOSP quality report is supported
[ 163.357902] Bluetooth: MGMT ver 1.23
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Sean Wang <sean.wang@mediatek.com>
---
drivers/bluetooth/btmtk.c | 355 +++++++++++++++++++++++++++++++++++++-
drivers/bluetooth/btmtk.h | 3 +
2 files changed, 357 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index dc40820bfea0..1b08db862c20 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -21,6 +21,12 @@
#define MTK_FW_ROM_PATCH_SEC_MAP_SIZE 64
#define MTK_SEC_MAP_COMMON_SIZE 12
#define MTK_SEC_MAP_NEED_SEND_SIZE 52
+#define MTK_SEC_MAP_LENGTH_SIZE 4
+#define MTK_SEC_CBMCU_DESC 0x5
+
+/* CBMCU WMT command flags */
+#define BTMTK_CBMCU_FLAG_QUERY_STATUS 0xF0
+#define BTMTK_CBMCU_FLAG_ENABLE_PATCH 0xF1
/* It is for mt79xx iso data transmission setting */
#define MTK_ISO_THRESHOLD 264
@@ -120,6 +126,11 @@ void btmtk_fw_get_filename(char *buf, size_t size, u32 dev_id, u32 fw_ver,
snprintf(buf, size,
"mediatek/mt%04x/BT_RAM_CODE_MT%04x_1_%x_hdr.bin",
dev_id & 0xffff, dev_id & 0xffff, (fw_ver & 0xff) + 1);
+ /* MT7928 */
+ else if (dev_id == 0x7935)
+ snprintf(buf, size,
+ "mediatek/mt7928/BT_RAM_CODE_MT%04x_1_1_hdr.bin",
+ dev_id & 0xffff);
else if (dev_id == 0x7961 && fw_flavor)
snprintf(buf, size,
"mediatek/BT_RAM_CODE_MT%04x_1a_%x_hdr.bin",
@@ -736,6 +747,7 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
status = BTMTK_WMT_ON_UNDONE;
break;
case BTMTK_WMT_PATCH_DWNLD:
+ case BTMTK_WMT_CBMCU_DWNLD:
if (wmt_evt->whdr.flag == 2)
status = BTMTK_WMT_PATCH_DONE;
else if (wmt_evt->whdr.flag == 1)
@@ -872,6 +884,336 @@ static u32 btmtk_usb_reset_done(struct hci_dev *hdev)
return val & MTK_BT_RST_DONE;
}
+static int btmtk_cbmcu_patch_status(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u8 *patch_status)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ int status, err, retry = 20;
+
+ do {
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.flag = BTMTK_CBMCU_FLAG_QUERY_STATUS;
+ wmt_params.dlen = 0;
+ wmt_params.data = NULL;
+ wmt_params.status = &status;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to query CBMCU patch status (%d)", err);
+ return err;
+ }
+
+ *patch_status = (u8)status;
+
+ if (*patch_status == BTMTK_WMT_PATCH_PROGRESS) {
+ msleep(100);
+ retry--;
+ } else {
+ break;
+ }
+ } while (retry > 0);
+
+ return 0;
+}
+
+static int btmtk_query_cbmcu_section(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u8 cbmcu_type,
+ const u8 *section_map,
+ u32 cert_len)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ u8 cmd[64];
+ int status, err;
+
+ cmd[0] = 0;
+ cmd[1] = cbmcu_type;
+
+ if (cbmcu_type == 0)
+ put_unaligned_le32(cert_len, &cmd[2]);
+ else
+ memcpy(&cmd[2], section_map, MTK_SEC_MAP_NEED_SEND_SIZE);
+
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.flag = 0;
+ wmt_params.dlen = cbmcu_type ?
+ MTK_SEC_MAP_NEED_SEND_SIZE + 2 :
+ MTK_SEC_MAP_LENGTH_SIZE + 2;
+ wmt_params.data = cmd;
+ wmt_params.status = &status;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to query CBMCU section (%d)", err);
+ return err;
+ }
+
+ /* Query should return UNDONE status for successful section query */
+ if (status != BTMTK_WMT_PATCH_UNDONE) {
+ bt_dev_err(hdev, "CBMCU section query status error (%d)", status);
+ return -EIO;
+ }
+
+ return 0;
+}
+
+static int btmtk_download_cbmcu_section(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ const u8 *fw_data,
+ u32 dl_size)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ u32 sent_len, total_size = dl_size;
+ int err;
+
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.status = NULL;
+
+ while (dl_size > 0) {
+ sent_len = min_t(u32, 250, dl_size);
+
+ if (dl_size == total_size)
+ wmt_params.flag = BTMTK_WMT_PKT_START;
+ else if (dl_size == sent_len)
+ wmt_params.flag = BTMTK_WMT_PKT_END;
+ else
+ wmt_params.flag = BTMTK_WMT_PKT_CONTINUE;
+
+ wmt_params.dlen = sent_len;
+ wmt_params.data = fw_data;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to send CBMCU section data (%d)", err);
+ return err;
+ }
+
+ dl_size -= sent_len;
+ fw_data += sent_len;
+ }
+
+ return 0;
+}
+
+static int btmtk_enable_cbmcu_patch(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ int err;
+
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.flag = BTMTK_CBMCU_FLAG_ENABLE_PATCH;
+ wmt_params.dlen = 0;
+ wmt_params.data = NULL;
+ wmt_params.status = NULL;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to enable CBMCU patch (%d)", err);
+ return err;
+ }
+
+ return 0;
+}
+
+static int btmtk_load_cbmcu_firmware(struct hci_dev *hdev,
+ const char *fwname,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u32 dev_id)
+{
+ struct btmtk_patch_header *hdr;
+ struct btmtk_global_desc *globaldesc;
+ struct btmtk_section_map *sectionmap;
+ const struct firmware *fw;
+ const u8 *fw_ptr;
+ u8 *cert_buf = NULL;
+ u32 section_num, section_offset, dl_size, cert_len;
+ int i, err;
+
+ err = request_firmware(&fw, fwname, &hdev->dev);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to load CBMCU firmware file %s (%d)",
+ fwname, err);
+ return err;
+ }
+
+ if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE) {
+ bt_dev_err(hdev, "CBMCU firmware too small: size=%zu, min=%u",
+ fw->size,
+ MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ fw_ptr = fw->data;
+ hdr = (struct btmtk_patch_header *)fw_ptr;
+ globaldesc = (struct btmtk_global_desc *)(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE);
+ section_num = le32_to_cpu(globaldesc->section_num);
+
+ if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE +
+ (size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num) {
+ bt_dev_err(hdev, "CBMCU firmware truncated: size=%zu, expected=%zu (section_num=%u)",
+ fw->size,
+ MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE +
+ (size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num,
+ section_num);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ bt_dev_info(hdev, "CBMCU HW ver: 0x%04x, SW ver: 0x%04x, Build Time: %s",
+ dev_id & 0xffff, le16_to_cpu(hdr->swver), hdr->datetime);
+
+ /* Phase 1: Download section type MTK_SEC_CBMCU_DESC */
+ for (i = 0; i < section_num; i++) {
+ sectionmap = (struct btmtk_section_map *)
+ (fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
+ MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
+
+ /* Only process MTK_SEC_CBMCU_DESC section in Phase 1 */
+ if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) != MTK_SEC_CBMCU_DESC)
+ continue;
+
+ section_offset = le32_to_cpu(sectionmap->secoffset);
+ dl_size = le32_to_cpu(sectionmap->secsize);
+
+ if (dl_size == 0)
+ continue;
+
+ if (section_offset > fw->size ||
+ dl_size > fw->size - section_offset) {
+ bt_dev_err(hdev, "CBMCU Phase 1 section out of bounds");
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ cert_len = MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num +
+ dl_size;
+
+ /* Query cbmcu section */
+ err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync, 0, NULL,
+ cert_len);
+ if (err < 0)
+ goto err_release_fw;
+
+ cert_buf = kmalloc(cert_len, GFP_KERNEL);
+ if (!cert_buf) {
+ err = -ENOMEM;
+ goto err_release_fw;
+ }
+
+ /* Copy Global Descriptor + All Section Maps */
+ memcpy(cert_buf,
+ fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE,
+ MTK_FW_ROM_PATCH_GD_SIZE + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num);
+
+ /* Copy Phase 1 section data */
+ memcpy(cert_buf + MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num,
+ fw_ptr + section_offset,
+ dl_size);
+
+ /* Download Phase 1 section */
+ err = btmtk_download_cbmcu_section(hdev, wmt_cmd_sync,
+ cert_buf, cert_len);
+ kfree(cert_buf);
+ cert_buf = NULL;
+
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to download CBMCU Phase 1 section (%d)", err);
+ goto err_release_fw;
+ }
+
+ break;
+ }
+
+ /* Phase 2: Download other sections (type != MTK_SEC_CBMCU_DESC) */
+ for (i = 0; i < section_num; i++) {
+ sectionmap = (struct btmtk_section_map *)
+ (fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
+ MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
+
+ /* Skip MTK_SEC_CBMCU_DESC section in Phase 2 */
+ if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) == MTK_SEC_CBMCU_DESC)
+ continue;
+
+ section_offset = le32_to_cpu(sectionmap->secoffset);
+ dl_size = le32_to_cpu(sectionmap->bin_info_spec.dlsize);
+
+ if (dl_size == 0)
+ continue;
+
+ if (section_offset > fw->size ||
+ dl_size > fw->size - section_offset) {
+ bt_dev_err(hdev, "CBMCU Phase 2 section %d out of bounds", i);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ /* Query cbmcu section */
+ err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync, 1,
+ (u8 *)§ionmap->bin_info_spec,
+ 0);
+ if (err < 0)
+ goto err_release_fw;
+
+ /* Download section data */
+ err = btmtk_download_cbmcu_section(hdev, wmt_cmd_sync,
+ fw_ptr + section_offset,
+ dl_size);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to download CBMCU section %d (%d)", i, err);
+ goto err_release_fw;
+ }
+ }
+
+ bt_dev_info(hdev, "CBMCU firmware download completed");
+
+err_release_fw:
+ release_firmware(fw);
+ return err;
+}
+
+static int btmtk_setup_cbmcu_firmware(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u32 dev_id)
+{
+ char cbmcu_fwname[64];
+ u8 patch_status;
+ int err;
+
+ err = btmtk_cbmcu_patch_status(hdev, wmt_cmd_sync, &patch_status);
+ if (err < 0)
+ return err;
+
+ bt_dev_dbg(hdev, "CBMCU patch status: 0x%02x", patch_status);
+
+ if (patch_status != BTMTK_WMT_PATCH_UNDONE)
+ return 0;
+
+ snprintf(cbmcu_fwname, sizeof(cbmcu_fwname),
+ "mediatek/mt7928/CBMCU_CODE_MT%04x_1_1.bin",
+ dev_id & 0xffff);
+
+ bt_dev_info(hdev, "Loading CBMCU firmware: %s", cbmcu_fwname);
+
+ err = btmtk_load_cbmcu_firmware(hdev, cbmcu_fwname, wmt_cmd_sync, dev_id);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to download CBMCU firmware (%d)", err);
+ return err;
+ }
+
+ err = btmtk_enable_cbmcu_patch(hdev, wmt_cmd_sync);
+ if (err < 0)
+ return err;
+
+ return 0;
+}
+
int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
{
u32 val;
@@ -896,7 +1238,7 @@ int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
if (err < 0)
return err;
msleep(100);
- } else if (dev_id == 0x7925 || dev_id == 0x6639) {
+ } else if (dev_id == 0x7925 || dev_id == 0x6639 || dev_id == 0x7935) {
err = btmtk_usb_uhw_reg_read(hdev, MTK_BT_RESET_REG_CONNV3, &val);
if (err < 0)
return err;
@@ -1381,6 +1723,15 @@ int btmtk_usb_setup(struct hci_dev *hdev)
case 0x7668:
fwname = FIRMWARE_MT7668;
break;
+ case 0x7935:
+ /* Requires CBMCU firmware before BT firmware */
+ err = btmtk_setup_cbmcu_firmware(hdev, btmtk_usb_hci_wmt_sync,
+ dev_id);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to set up CBMCU firmware (%d)", err);
+ return err;
+ }
+ fallthrough;
case 0x7922:
case 0x7925:
/*
@@ -1598,3 +1949,5 @@ MODULE_FIRMWARE(FIRMWARE_MT7922);
MODULE_FIRMWARE(FIRMWARE_MT7961);
MODULE_FIRMWARE(FIRMWARE_MT7925);
MODULE_FIRMWARE(FIRMWARE_MT7927);
+MODULE_FIRMWARE(FIRMWARE_MT7928);
+MODULE_FIRMWARE(FIRMWARE_MT7928_CBMCU);
diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
index 51c18dde0a80..5fe4964b031b 100644
--- a/drivers/bluetooth/btmtk.h
+++ b/drivers/bluetooth/btmtk.h
@@ -9,6 +9,8 @@
#define FIRMWARE_MT7961 "mediatek/BT_RAM_CODE_MT7961_1_2_hdr.bin"
#define FIRMWARE_MT7925 "mediatek/mt7925/BT_RAM_CODE_MT7925_1_1_hdr.bin"
#define FIRMWARE_MT7927 "mediatek/mt7927/BT_RAM_CODE_MT6639_2_1_hdr.bin"
+#define FIRMWARE_MT7928 "mediatek/mt7928/BT_RAM_CODE_MT7935_1_1_hdr.bin"
+#define FIRMWARE_MT7928_CBMCU "mediatek/mt7928/CBMCU_CODE_MT7935_1_1.bin"
#define HCI_EV_WMT 0xe4
#define HCI_WMT_MAX_EVENT_SIZE 64
@@ -54,6 +56,7 @@ enum {
BTMTK_WMT_RST = 0x7,
BTMTK_WMT_REGISTER = 0x8,
BTMTK_WMT_SEMAPHORE = 0x17,
+ BTMTK_WMT_CBMCU_DWNLD = 0x58,
};
enum {
--
2.45.2
^ permalink raw reply related
* [PATCH v5 0/3] Bluetooth: btmtk: Add MT7928 support
From: Chris Lu @ 2026-06-24 7:55 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Chris Lu
This patch series adds support for MT7928 (device ID 0x7935) to the
btmtk driver, which requires a new two-stage firmware loading process
with CBMCU firmware.
Patch 1 refactors existing firmware download code by replacing magic
numbers with a descriptive BTMTK_WMT_PKT_* enum, making the packet
sequencing logic clearer.
Patch 2 improves BT firmware logging to provide more useful information
for debugging: adds firmware filename before loading and displays chip ID
as HW version instead of firmware's hwver field.
Patch 3 implements MT7928 firmware download flow, which requires loading
CBMCU firmware before Bluetooth firmware. The CBMCU firmware uses a
two-phase download sequence: Phase 1 downloads the section containing
global descriptor and signature data, Phase 2 downloads the remaining
firmware sections. After CBMCU firmware completes, the driver continues
to load the Bluetooth firmware following the standard flow.
Tested on MT7928 hardware with successful firmware loading and
Bluetooth functionality verification.
Changes in v5:
- Split into three patches: refactoring, logging improvement, and
new feature
- Add Patch 2 to improve BT firmware logging independently
* Add firmware filename before loading
* Display chip ID (dev_id) as HW version
* Use clearer log format with separate HW/SW version fields
- Apply same logging improvements to CBMCU firmware in Patch 3
- Better separation of concerns for easier review
Changes in v4:
- Split into two patches: refactoring and new feature
- Add BTMTK_WMT_PKT_* enum to improve code readability
- Replace magic numbers (0xF0, 0xF1) with descriptive macros
- Define MTK_SEC_CBMCU_DESC macro for section type
- Add MT7928 marketing name comment
- Include firmware filename in error messages
- Add detailed size information in firmware validation errors
- Use BTMTK_WMT_PKT_* enum in CBMCU download function
Changes in v3:
- Add firmware size validation with bounds checking
- Improve error messages with context information
- Add section offset validation for both phases
Changes in v2:
- Simplified enum usage by consolidating status definitions
- Improved code maintainability
Chris Lu (3):
Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum
Bluetooth: btmtk: Improve BT firmware logging
Bluetooth: btmtk: Add MT7928 support
drivers/bluetooth/btmtk.c | 365 +++++++++++++++++++++++++++++++++++++-
drivers/bluetooth/btmtk.h | 9 +
2 files changed, 370 insertions(+), 4 deletions(-)
--
2.45.2
^ permalink raw reply
* [PATCH v5 1/3] Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum
From: Chris Lu @ 2026-06-24 7:55 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Chris Lu, Paul Menzel
In-Reply-To: <20260624075505.1318804-1-chris.lu@mediatek.com>
Add BTMTK_WMT_PKT_* enum to represent WMT download packet sequence flags,
improving code readability. Replace magic numbers (1, 2, 3) in
btmtk_setup_firmware_79xx() with descriptive enum values:
- BTMTK_WMT_PKT_START (1): First packet of a sequence
- BTMTK_WMT_PKT_CONTINUE (2): Continuation packet
- BTMTK_WMT_PKT_END (3): Final packet of a sequence
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
---
drivers/bluetooth/btmtk.c | 6 +++---
drivers/bluetooth/btmtk.h | 6 ++++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 02a96342e964..21c08ee1cdbf 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -230,12 +230,12 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
while (dl_size > 0) {
dlen = min_t(int, 250, dl_size);
if (first_block == 1) {
- flag = 1;
+ flag = BTMTK_WMT_PKT_START;
first_block = 0;
} else if (dl_size - dlen <= 0) {
- flag = 3;
+ flag = BTMTK_WMT_PKT_END;
} else {
- flag = 2;
+ flag = BTMTK_WMT_PKT_CONTINUE;
}
wmt_params.flag = flag;
diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
index c83c24897c95..51c18dde0a80 100644
--- a/drivers/bluetooth/btmtk.h
+++ b/drivers/bluetooth/btmtk.h
@@ -66,6 +66,12 @@ enum {
BTMTK_WMT_ON_PROGRESS,
};
+enum {
+ BTMTK_WMT_PKT_START = 1,
+ BTMTK_WMT_PKT_CONTINUE = 2,
+ BTMTK_WMT_PKT_END = 3,
+};
+
struct btmtk_wmt_hdr {
u8 dir;
u8 op;
--
2.45.2
^ permalink raw reply related
* [PATCH v5 2/3] Bluetooth: btmtk: Improve BT firmware logging
From: Chris Lu @ 2026-06-24 7:55 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Chris Lu
In-Reply-To: <20260624075505.1318804-1-chris.lu@mediatek.com>
Improve firmware loading log messages to provide more useful information:
- Add firmware filename before loading to help identify which file
is being loaded
- Display chip ID (dev_id) as HW version instead of firmware's hwver
field, which provides more meaningful hardware identification
log output with MT7922
[ 212.878783] Bluetooth: hci1: Loading BT firmware: mediatek/BT_RAM_CODE_MT7922_1_1_hdr.bin
[ 212.889614] Bluetooth: hci1: BT HW ver: 0x7922, SW ver: 0x008a, Build Time: 20260224103448
[ 216.048877] Bluetooth: hci1: Device setup in 3096530 usecs
[ 216.048890] Bluetooth: hci1: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
[ 216.114179] Bluetooth: hci1: AOSP extensions version v1.00
[ 216.114220] Bluetooth: hci1: AOSP quality report is supported
[ 216.116782] Bluetooth: MGMT ver 1.23
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
---
drivers/bluetooth/btmtk.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 21c08ee1cdbf..dc40820bfea0 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -147,6 +147,8 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
u32 section_num, dl_size, section_offset;
u8 cmd[64];
+ bt_dev_info(hdev, "Loading BT firmware: %s", fwname);
+
err = request_firmware(&fw, fwname, &hdev->dev);
if (err < 0) {
bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
@@ -159,8 +161,8 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
globaldesc = (struct btmtk_global_desc *)(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE);
section_num = le32_to_cpu(globaldesc->section_num);
- bt_dev_info(hdev, "HW/SW Version: 0x%04x%04x, Build Time: %s",
- le16_to_cpu(hdr->hwver), le16_to_cpu(hdr->swver), hdr->datetime);
+ bt_dev_info(hdev, "BT HW ver: 0x%04x, SW ver: 0x%04x, Build Time: %s",
+ dev_id & 0xffff, le16_to_cpu(hdr->swver), hdr->datetime);
for (i = 0; i < section_num; i++) {
first_block = 1;
--
2.45.2
^ permalink raw reply related
* RE: [PATCH V2 1/8] PCI: imx6: Add skip_pwrctrl_off flag support
From: Sherry Sun @ 2026-06-24 7:09 UTC (permalink / raw)
To: Frank Li (OSS), Sherry Sun (OSS)
Cc: robh@kernel.org, krzk+dt@kernel.org, conor+dt@kernel.org,
Frank Li, s.hauer@pengutronix.de, kernel@pengutronix.de,
festevam@gmail.com, Amitkumar Karwar, Neeraj Sanjay Kale,
marcel@holtmann.org, luiz.dentz@gmail.com, Hongxing Zhu,
l.stach@pengutronix.de, lpieralisi@kernel.org,
kwilczynski@kernel.org, mani@kernel.org, bhelgaas@google.com,
brgl@kernel.org, imx@lists.linux.dev, linux-pci@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, devicetree@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org,
linux-pm@vger.kernel.org
In-Reply-To: <ajqZBM6IkbDLiVu2@SMW015318>
> Subject: Re: [PATCH V2 1/8] PCI: imx6: Add skip_pwrctrl_off flag support
>
> On Tue, Jun 23, 2026 at 11:07:28AM +0800, Sherry Sun (OSS) wrote:
> > From: Sherry Sun <sherry.sun@nxp.com>
> >
> > Use dw_pcie_rp::skip_pwrctrl_off to avoid powering off devices during
> > suspend to preserve wakeup capability of the devices and also not to
> > power on the devices in the init path.
> > This allows controller power-off to be skipped when some devices(e.g.
> > M.2 cards key E without auxiliary power) required to support PCIe L2
> > link state and wake-up mechanisms.
> >
> > Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
> > ---
> > drivers/pci/controller/dwc/pci-imx6.c | 36
> > +++++++++++++++++----------
> > 1 file changed, 23 insertions(+), 13 deletions(-)
> >
> > diff --git a/drivers/pci/controller/dwc/pci-imx6.c
> > b/drivers/pci/controller/dwc/pci-imx6.c
> > index 0fa716d1ed75..ff5a9565dbbf 100644
> > --- a/drivers/pci/controller/dwc/pci-imx6.c
> > +++ b/drivers/pci/controller/dwc/pci-imx6.c
> > @@ -1382,16 +1382,20 @@ static int imx_pcie_host_init(struct dw_pcie_rp
> *pp)
> > }
> > }
> >
> > - ret = pci_pwrctrl_create_devices(dev);
> > - if (ret) {
> > - dev_err(dev, "failed to create pwrctrl devices\n");
> > - goto err_reg_disable;
> > + if (!pci->suspended) {
> > + ret = pci_pwrctrl_create_devices(dev);
>
> Is possible move pci_pwrctrl_create_devices() of pci_pwrctrl_create_devices
>
> and call it direct at probe() function, like other regulator_get function.
>
Hi Frank,
That makes sense. However, if we move pci_pwrctrl_create_devices () to
probe(), we may need to add the following goto err_pwrctrl_destroy path
in imx_pcie_probe() to properly handle errors from
pci_pwrctrl_power_on_devices(), is that acceptable?
@@ -1960,11 +1949,15 @@ static int imx_pcie_probe(struct platform_device *pdev)
if (ret)
return ret;
+ ret = pci_pwrctrl_create_devices(dev);
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to create pwrctrl devices\n");
+
pci->use_parent_dt_ranges = true;
if (imx_pcie->drvdata->mode == DW_PCIE_EP_TYPE) {
ret = imx_add_pcie_ep(imx_pcie, pdev);
if (ret < 0)
- return ret;
+ goto err_pwrctrl_destroy;
/*
* FIXME: Only single Device (EPF) is supported due to the
@@ -1979,7 +1972,7 @@ static int imx_pcie_probe(struct platform_device *pdev)
pci->pp.use_atu_msg = true;
ret = dw_pcie_host_init(&pci->pp);
if (ret < 0)
- return ret;
+ goto err_pwrctrl_destroy;
if (pci_msi_enabled()) {
u8 offset = dw_pcie_find_capability(pci, PCI_CAP_ID_MSI);
@@ -1991,6 +1984,11 @@ static int imx_pcie_probe(struct platform_device *pdev)
}
return 0;
+
+err_pwrctrl_destroy:
+ if (ret != -EPROBE_DEFER)
+ pci_pwrctrl_destroy_devices(dev);
+ return ret;
}
Best Regards
Sherry
>
> > + if (ret) {
> > + dev_err(dev, "failed to create pwrctrl devices\n");
> > + goto err_reg_disable;
> > + }
> > }
> >
> > - ret = pci_pwrctrl_power_on_devices(dev);
> > - if (ret) {
> > - dev_err(dev, "failed to power on pwrctrl devices\n");
> > - goto err_pwrctrl_destroy;
> > + if (!pp->skip_pwrctrl_off) {
> > + ret = pci_pwrctrl_power_on_devices(dev);
> > + if (ret) {
> > + dev_err(dev, "failed to power on pwrctrl devices\n");
> > + goto err_pwrctrl_destroy;
> > + }
> > }
> >
> > ret = imx_pcie_clk_enable(imx_pcie); @@ -1460,9 +1464,10 @@
> static
> > int imx_pcie_host_init(struct dw_pcie_rp *pp)
> > err_clk_disable:
> > imx_pcie_clk_disable(imx_pcie);
> > err_pwrctrl_power_off:
> > - pci_pwrctrl_power_off_devices(dev);
> > + if (!pp->skip_pwrctrl_off)
> > + pci_pwrctrl_power_off_devices(dev);
> > err_pwrctrl_destroy:
> > - if (ret != -EPROBE_DEFER)
> > + if (ret != -EPROBE_DEFER && !pci->suspended)
> > pci_pwrctrl_destroy_devices(dev);
> > err_reg_disable:
> > if (imx_pcie->vpcie)
> > @@ -1482,7 +1487,8 @@ static void imx_pcie_host_exit(struct dw_pcie_rp
> *pp)
> > }
> > imx_pcie_clk_disable(imx_pcie);
> >
> > - pci_pwrctrl_power_off_devices(pci->dev);
> > + if (!pci->pp.skip_pwrctrl_off)
> > + pci_pwrctrl_power_off_devices(pci->dev);
> > if (imx_pcie->vpcie)
> > regulator_disable(imx_pcie->vpcie);
> > }
> > @@ -1990,12 +1996,16 @@ static int imx_pcie_probe(struct
> > platform_device *pdev) static void imx_pcie_shutdown(struct
> > platform_device *pdev) {
> > struct imx_pcie *imx_pcie = platform_get_drvdata(pdev);
> > + struct dw_pcie *pci = imx_pcie->pci;
> > + struct dw_pcie_rp *pp = &pci->pp;
> >
> > /* bring down link, so bootloader gets clean state in case of reboot */
> > imx_pcie_assert_core_reset(imx_pcie);
> > imx_pcie_assert_perst(imx_pcie, true);
> > - pci_pwrctrl_power_off_devices(&pdev->dev);
> > - pci_pwrctrl_destroy_devices(&pdev->dev);
> > + if (!pp->skip_pwrctrl_off)
> > + pci_pwrctrl_power_off_devices(&pdev->dev);
> > + if (!pci->suspended)
> > + pci_pwrctrl_destroy_devices(&pdev->dev);
> > }
> >
> > static const struct imx_pcie_drvdata drvdata[] = {
> > --
> > 2.50.1
> >
> >
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-24 5:39 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1100171
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [PATCH v5] Bluetooth: btrtl: Add firmware format v3 support
From: Hilda Wu @ 2026-06-24 5:33 UTC (permalink / raw)
To: marcel
Cc: luiz.dentz, linux-bluetooth, linux-kernel, alex_lu, jason_mao,
zoey_zhou, max.chou, kidman
In-Reply-To: <CABBYNZ+_aocMGOdugwF3uP9h3NN4Dv5XYRyiN50W0AJ3rSETTA@mail.gmail.com>
Realtek updated its Bluetooth firmware format to v3.
This patch extends the btrtl driver to recognise and parse the new v3 file
format, including:
- New signature string and image ID definitions
- Extension of btrtl_device_info to store v3-specific metadata
- Logic to extract and load firmware data out of v3 images
- Maintains compatibility with existing v2 firmware format
This is required for future Realtek Bluetooth chips that ship with
v3 firmware.
The RTL8922D is the first IC to use firmware format V3, so the following
example uses the RTL8922D's log as expected fw format v3 output:
Bluetooth: btrtl_read_chip_id() hci0: RTL: chip_id status=0x00 id=0x37
Bluetooth: btrtl_initialize() hci0: RTL: examining hci_ver=0d
hci_rev=000d lmp_ver=0d lmp_subver=8922
Bluetooth: rtl_read_rom_version() hci0: RTL: rom_version status=0 version=1
Bluetooth: btrtl_initialize() hci0: RTL: btrtl_initialize: key id 0
Bluetooth: rtl_load_file() hci0: RTL: loading rtl_bt/rtl8922du_fw.bin
Bluetooth: rtl_load_file() hci0: RTL: loading rtl_bt/rtl8922du_config.bin
Bluetooth: rtlbt_parse_firmware_v3() hci0: RTL: key id 0
Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image (f000:00), chip id
55, cut 0x02, len 00007185
Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image version: 35fd7908
Bluetooth: rtlbt_parse_config() hci0: RTL: config file:
rtl_bt/rtl8922du_config_f000.bin
Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image (f002:00), chip id
55, cut 0x02, len 000078f5
Bluetooth: rtlbt_parse_section_v3() hci0: RTL: image version: 47b6874d
Bluetooth: rtlbt_parse_config() hci0: RTL: config file:
rtl_bt/rtl8922du_config_f002.bin
Bluetooth: rtlbt_parse_firmware_v3() hci0: RTL: image payload total len:
0x0000ea7a
Bluetooth: rtl_finalize_download() hci0: RTL: Watchdog reset status 00
Bluetooth: rtl_finalize_download() hci0: RTL: fw version 0x47b6874d
Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
Signed-off-by: Zoey Zhou <zoey_zhou@realsil.com.cn>
Signed-off-by: Hilda Wu <hildawu@realtek.com>
---
V4 -> V5::
- Add independent support for RTL8922D section
- Introduce macros to improve code readability
- Document firmware format v3 and its differences
- Align implementation with reviewer feedback
V3 -> V4:
- Rework skb->data access and add clarifying comments
- Fix latent issues
V2 -> V3:
- Address coccinelle warning
V1 -> V2:
- Add missing symbols
- Resolve build warnings
---
drivers/bluetooth/btrtl.c | 698 +++++++++++++++++++++++++++++++++++++-
drivers/bluetooth/btrtl.h | 102 ++++++
drivers/bluetooth/btusb.c | 3 +
3 files changed, 786 insertions(+), 17 deletions(-)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 49ecb18fea45..450b32bcfa63 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -22,6 +22,12 @@
#define RTL_CHIP_8723CS_XX 5
#define RTL_EPATCH_SIGNATURE "Realtech"
#define RTL_EPATCH_SIGNATURE_V2 "RTBTCore"
+#define RTL_EPATCH_SIGNATURE_V3 "BTNIC003"
+#define RTL_PATCH_V3_1 0x01
+#define RTL_PATCH_V3_2 0x02
+#define IMAGE_ID_F000 0xf000
+#define IMAGE_ID_F001 0xf001
+#define IMAGE_ID_F002 0xf002
#define RTL_ROM_LMP_8703B 0x8703
#define RTL_ROM_LMP_8723A 0x1200
#define RTL_ROM_LMP_8723B 0x8723
@@ -33,7 +39,14 @@
#define RTL_ROM_LMP_8922A 0x8922
#define RTL_CONFIG_MAGIC 0x8723ab55
-#define RTL_VSC_OP_COREDUMP 0xfcff
+#define RTL_VSC_OP_DOWNLOAD_CMD 0xfc20
+#define RTL_VSC_OP_READ_VENDER 0xfc61
+#define RTL_VSC_OP_WRITE_VENDOR 0xfc62
+#define RTL_VSC_OP_READ_ROM_VER 0xfc6d
+#define RTL_VSC_OP_READ_CHIP_ID 0xfc6f
+#define RTL_VSC_OP_COREDUMP 0xfcff
+#define RTL_VSC_OP_CHECK_DOWNLOAD_STATE 0xfdcf
+#define RTL_VSC_OP_WDG_RESET_CMD 0xfc8e
#define IC_MATCH_FL_LMPSUBV (1 << 0)
#define IC_MATCH_FL_HCIREV (1 << 1)
@@ -50,12 +63,16 @@
#define RTL_CHIP_SUBVER (&(struct rtl_vendor_cmd) {{0x10, 0x38, 0x04, 0x28, 0x80}})
#define RTL_CHIP_REV (&(struct rtl_vendor_cmd) {{0x10, 0x3A, 0x04, 0x28, 0x80}})
-#define RTL_SEC_PROJ (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0xAD, 0x00, 0xb0}})
+#define RTL_SEC_PROJ_V2 (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0xAD, 0x00, 0xb0}})
+#define RTL_SEC_PROJ_V3 (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0x0D, 0x01, 0xa0}})
#define RTL_PATCH_SNIPPETS 0x01
#define RTL_PATCH_DUMMY_HEADER 0x02
#define RTL_PATCH_SECURITY_HEADER 0x03
+#define CHIP_ID_V3_BASE 55
+#define RTL_VENDOR_WRITE_TYPE 0x21
+
enum btrtl_chip_id {
CHIP_ID_8723A,
CHIP_ID_8723B,
@@ -99,8 +116,11 @@ struct btrtl_device_info {
int cfg_len;
bool drop_fw;
int project_id;
+ u32 opcode;
+ u8 fw_type;
u8 key_id;
struct list_head patch_subsecs;
+ struct list_head patch_images;
};
static const struct id_table ic_id_table[] = {
@@ -371,6 +391,33 @@ static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev,
return &ic_id_table[i];
}
+static int btrtl_read_chip_id(struct hci_dev *hdev, u8 *chip_id)
+{
+ struct rtl_rp_read_chip_id *rp;
+ struct sk_buff *skb;
+ int ret = 0;
+
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_READ_CHIP_ID, 0, NULL, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+
+ rp = skb_pull_data(skb, sizeof(*rp));
+ if (!rp) {
+ ret = -EIO;
+ goto out;
+ }
+
+ rtl_dev_info(hdev, "chip_id status=0x%02x id=0x%02x",
+ rp->status, rp->chip_id);
+
+ if (chip_id)
+ *chip_id = rp->chip_id;
+
+out:
+ kfree_skb(skb);
+ return ret;
+}
+
static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
{
struct sk_buff *skb;
@@ -397,8 +444,7 @@ static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
struct rtl_rom_version_evt *rom_version;
struct sk_buff *skb;
- /* Read RTL ROM version command */
- skb = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_READ_ROM_VER, 0, NULL, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
rtl_dev_err(hdev, "Read ROM version failed (%ld)",
PTR_ERR(skb));
@@ -427,7 +473,7 @@ static int btrtl_vendor_read_reg16(struct hci_dev *hdev,
struct sk_buff *skb;
int err = 0;
- skb = __hci_cmd_sync(hdev, 0xfc61, sizeof(*cmd), cmd,
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_READ_VENDER, sizeof(*cmd), cmd,
HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
err = PTR_ERR(skb);
@@ -449,6 +495,26 @@ static int btrtl_vendor_read_reg16(struct hci_dev *hdev,
return 0;
}
+static int btrtl_vendor_write_mem(struct hci_dev *hdev, u32 addr, u32 val)
+{
+ struct rtl_vendor_write_cmd cp;
+ struct sk_buff *skb;
+ int err = 0;
+
+ cp.type = RTL_VENDOR_WRITE_TYPE;
+ cp.addr = cpu_to_le32(addr);
+ cp.val = cpu_to_le32(val);
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_WRITE_VENDOR, sizeof(cp), &cp, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ err = PTR_ERR(skb);
+ bt_dev_err(hdev, "RTL: Write mem32 failed (%d)", err);
+ return err;
+ }
+
+ kfree_skb(skb);
+ return 0;
+}
+
static void *rtl_iov_pull_data(struct rtl_iovec *iov, u32 len)
{
void *data = iov->data;
@@ -462,6 +528,31 @@ static void *rtl_iov_pull_data(struct rtl_iovec *iov, u32 len)
return data;
}
+
+static void btrtl_insert_ordered_patch_image(struct rtl_section_patch_image *image,
+ struct btrtl_device_info *btrtl_dev)
+{
+ struct list_head *pos;
+ struct list_head *next;
+ struct rtl_section_patch_image *node;
+
+ list_for_each_safe(pos, next, &btrtl_dev->patch_images) {
+ node = list_entry(pos, struct rtl_section_patch_image, list);
+
+ if (node->image_id > image->image_id) {
+ __list_add(&image->list, pos->prev, pos);
+ return;
+ }
+
+ if (node->image_id == image->image_id &&
+ node->index > image->index) {
+ __list_add(&image->list, pos->prev, pos);
+ return;
+ }
+ }
+ __list_add(&image->list, pos->prev, pos);
+}
+
static void btrtl_insert_ordered_subsec(struct rtl_subsection *node,
struct btrtl_device_info *btrtl_dev)
{
@@ -633,6 +724,279 @@ static int rtlbt_parse_firmware_v2(struct hci_dev *hdev,
}
*_buf = ptr;
+ btrtl_dev->fw_type = FW_TYPE_V2;
+ return len;
+}
+
+static int rtlbt_parse_config(struct hci_dev *hdev,
+ struct rtl_section_patch_image *patch_image,
+ struct btrtl_device_info *btrtl_dev)
+{
+ const struct id_table *ic_info = NULL;
+ const struct firmware *fw;
+ char tmp_name[32];
+ char filename[64];
+ u8 *cfg_buf;
+ char *str;
+ char *p;
+ size_t len;
+ int ret;
+
+ if (btrtl_dev && btrtl_dev->ic_info)
+ ic_info = btrtl_dev->ic_info;
+
+ if (!ic_info)
+ return -EINVAL;
+
+ str = ic_info->cfg_name;
+ if (btrtl_dev->fw_type == FW_TYPE_V3_1) {
+ if (!patch_image->image_id && !patch_image->index) {
+ snprintf(filename, sizeof(filename), "%s.bin", str);
+ goto load_fw;
+ }
+ goto done;
+ }
+
+ len = strlen(str);
+ if (len > sizeof(tmp_name) - 1)
+ len = sizeof(tmp_name) - 1;
+ memcpy(tmp_name, str, len);
+ tmp_name[len] = '\0';
+
+ str = tmp_name;
+ p = strsep(&str, ".");
+
+ ret = snprintf(filename, sizeof(filename), "%s", p);
+ if (patch_image->config_rule && patch_image->need_config) {
+ switch (patch_image->image_id) {
+ case IMAGE_ID_F000:
+ case IMAGE_ID_F001:
+ case IMAGE_ID_F002:
+ ret += snprintf(filename + ret, sizeof(filename) - ret,
+ "_%04x", patch_image->image_id);
+ break;
+ default:
+ goto done;
+ }
+ } else {
+ goto done;
+ }
+
+ snprintf(filename + ret, sizeof(filename) - ret, ".%s", str ? str : "bin");
+
+load_fw:
+ rtl_dev_info(hdev, "config file: %s", filename);
+ ret = request_firmware(&fw, filename, &hdev->dev);
+ if (ret < 0) {
+ if (btrtl_dev->fw_type == FW_TYPE_V3_2) {
+ len = 4;
+ cfg_buf = kvmalloc(len, GFP_KERNEL);
+ if (!cfg_buf)
+ return -ENOMEM;
+
+ memset(cfg_buf, 0xff, len);
+ patch_image->cfg_buf = cfg_buf;
+ patch_image->cfg_len = len;
+ return 0;
+ }
+ goto err_req_fw;
+ }
+ rtl_dev_info(hdev, "config file: %s found", filename);
+ cfg_buf = kvmalloc(fw->size, GFP_KERNEL);
+ if (!cfg_buf) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ memcpy(cfg_buf, fw->data, fw->size);
+ len = fw->size;
+ release_firmware(fw);
+
+ patch_image->cfg_buf = cfg_buf;
+ patch_image->cfg_len = len;
+done:
+ return 0;
+err:
+ release_firmware(fw);
+err_req_fw:
+ rtl_dev_info(hdev, "config file: [%s] not found", filename);
+ return ret;
+}
+
+static int rtlbt_parse_section_v3(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev,
+ u32 opcode, u8 *data, u32 len)
+{
+ struct rtl_section_patch_image *patch_image;
+ struct rtl_patch_image_hdr *hdr;
+ u16 image_id;
+ u16 chip_id;
+ size_t patch_image_len;
+ u8 *ptr;
+ int ret = 0;
+ size_t i;
+ struct rtl_iovec iov = {
+ .data = data,
+ .len = len,
+ };
+
+ hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
+ if (!hdr)
+ return -EINVAL;
+
+ if (btrtl_dev->opcode && btrtl_dev->opcode != opcode) {
+ rtl_dev_err(hdev, "invalid opcode 0x%02x", opcode);
+ return -EINVAL;
+ }
+
+ if (!btrtl_dev->opcode) {
+ btrtl_dev->opcode = opcode;
+ switch (btrtl_dev->opcode) {
+ case RTL_PATCH_V3_1:
+ btrtl_dev->fw_type = FW_TYPE_V3_1;
+ break;
+ case RTL_PATCH_V3_2:
+ btrtl_dev->fw_type = FW_TYPE_V3_2;
+ break;
+ default:
+ return -EINVAL;
+ }
+ }
+
+ patch_image_len = (u32)le64_to_cpu(hdr->patch_image_len);
+ chip_id = le16_to_cpu(hdr->chip_id);
+ image_id = le16_to_cpu(hdr->image_id);
+ rtl_dev_info(hdev, "image (%04x:%02x), chip id %u, cut 0x%02x, len %08zx"
+ , image_id, hdr->index, chip_id, hdr->ic_cut,
+ patch_image_len);
+
+ if (btrtl_dev->key_id != hdr->key_id) {
+ rtl_dev_err(hdev, "invalid key_id (%u, %u)", hdr->key_id,
+ btrtl_dev->key_id);
+ return -EINVAL;
+ }
+
+ if (hdr->ic_cut != btrtl_dev->rom_version + 1) {
+ rtl_dev_info(hdev, "unused ic_cut (%u, %u)", hdr->ic_cut,
+ btrtl_dev->rom_version + 1);
+ return -EINVAL;
+ }
+
+ if (btrtl_dev->fw_type == FW_TYPE_V3_1 && !btrtl_dev->project_id)
+ btrtl_dev->project_id = chip_id;
+
+ if (btrtl_dev->fw_type == FW_TYPE_V3_2 &&
+ chip_id != btrtl_dev->project_id) {
+ rtl_dev_err(hdev, "invalid chip_id (%u, %d)", chip_id,
+ btrtl_dev->project_id);
+ return -EINVAL;
+ }
+
+ ptr = rtl_iov_pull_data(&iov, patch_image_len);
+ if (!ptr)
+ return -ENODATA;
+
+ patch_image = kzalloc_obj(*patch_image);
+ if (!patch_image)
+ return -ENOMEM;
+ patch_image->index = hdr->index;
+ patch_image->image_id = image_id;
+ patch_image->config_rule = hdr->config_rule;
+ patch_image->need_config = hdr->need_config;
+
+ for (i = 0; i < DL_FIX_ADDR_MAX; i++) {
+ patch_image->fix[i].addr =
+ (u32)le64_to_cpu(hdr->addr_fix[i * 2]);
+ patch_image->fix[i].value =
+ (u32)le64_to_cpu(hdr->addr_fix[i * 2 + 1]);
+ }
+
+ patch_image->image_len = patch_image_len;
+ patch_image->image_data = kvmalloc(patch_image_len, GFP_KERNEL);
+ if (!patch_image->image_data) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ memcpy(patch_image->image_data, ptr, patch_image_len);
+ patch_image->image_ver =
+ get_unaligned_le32(ptr + patch_image->image_len - 4);
+ rtl_dev_info(hdev, "image version: %08x", patch_image->image_ver);
+
+ rtlbt_parse_config(hdev, patch_image, btrtl_dev);
+
+ ret = patch_image->image_len;
+
+ btrtl_insert_ordered_patch_image(patch_image, btrtl_dev);
+
+ return ret;
+err:
+ kfree(patch_image);
+ return ret;
+}
+
+static int rtlbt_parse_firmware_v3(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev)
+{
+ struct rtl_epatch_header_v3 *hdr;
+ int rc;
+ u32 num_sections;
+ struct rtl_section_v3 *section;
+ u32 section_len;
+ u32 opcode;
+ int len = 0;
+ int i;
+ u8 *ptr;
+ struct rtl_iovec iov = {
+ .data = btrtl_dev->fw_data,
+ .len = btrtl_dev->fw_len,
+ };
+
+ rtl_dev_info(hdev, "key id %u", btrtl_dev->key_id);
+
+ hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
+ if (!hdr)
+ return -EINVAL;
+ num_sections = le32_to_cpu(hdr->num_sections);
+
+ rtl_dev_dbg(hdev, "timpstamp %08x-%08x", *((u32 *)hdr->timestamp),
+ *((u32 *)(hdr->timestamp + 4)));
+
+ for (i = 0; i < num_sections; i++) {
+ section = rtl_iov_pull_data(&iov, sizeof(*section));
+ if (!section)
+ break;
+
+ section_len = (u32)le64_to_cpu(section->len);
+ opcode = le32_to_cpu(section->opcode);
+
+ rtl_dev_dbg(hdev, "opcode 0x%04x", section->opcode);
+
+ ptr = rtl_iov_pull_data(&iov, section_len);
+ if (!ptr)
+ break;
+
+ rc = 0;
+ switch (opcode) {
+ case RTL_PATCH_V3_1:
+ case RTL_PATCH_V3_2:
+ rc = rtlbt_parse_section_v3(hdev, btrtl_dev, opcode,
+ ptr, section_len);
+ break;
+ default:
+ rtl_dev_warn(hdev, "Unknown opcode %08x", opcode);
+ break;
+ }
+ if (rc < 0) {
+ rtl_dev_err(hdev, "Parse section (%u) err (%d)",
+ opcode, rc);
+ continue;
+ }
+ len += rc;
+ }
+
+ rtl_dev_info(hdev, "image payload total len: 0x%08x", len);
+ if (!len)
+ return -ENODATA;
+
return len;
}
@@ -678,6 +1042,9 @@ static int rtlbt_parse_firmware(struct hci_dev *hdev,
if (btrtl_dev->fw_len <= 8)
return -EINVAL;
+ if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V3, 8))
+ return rtlbt_parse_firmware_v3(hdev, btrtl_dev);
+
if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8))
min_size = sizeof(struct rtl_epatch_header) +
sizeof(extension_sig) + 3;
@@ -813,10 +1180,11 @@ static int rtlbt_parse_firmware(struct hci_dev *hdev,
memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
*_buf = buf;
+ btrtl_dev->fw_type = FW_TYPE_V1;
return len;
}
-static int rtl_download_firmware(struct hci_dev *hdev,
+static int rtl_download_firmware(struct hci_dev *hdev, u8 fw_type,
const unsigned char *data, int fw_len)
{
struct rtl_download_cmd *dl_cmd;
@@ -827,6 +1195,13 @@ static int rtl_download_firmware(struct hci_dev *hdev,
int j = 0;
struct sk_buff *skb;
struct hci_rp_read_local_version *rp;
+ u8 dl_rp_len = sizeof(struct rtl_download_response);
+
+ if (is_v3_fw(fw_type)) {
+ j = 1;
+ if (fw_type == FW_TYPE_V3_2)
+ dl_rp_len++;
+ }
dl_cmd = kmalloc_obj(*dl_cmd);
if (!dl_cmd)
@@ -840,15 +1215,15 @@ static int rtl_download_firmware(struct hci_dev *hdev,
j = 1;
if (i == (frag_num - 1)) {
- dl_cmd->index |= 0x80; /* data end */
+ if (!is_v3_fw(fw_type))
+ dl_cmd->index |= 0x80; /* data end */
frag_len = fw_len % RTL_FRAG_LEN;
}
rtl_dev_dbg(hdev, "download fw (%d/%d). index = %d", i,
frag_num, dl_cmd->index);
memcpy(dl_cmd->data, data, frag_len);
- /* Send download command */
- skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_DOWNLOAD_CMD, frag_len + 1, dl_cmd,
HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
rtl_dev_err(hdev, "download fw command failed (%ld)",
@@ -857,7 +1232,7 @@ static int rtl_download_firmware(struct hci_dev *hdev,
goto out;
}
- if (skb->len != sizeof(struct rtl_download_response)) {
+ if (skb->len != dl_rp_len) {
rtl_dev_err(hdev, "download fw event length mismatch");
kfree_skb(skb);
ret = -EIO;
@@ -868,6 +1243,9 @@ static int rtl_download_firmware(struct hci_dev *hdev,
data += RTL_FRAG_LEN;
}
+ if (is_v3_fw(fw_type))
+ goto out;
+
skb = btrtl_read_local_version(hdev);
if (IS_ERR(skb)) {
ret = PTR_ERR(skb);
@@ -885,6 +1263,237 @@ static int rtl_download_firmware(struct hci_dev *hdev,
return ret;
}
+static int rtl_check_download_state(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev)
+{
+ struct sk_buff *skb;
+ int ret = 0;
+ u8 *state;
+
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_CHECK_DOWNLOAD_STATE, 0, NULL, HCI_CMD_TIMEOUT);
+ if (IS_ERR(skb)) {
+ rtl_dev_err(hdev, "write tb error %lu", PTR_ERR(skb));
+ return -EIO;
+ }
+
+ /* Other driver might be downloading the combined firmware. */
+ state = skb_pull_data(skb, sizeof(*state));
+ if (state && *state == 0x03) {
+ btrealtek_set_flag(hdev, REALTEK_DOWNLOADING);
+ ret = btrealtek_wait_on_flag_timeout(hdev, REALTEK_DOWNLOADING,
+ TASK_INTERRUPTIBLE,
+ msecs_to_jiffies(5000));
+ if (ret == -EINTR) {
+ bt_dev_err(hdev, "Firmware loading interrupted");
+ goto out;
+ }
+
+ if (ret) {
+ bt_dev_err(hdev, "Firmware loading timeout");
+ ret = -ETIMEDOUT;
+ } else {
+ ret = -EALREADY;
+ }
+
+ }
+
+out:
+ kfree_skb(skb);
+ return ret;
+}
+
+static int rtl_finalize_download(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev)
+{
+ struct hci_rp_read_local_version *rp_ver;
+ u8 params[2] = { 0x03, 0xb2 };
+ struct sk_buff *skb;
+ int ret = 0;
+ u16 opcode;
+ u32 len;
+ u8 *p;
+
+ opcode = RTL_VSC_OP_WDG_RESET_CMD;
+ len = 2;
+ if (btrtl_dev->opcode == RTL_PATCH_V3_1) {
+ opcode = RTL_VSC_OP_DOWNLOAD_CMD;
+ params[0] = 0x80;
+ len = 1;
+ }
+ skb = __hci_cmd_sync(hdev, opcode, len, params, HCI_CMD_TIMEOUT);
+ if (IS_ERR(skb)) {
+ rtl_dev_err(hdev, "Watchdog reset err (%ld)", PTR_ERR(skb));
+ return -EIO;
+ }
+ p = skb_pull_data(skb, 1);
+ if (!p) {
+ ret = -ENODATA;
+ goto out;
+ }
+ rtl_dev_info(hdev, "Watchdog reset status %02x", *p);
+ kfree_skb(skb);
+
+ skb = btrtl_read_local_version(hdev);
+ if (IS_ERR(skb)) {
+ ret = PTR_ERR(skb);
+ rtl_dev_err(hdev, "read local version failed (%d)", ret);
+ return ret;
+ }
+
+ rp_ver = skb_pull_data(skb, sizeof(*rp_ver));
+ if (rp_ver)
+ rtl_dev_info(hdev, "fw version 0x%04x%04x",
+ __le16_to_cpu(rp_ver->hci_rev),
+ __le16_to_cpu(rp_ver->lmp_subver));
+out:
+ kfree_skb(skb);
+ return ret;
+}
+
+static int rtl_security_check(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev)
+{
+ struct rtl_section_patch_image *tmp = NULL;
+ struct rtl_section_patch_image *image = NULL;
+ u32 val;
+ int ret;
+
+ list_for_each_entry_reverse(tmp, &btrtl_dev->patch_images, list) {
+ /* Check security hdr */
+ if (!tmp->fix[DL_FIX_SEC_HDR_ADDR].value ||
+ !tmp->fix[DL_FIX_SEC_HDR_ADDR].addr ||
+ tmp->fix[DL_FIX_SEC_HDR_ADDR].addr == 0xffffffff)
+ continue;
+ rtl_dev_info(hdev, "addr 0x%08x, value 0x%08x",
+ tmp->fix[DL_FIX_SEC_HDR_ADDR].addr,
+ tmp->fix[DL_FIX_SEC_HDR_ADDR].value);
+ image = tmp;
+ break;
+ }
+
+ if (!image)
+ return 0;
+
+ rtl_dev_info(hdev, "sec image (%04x:%02x)", image->image_id,
+ image->index);
+ val = image->fix[DL_FIX_PATCH_ADDR].value + image->image_len -
+ image->fix[DL_FIX_SEC_HDR_ADDR].value;
+ ret = btrtl_vendor_write_mem(hdev, image->fix[DL_FIX_PATCH_ADDR].addr,
+ val);
+ if (ret) {
+ rtl_dev_err(hdev, "write sec reg failed (%d)", ret);
+ return ret;
+ }
+ return 0;
+}
+
+static int rtl_download_firmware_v3(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev)
+{
+ struct rtl_section_patch_image *image, *tmp;
+ struct rtl_rp_dl_v3 *rp;
+ struct sk_buff *skb;
+ u8 *fw_data;
+ int fw_len;
+ int ret = 0;
+ u8 i;
+
+ if (btrtl_dev->fw_type == FW_TYPE_V3_2) {
+ ret = rtl_check_download_state(hdev, btrtl_dev);
+ if (ret) {
+ if (ret == -EALREADY)
+ return 0;
+ return ret;
+ }
+ }
+
+ list_for_each_entry_safe(image, tmp, &btrtl_dev->patch_images, list) {
+ rtl_dev_dbg(hdev, "image (%04x:%02x)", image->image_id,
+ image->index);
+
+ for (i = DL_FIX_CI_ID; i < DL_FIX_ADDR_MAX; i++) {
+ if (!image->fix[i].addr ||
+ image->fix[i].addr == 0xffffffff) {
+ rtl_dev_dbg(hdev, "no need to write addr %08x",
+ image->fix[i].addr);
+ continue;
+ }
+ rtl_dev_dbg(hdev, "write addr and val, 0x%08x, 0x%08x",
+ image->fix[i].addr, image->fix[i].value);
+ if (btrtl_vendor_write_mem(hdev, image->fix[i].addr,
+ image->fix[i].value)) {
+ rtl_dev_err(hdev, "write reg failed");
+ ret = -EIO;
+ goto done;
+ }
+ }
+
+ fw_len = image->image_len + image->cfg_len;
+ fw_data = kvmalloc(fw_len, GFP_KERNEL);
+ if (!fw_data) {
+ rtl_dev_err(hdev, "Couldn't alloc buf for image data");
+ ret = -ENOMEM;
+ goto done;
+ }
+ memcpy(fw_data, image->image_data, image->image_len);
+ if (image->cfg_len > 0)
+ memcpy(fw_data + image->image_len, image->cfg_buf,
+ image->cfg_len);
+
+ rtl_dev_dbg(hdev, "patch image (%04x:%02x). len: %d",
+ image->image_id, image->index, fw_len);
+ rtl_dev_dbg(hdev, "fw_data %p, image buf %p, len %u", fw_data,
+ image->image_data, image->image_len);
+
+ ret = rtl_download_firmware(hdev, btrtl_dev->fw_type, fw_data,
+ fw_len);
+ kvfree(fw_data);
+ if (ret < 0) {
+ rtl_dev_err(hdev, "download firmware failed (%d)", ret);
+ goto done;
+ }
+
+ if (image->list.next != &btrtl_dev->patch_images &&
+ image->image_id == tmp->image_id)
+ continue;
+
+ if (btrtl_dev->fw_type == FW_TYPE_V3_1)
+ continue;
+
+ i = 0x80;
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_DOWNLOAD_CMD, 1, &i, HCI_CMD_TIMEOUT);
+ if (IS_ERR(skb)) {
+ ret = -EIO;
+ rtl_dev_err(hdev, "Failed to issue last cmd fc20, %ld",
+ PTR_ERR(skb));
+ goto done;
+ }
+ ret = 2;
+ rp = skb_pull_data(skb, sizeof(*rp));
+ if (rp)
+ ret = rp->err;
+ kfree_skb(skb);
+ if (ret == 2) {
+ /* Verification failure */
+ ret = -EFAULT;
+ goto done;
+ }
+ }
+
+ if (btrtl_dev->fw_type == FW_TYPE_V3_1) {
+ ret = rtl_security_check(hdev, btrtl_dev);
+ if (ret) {
+ rtl_dev_err(hdev, "Security check failed (%d)", ret);
+ goto done;
+ }
+ }
+
+ ret = rtl_finalize_download(hdev, btrtl_dev);
+
+done:
+ return ret;
+}
+
static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff)
{
const struct firmware *fw;
@@ -918,7 +1527,7 @@ static int btrtl_setup_rtl8723a(struct hci_dev *hdev,
return -EINVAL;
}
- return rtl_download_firmware(hdev, btrtl_dev->fw_data,
+ return rtl_download_firmware(hdev, FW_TYPE_V0, btrtl_dev->fw_data,
btrtl_dev->fw_len);
}
@@ -933,7 +1542,7 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
if (ret < 0)
goto out;
- if (btrtl_dev->cfg_len > 0) {
+ if (!is_v3_fw(btrtl_dev->fw_type) && btrtl_dev->cfg_len > 0) {
tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
if (!tbuff) {
ret = -ENOMEM;
@@ -949,9 +1558,14 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
fw_data = tbuff;
}
+ if (is_v3_fw(btrtl_dev->fw_type)) {
+ ret = rtl_download_firmware_v3(hdev, btrtl_dev);
+ goto out;
+ }
+
rtl_dev_info(hdev, "cfg_sz %d, total sz %d", btrtl_dev->cfg_len, ret);
- ret = rtl_download_firmware(hdev, fw_data, ret);
+ ret = rtl_download_firmware(hdev, btrtl_dev->fw_type, fw_data, ret);
out:
kvfree(fw_data);
@@ -1021,7 +1635,7 @@ static int rtl_read_chip_type(struct hci_dev *hdev, u8 *type)
const unsigned char cmd_buf[] = {0x00, 0x94, 0xa0, 0x00, 0xb0};
/* Read RTL chip type command */
- skb = __hci_cmd_sync(hdev, 0xfc61, 5, cmd_buf, HCI_INIT_TIMEOUT);
+ skb = __hci_cmd_sync(hdev, RTL_VSC_OP_READ_VENDER, 5, cmd_buf, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
rtl_dev_err(hdev, "Read chip type failed (%ld)",
PTR_ERR(skb));
@@ -1047,6 +1661,7 @@ static int rtl_read_chip_type(struct hci_dev *hdev, u8 *type)
void btrtl_free(struct btrtl_device_info *btrtl_dev)
{
struct rtl_subsection *entry, *tmp;
+ struct rtl_section_patch_image *image, *next;
kvfree(btrtl_dev->fw_data);
kvfree(btrtl_dev->cfg_data);
@@ -1056,6 +1671,13 @@ void btrtl_free(struct btrtl_device_info *btrtl_dev)
kfree(entry);
}
+ list_for_each_entry_safe(image, next, &btrtl_dev->patch_images, list) {
+ list_del(&image->list);
+ kvfree(image->image_data);
+ kvfree(image->cfg_buf);
+ kfree(image);
+ }
+
kfree(btrtl_dev);
}
EXPORT_SYMBOL_GPL(btrtl_free);
@@ -1063,7 +1685,7 @@ EXPORT_SYMBOL_GPL(btrtl_free);
struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
const char *postfix)
{
- struct btrealtek_data *coredump_info = hci_get_priv(hdev);
+ struct btrealtek_data *btrtl_data = hci_get_priv(hdev);
struct btrtl_device_info *btrtl_dev;
struct sk_buff *skb;
struct hci_rp_read_local_version *resp;
@@ -1072,6 +1694,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
char cfg_name[40];
u16 hci_rev, lmp_subver;
u8 hci_ver, lmp_ver, chip_type = 0;
+ u8 chip_id = 0;
int ret;
int rc;
u8 key_id;
@@ -1084,8 +1707,15 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
}
INIT_LIST_HEAD(&btrtl_dev->patch_subsecs);
+ INIT_LIST_HEAD(&btrtl_dev->patch_images);
check_version:
+ ret = btrtl_read_chip_id(hdev, &chip_id);
+ if (!ret && chip_id >= CHIP_ID_V3_BASE) {
+ btrtl_dev->project_id = chip_id;
+ goto read_local_ver;
+ }
+
ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_SUBVER, reg_val);
if (ret < 0)
goto err_free;
@@ -1108,6 +1738,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
}
}
+read_local_ver:
skb = btrtl_read_local_version(hdev);
if (IS_ERR(skb)) {
ret = PTR_ERR(skb);
@@ -1185,7 +1816,11 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
goto err_free;
}
- rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
+ if (btrtl_dev->project_id >= CHIP_ID_V3_BASE)
+ rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ_V3, reg_val);
+ else
+ rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ_V2, reg_val);
+
if (rc < 0)
goto err_free;
@@ -1243,7 +1878,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
hci_set_msft_opcode(hdev, 0xFCF0);
if (btrtl_dev->ic_info)
- coredump_info->rtl_dump.controller = btrtl_dev->ic_info->hw_info;
+ btrtl_data->rtl_dump.controller = btrtl_dev->ic_info->hw_info;
return btrtl_dev;
@@ -1416,6 +2051,35 @@ int btrtl_shutdown_realtek(struct hci_dev *hdev)
}
EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
+
+int btrtl_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
+{
+ struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
+ struct hci_event_hdr *hdr;
+ u8 *p;
+
+ if (!clone)
+ goto out;
+
+ hdr = skb_pull_data(clone, sizeof(*hdr));
+ if (!hdr || hdr->evt != HCI_VENDOR_PKT)
+ goto out;
+
+ p = skb_pull_data(clone, 1);
+ if (!p)
+ goto out;
+ switch (*p) {
+ case 0x77:
+ if (btrealtek_test_and_clear_flag(hdev, REALTEK_DOWNLOADING))
+ btrealtek_wake_up_flag(hdev, REALTEK_DOWNLOADING);
+ break;
+ }
+out:
+ consume_skb(clone);
+ return hci_recv_frame(hdev, skb);
+}
+EXPORT_SYMBOL_GPL(btrtl_recv_event);
+
static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
{
switch (device_baudrate) {
diff --git a/drivers/bluetooth/btrtl.h b/drivers/bluetooth/btrtl.h
index a2d9d34f9fb0..dd4acdf29b2f 100644
--- a/drivers/bluetooth/btrtl.h
+++ b/drivers/bluetooth/btrtl.h
@@ -12,6 +12,19 @@
#define rtl_dev_info(dev, fmt, ...) bt_dev_info(dev, "RTL: " fmt, ##__VA_ARGS__)
#define rtl_dev_dbg(dev, fmt, ...) bt_dev_dbg(dev, "RTL: " fmt, ##__VA_ARGS__)
+#define FW_TYPE_V0 0
+#define FW_TYPE_V1 1
+#define FW_TYPE_V2 2
+#define FW_TYPE_V3_1 3
+#define FW_TYPE_V3_2 4
+#define is_v3_fw(type) (type == FW_TYPE_V3_1 || type == FW_TYPE_V3_2)
+
+#define DL_FIX_CI_ID 0
+#define DL_FIX_CI_ADDR 1
+#define DL_FIX_PATCH_ADDR 2
+#define DL_FIX_SEC_HDR_ADDR 3
+#define DL_FIX_ADDR_MAX 4
+
struct btrtl_device_info;
struct rtl_chip_type_evt {
@@ -103,8 +116,79 @@ struct rtl_vendor_cmd {
__u8 param[5];
} __packed;
+struct rtl_vendor_write_cmd {
+ u8 type;
+ __le32 addr;
+ __le32 val;
+} __packed;
+
+struct rtl_rp_read_chip_id {
+ __u8 status;
+ __u8 chip_id;
+} __packed;
+
+struct rtl_rp_dl_v3 {
+ __u8 status;
+ __u8 index;
+ __u8 err;
+} __packed;
+
+struct rtl_epatch_header_v3 {
+ __u8 signature[8];
+ __u8 timestamp[8];
+ __le32 ver_rsvd;
+ __le32 num_sections;
+} __packed;
+
+struct rtl_section_v3 {
+ __le32 opcode;
+ __le64 len;
+ u8 data[];
+} __packed;
+
+struct rtl_addr_fix {
+ u32 addr;
+ u32 value;
+};
+
+struct rtl_section_patch_image {
+ u16 image_id;
+ u8 index;
+ u8 config_rule;
+ u8 need_config;
+
+ struct rtl_addr_fix fix[DL_FIX_ADDR_MAX];
+
+ u32 image_len;
+ u8 *image_data;
+ u32 image_ver;
+
+ u8 *cfg_buf;
+ u16 cfg_len;
+
+ struct list_head list;
+};
+
+struct rtl_patch_image_hdr {
+ __le16 chip_id;
+ u8 ic_cut;
+ u8 key_id;
+ u8 enable_ota;
+ __le16 image_id;
+ u8 config_rule;
+ u8 need_config;
+ u8 rsv[950];
+
+ __le64 addr_fix[DL_FIX_ADDR_MAX * 2];
+ u8 index;
+
+ __le64 patch_image_len;
+ __u8 data[];
+} __packed;
+
enum {
REALTEK_ALT6_CONTINUOUS_TX_CHIP,
+ REALTEK_DOWNLOADING,
__REALTEK_NUM_FLAGS,
};
@@ -130,8 +214,20 @@ struct btrealtek_data {
#define btrealtek_get_flag(hdev) \
(((struct btrealtek_data *)hci_get_priv(hdev))->flags)
+#define btrealtek_wake_up_flag(hdev, nr) \
+ do { \
+ struct btrealtek_data *rtl = hci_get_priv((hdev)); \
+ wake_up_bit(rtl->flags, (nr)); \
+ } while (0)
+
#define btrealtek_test_flag(hdev, nr) test_bit((nr), btrealtek_get_flag(hdev))
+#define btrealtek_test_and_clear_flag(hdev, nr) \
+ test_and_clear_bit((nr), btrealtek_get_flag(hdev))
+
+#define btrealtek_wait_on_flag_timeout(hdev, nr, m, to) \
+ wait_on_bit_timeout(btrealtek_get_flag(hdev), (nr), m, to)
+
#if IS_ENABLED(CONFIG_BT_RTL)
struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
@@ -148,6 +244,7 @@ int btrtl_get_uart_settings(struct hci_dev *hdev,
unsigned int *controller_baudrate,
u32 *device_baudrate, bool *flow_control);
void btrtl_set_driver_name(struct hci_dev *hdev, const char *driver_name);
+int btrtl_recv_event(struct hci_dev *hdev, struct sk_buff *skb);
#else
@@ -157,6 +254,11 @@ static inline struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
return ERR_PTR(-EOPNOTSUPP);
}
+static inline int btrtl_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
+{
+ return -EOPNOTSUPP;
+}
+
static inline void btrtl_free(struct btrtl_device_info *btrtl_dev)
{
}
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 7f14ce96319b..55a845efaeb5 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2798,6 +2798,9 @@ static int btusb_recv_event_realtek(struct hci_dev *hdev, struct sk_buff *skb)
return 0;
}
+ if (skb->data[0] == HCI_VENDOR_PKT)
+ return btrtl_recv_event(hdev, skb);
+
return hci_recv_frame(hdev, skb);
}
--
2.34.1
^ permalink raw reply related
* Re: [PATCH v4 0/2] Bluetooth: btmtksdio: teardown fixes
From: Sergey Senozhatsky @ 2026-06-24 5:19 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz, Sean Wang
Cc: Tomasz Figa, linux-bluetooth, linux-kernel, linux-arm-kernel,
linux-mediatek, Sergey Senozhatsky
In-Reply-To: <20260618031338.1011410-1-senozhatsky@chromium.org>
On (26/06/18 12:13), Sergey Senozhatsky wrote:
> This fixes several teardown issues:
>
> INFO: task kworker/u17:0:189 blocked for more than 122 seconds.
> __cancel_work_timer+0x3f4/0x460
> cancel_work_sync+0x1c/0x2c
> btmtksdio_flush+0x2c/0x40
> hci_dev_open_sync+0x10c4/0x2190
> [..]
>
> close/flush can deadlock when run concurrently with btmtksdio_txrx_work().
> In addition btmtksdio_txrx_work() re-enables interrupts regardless of
> close/flush being executed on another CPU.
>
> v3 -> v4:
> - fix commit message linter warnings/errors (tabs, subject line over 80
> chars).
>
> Sergey Senozhatsky (2):
> Bluetooth: btmtksdio: test for BUS IO errors in btmtksdio_txrx_work()
> Bluetooth: btmtksdio: call cancel_work_sync() out of host lock scope
Do the patches look good enough to pick up?
^ permalink raw reply
* Re: [PATCH v4 2/2] Bluetooth: btmtk: Add MT7928 support
From: Chris Lu (陸稚泓) @ 2026-06-24 2:32 UTC (permalink / raw)
To: pmenzel@molgen.mpg.de
Cc: Will-CY Lee (李政穎),
Steve Lee (李視誠), luiz.dentz@gmail.com,
marcel@holtmann.org, SS Wu (巫憲欣),
linux-kernel@vger.kernel.org, johan.hedberg@gmail.com, Sean Wang,
linux-bluetooth@vger.kernel.org,
linux-mediatek@lists.infradead.org
In-Reply-To: <6e44158f-7bc7-4568-ab03-2bc215c2c679@molgen.mpg.de>
Hi Paul,
On Tue, 2026-06-23 at 10:05 +0200, Paul Menzel wrote:
>
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>
>
> Dear Chris,
>
>
> Thank you for your patch.
>
> Am 23.06.26 um 05:41 schrieb Chris Lu:
> > Add support for MT7928 (internal device ID is MT7935) which
> > requires
> > additional firmware (CBMCU firmware) loading before Bluetooth
> > firmware.
> >
> > CBMCU is a new component on MT7928 to handle common part shared
> > across
> > the combo chip (Wi-Fi/Bluetooth's subsystem), providing a better
> > user
> > experience through improved coordination between subsystems.
> >
> > Implement two-phase CBMCU firmware download: Phase 1 loads section
> > with
> > type 0x5 containing global descriptor, section maps and signature
> > data;
> > Phase 2 loads remaining firmware sections. Add retry mechanism for
> > concurrent download protection.
> >
> > After CBMCU firmware loads successfully, the driver continues to
> > load
> > corresponding BT firmware based on device ID through fallthrough to
> > case 0x7922/0x7925.
> >
> > The
> > firmware(CBMCU_CODE_MT7935_1_1.bin/BT_RAM_CODE_MT7935_1_1_hdr.bin)
> > required for MT7928 will be scheduled for upload to linux-firmware
> > at
> > a later stage.
> >
> > MT7928 bringup kernel log:
>
> bring-up
>
> > [ 475.742336] usb 1-3: New USB device found, idVendor=0e8d,
> > idProduct=7935, bcdDevice= 1.00
> > [ 475.742399] usb 1-3: New USB device strings: Mfr=5, Product=6,
> > SerialNumber=7
> > [ 475.742436] usb 1-3: Product: Wireless_Device
> > [ 475.742466] usb 1-3: Manufacturer: MediaTek Inc.
> > [ 475.742495] usb 1-3: SerialNumber: 000000000
> > [ 475.766697] Bluetooth: hci1: CBMCU Version: 0x00000000, Build
> > Time: 20260601T161751+0800
> > [ 476.144693] Bluetooth: hci1: CBMCU firmware download completed
> > [ 476.190083] Bluetooth: hci1: HW/SW Version: 0x00000000, Build
> > Time: 20260527000816
>
> Can we improve these logs to include the device name and to have one
> line (or two lines) less?
>
> Bluetooth: MT7928: CBMCU firmware <name> (version: 0x<short>,
> build
> time: 20260601T161751+0800) update complete
> Bluetooth: MT7928: device firmware updated to <name>
>
> The second line is unrelated to this change.
Regarding the version, since the firmware is still under internal
development, the information currently seems meaningless. It will be an
important information for MTK debugging in the future.
As for displaying the IC code, that's a great suggestion. I'll submit a
new version and reconsider how to present these logs.
>
> > [ 479.073470] Bluetooth: hci1: Device setup in 3238661 usecs
> > [ 479.073489] Bluetooth: hci1: HCI Enhanced Setup Synchronous
> > Connection command is advertised, but not supported.
> > [ 479.177477] Bluetooth: hci1: AOSP extensions version v2.00
> > [ 479.177506] Bluetooth: hci1: AOSP quality report is supported
> > [ 479.178814] Bluetooth: MGMT ver 1.23
> >
> > Signed-off-by: Chris Lu <chris.lu@mediatek.com>
> > ---
> > drivers/bluetooth/btmtk.c | 352
> > +++++++++++++++++++++++++++++++++++++-
> > drivers/bluetooth/btmtk.h | 3 +
> > 2 files changed, 354 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> > index 21c08ee1cdbf..dcbd431cc364 100644
> > --- a/drivers/bluetooth/btmtk.c
> > +++ b/drivers/bluetooth/btmtk.c
> > @@ -21,6 +21,12 @@
> > #define MTK_FW_ROM_PATCH_SEC_MAP_SIZE 64
> > #define MTK_SEC_MAP_COMMON_SIZE 12
> > #define MTK_SEC_MAP_NEED_SEND_SIZE 52
> > +#define MTK_SEC_MAP_LENGTH_SIZE 4
> > +#define MTK_SEC_CBMCU_DESC 0x5
> > +
> > +/* CBMCU WMT command flags */
> > +#define BTMTK_CBMCU_FLAG_QUERY_STATUS 0xF0
> > +#define BTMTK_CBMCU_FLAG_ENABLE_PATCH 0xF1
> >
> > /* It is for mt79xx iso data transmission setting */
> > #define MTK_ISO_THRESHOLD 264
> > @@ -120,6 +126,11 @@ void btmtk_fw_get_filename(char *buf, size_t
> > size, u32 dev_id, u32 fw_ver,
> > snprintf(buf, size,
> >
> > "mediatek/mt%04x/BT_RAM_CODE_MT%04x_1_%x_hdr.bin",
> > dev_id & 0xffff, dev_id & 0xffff, (fw_ver &
> > 0xff) + 1);
> > + /* MT7928 */
> > + else if (dev_id == 0x7935)
> > + snprintf(buf, size,
> > +
> > "mediatek/mt7928/BT_RAM_CODE_MT%04x_1_1_hdr.bin",
> > + dev_id & 0xffff);
> > else if (dev_id == 0x7961 && fw_flavor)
> > snprintf(buf, size,
> > "mediatek/BT_RAM_CODE_MT%04x_1a_%x_hdr.bin",
> > @@ -734,6 +745,7 @@ static int btmtk_usb_hci_wmt_sync(struct
> > hci_dev *hdev,
> > status = BTMTK_WMT_ON_UNDONE;
> > break;
> > case BTMTK_WMT_PATCH_DWNLD:
> > + case BTMTK_WMT_CBMCU_DWNLD:
> > if (wmt_evt->whdr.flag == 2)
> > status = BTMTK_WMT_PATCH_DONE;
> > else if (wmt_evt->whdr.flag == 1)
> > @@ -870,6 +882,333 @@ static u32 btmtk_usb_reset_done(struct
> > hci_dev *hdev)
> > return val & MTK_BT_RST_DONE;
> > }
> >
> > +static int btmtk_cbmcu_patch_status(struct hci_dev *hdev,
> > + wmt_cmd_sync_func_t wmt_cmd_sync,
> > + u8 *patch_status)
> > +{
> > + struct btmtk_hci_wmt_params wmt_params;
> > + int status, err, retry = 20;
> > +
> > + do {
> > + wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> > + wmt_params.flag = BTMTK_CBMCU_FLAG_QUERY_STATUS;
> > + wmt_params.dlen = 0;
> > + wmt_params.data = NULL;
> > + wmt_params.status = &status;
> > +
> > + err = wmt_cmd_sync(hdev, &wmt_params);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to query CBMCU patch
> > status (%d)", err);
> > + return err;
> > + }
> > +
> > + *patch_status = (u8)status;
> > +
> > + if (*patch_status == BTMTK_WMT_PATCH_PROGRESS) {
> > + msleep(100);
> > + retry--;
> > + } else {
> > + break;
> > + }
> > + } while (retry > 0);
> > +
> > + return 0;
> > +}
> > +
> > +static int btmtk_query_cbmcu_section(struct hci_dev *hdev,
> > + wmt_cmd_sync_func_t
> > wmt_cmd_sync,
> > + u8 cbmcu_type,
> > + const u8 *section_map,
> > + u32 cert_len)
> > +{
> > + struct btmtk_hci_wmt_params wmt_params;
> > + u8 cmd[64];
> > + int status, err;
> > +
> > + cmd[0] = 0;
> > + cmd[1] = cbmcu_type;
> > +
> > + if (cbmcu_type == 0)
> > + put_unaligned_le32(cert_len, &cmd[2]);
> > + else
> > + memcpy(&cmd[2], section_map,
> > MTK_SEC_MAP_NEED_SEND_SIZE);
> > +
> > + wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> > + wmt_params.flag = 0;
> > + wmt_params.dlen = cbmcu_type ?
> > + MTK_SEC_MAP_NEED_SEND_SIZE + 2 :
> > + MTK_SEC_MAP_LENGTH_SIZE + 2;
> > + wmt_params.data = cmd;
> > + wmt_params.status = &status;
> > +
> > + err = wmt_cmd_sync(hdev, &wmt_params);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to query CBMCU section
> > (%d)", err);
> > + return err;
> > + }
> > +
> > + /* Query should return UNDONE status for successful section
> > query */
> > + if (status != BTMTK_WMT_PATCH_UNDONE) {
> > + bt_dev_err(hdev, "CBMCU section query status error
> > (%d)", status);
> > + return -EIO;
> > + }
> > +
> > + return 0;
> > +}
> > +
> > +static int btmtk_download_cbmcu_section(struct hci_dev *hdev,
> > + wmt_cmd_sync_func_t
> > wmt_cmd_sync,
> > + const u8 *fw_data,
> > + u32 dl_size)
> > +{
> > + struct btmtk_hci_wmt_params wmt_params;
> > + u32 sent_len, total_size = dl_size;
> > + int err;
> > +
> > + wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> > + wmt_params.status = NULL;
> > +
> > + while (dl_size > 0) {
> > + sent_len = min_t(u32, 250, dl_size);
> > +
> > + if (dl_size == total_size)
> > + wmt_params.flag = BTMTK_WMT_PKT_START;
> > + else if (dl_size == sent_len)
> > + wmt_params.flag = BTMTK_WMT_PKT_END;
> > + else
> > + wmt_params.flag = BTMTK_WMT_PKT_CONTINUE;
> > +
> > + wmt_params.dlen = sent_len;
> > + wmt_params.data = fw_data;
> > +
> > + err = wmt_cmd_sync(hdev, &wmt_params);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to send CBMCU
> > section data (%d)", err);
> > + return err;
> > + }
> > +
> > + dl_size -= sent_len;
> > + fw_data += sent_len;
> > + }
> > +
> > + return 0;
> > +}
> > +
> > +static int btmtk_enable_cbmcu_patch(struct hci_dev *hdev,
> > + wmt_cmd_sync_func_t wmt_cmd_sync)
> > +{
> > + struct btmtk_hci_wmt_params wmt_params;
> > + int err;
> > +
> > + wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> > + wmt_params.flag = BTMTK_CBMCU_FLAG_ENABLE_PATCH;
> > + wmt_params.dlen = 0;
> > + wmt_params.data = NULL;
> > + wmt_params.status = NULL;
> > +
> > + err = wmt_cmd_sync(hdev, &wmt_params);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to enable CBMCU patch (%d)",
> > err);
> > + return err;
> > + }
> > +
> > + return 0;
> > +}
> > +
> > +static int btmtk_load_cbmcu_firmware(struct hci_dev *hdev,
> > + const char *fwname,
> > + wmt_cmd_sync_func_t
> > wmt_cmd_sync)
> > +{
> > + struct btmtk_patch_header *hdr;
> > + struct btmtk_global_desc *globaldesc;
> > + struct btmtk_section_map *sectionmap;
> > + const struct firmware *fw;
> > + const u8 *fw_ptr;
> > + u8 *cert_buf = NULL;
> > + u32 section_num, section_offset, dl_size, cert_len;
> > + int i, err;
> > +
> > + err = request_firmware(&fw, fwname, &hdev->dev);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to load CBMCU firmware file
> > %s (%d)",
> > + fwname, err);
> > + return err;
> > + }
> > +
> > + if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE +
> > MTK_FW_ROM_PATCH_GD_SIZE) {
> > + bt_dev_err(hdev, "CBMCU firmware too small: size=%zu,
> > min=%u",
> > + fw->size,
> > + MTK_FW_ROM_PATCH_HEADER_SIZE +
> > MTK_FW_ROM_PATCH_GD_SIZE);
> > + err = -EINVAL;
> > + goto err_release_fw;
> > + }
> > +
> > + fw_ptr = fw->data;
> > + hdr = (struct btmtk_patch_header *)fw_ptr;
> > + globaldesc = (struct btmtk_global_desc *)(fw_ptr +
> > MTK_FW_ROM_PATCH_HEADER_SIZE);
> > + section_num = le32_to_cpu(globaldesc->section_num);
> > +
> > + if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE +
> > MTK_FW_ROM_PATCH_GD_SIZE +
> > + (size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE *
> > section_num) {
> > + bt_dev_err(hdev, "CBMCU firmware truncated: size=%zu,
> > expected=%zu (section_num=%u)",
> > + fw->size,
> > + MTK_FW_ROM_PATCH_HEADER_SIZE +
> > MTK_FW_ROM_PATCH_GD_SIZE +
> > + (size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE *
> > section_num,
> > + section_num);
> > + err = -EINVAL;
> > + goto err_release_fw;
> > + }
> > +
> > + bt_dev_info(hdev, "CBMCU Version: 0x%04x%04x, Build Time:
> > %s",
> > + le16_to_cpu(hdr->hwver), le16_to_cpu(hdr->swver),
> > hdr->datetime);
> > +
> > + /* Phase 1: Download section type MTK_SEC_CBMCU_DESC */
> > + for (i = 0; i < section_num; i++) {
> > + sectionmap = (struct btmtk_section_map *)
> > + (fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
> > + MTK_FW_ROM_PATCH_GD_SIZE +
> > + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
> > +
> > + /* Only process MTK_SEC_CBMCU_DESC section in Phase 1
> > */
> > + if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) !=
> > MTK_SEC_CBMCU_DESC)
> > + continue;
> > +
> > + section_offset = le32_to_cpu(sectionmap->secoffset);
> > + dl_size = le32_to_cpu(sectionmap->secsize);
> > +
> > + if (dl_size == 0)
> > + continue;
> > +
> > + if (section_offset > fw->size ||
> > + dl_size > fw->size - section_offset) {
> > + bt_dev_err(hdev, "CBMCU Phase 1 section out
> > of bounds");
> > + err = -EINVAL;
> > + goto err_release_fw;
> > + }
> > +
> > + cert_len = MTK_FW_ROM_PATCH_GD_SIZE +
> > + MTK_FW_ROM_PATCH_SEC_MAP_SIZE *
> > section_num +
> > + dl_size;
> > +
> > + /* Query cbmcu section */
> > + err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync,
> > 0, NULL,
> > + cert_len);
> > + if (err < 0)
> > + goto err_release_fw;
> > +
> > + cert_buf = kmalloc(cert_len, GFP_KERNEL);
> > + if (!cert_buf) {
> > + err = -ENOMEM;
> > + goto err_release_fw;
> > + }
> > +
> > + /* Copy Global Descriptor + All Section Maps */
> > + memcpy(cert_buf,
> > + fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE,
> > + MTK_FW_ROM_PATCH_GD_SIZE +
> > MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num);
> > +
> > + /* Copy Phase 1 section data */
> > + memcpy(cert_buf + MTK_FW_ROM_PATCH_GD_SIZE +
> > + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num,
> > + fw_ptr + section_offset,
> > + dl_size);
> > +
> > + /* Download Phase 1 section */
> > + err = btmtk_download_cbmcu_section(hdev,
> > wmt_cmd_sync,
> > + cert_buf,
> > cert_len);
> > + kfree(cert_buf);
> > + cert_buf = NULL;
> > +
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to download CBMCU
> > Phase 1 section (%d)", err);
> > + goto err_release_fw;
> > + }
> > +
> > + break;
> > + }
> > +
> > + /* Phase 2: Download other sections (type !=
> > MTK_SEC_CBMCU_DESC) */
> > + for (i = 0; i < section_num; i++) {
> > + sectionmap = (struct btmtk_section_map *)
> > + (fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
> > + MTK_FW_ROM_PATCH_GD_SIZE +
> > + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
> > +
> > + /* Skip MTK_SEC_CBMCU_DESC section in Phase 2 */
> > + if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) ==
> > MTK_SEC_CBMCU_DESC)
> > + continue;
> > +
> > + section_offset = le32_to_cpu(sectionmap->secoffset);
> > + dl_size = le32_to_cpu(sectionmap-
> > >bin_info_spec.dlsize);
> > +
> > + if (dl_size == 0)
> > + continue;
> > +
> > + if (section_offset > fw->size ||
> > + dl_size > fw->size - section_offset) {
> > + bt_dev_err(hdev, "CBMCU Phase 2 section %d
> > out of bounds", i);
> > + err = -EINVAL;
> > + goto err_release_fw;
> > + }
> > +
> > + /* Query cbmcu section */
> > + err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync,
> > 1,
> > + (u8 *)§ionmap-
> > >bin_info_spec,
> > + 0);
> > + if (err < 0)
> > + goto err_release_fw;
> > +
> > + /* Download section data */
> > + err = btmtk_download_cbmcu_section(hdev,
> > wmt_cmd_sync,
> > + fw_ptr +
> > section_offset,
> > + dl_size);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to download CBMCU
> > section %d (%d)", i, err);
> > + goto err_release_fw;
> > + }
> > + }
> > +
> > + bt_dev_info(hdev, "CBMCU firmware download completed");
> > +
> > +err_release_fw:
> > + release_firmware(fw);
> > + return err;
> > +}
> > +
> > +static int btmtk_setup_cbmcu_firmware(struct hci_dev *hdev,
> > + wmt_cmd_sync_func_t
> > wmt_cmd_sync,
> > + u32 dev_id)
> > +{
> > + char cbmcu_fwname[64];
> > + u8 patch_status;
> > + int err;
> > +
> > + err = btmtk_cbmcu_patch_status(hdev, wmt_cmd_sync,
> > &patch_status);
> > + if (err < 0)
> > + return err;
> > +
> > + bt_dev_dbg(hdev, "CBMCU patch status: 0x%02x", patch_status);
> > +
> > + if (patch_status != BTMTK_WMT_PATCH_UNDONE)
> > + return 0;
> > +
> > + snprintf(cbmcu_fwname, sizeof(cbmcu_fwname),
> > + "mediatek/mt7928/CBMCU_CODE_MT%04x_1_1.bin",
> > + dev_id & 0xffff);
> > +
> > + err = btmtk_load_cbmcu_firmware(hdev, cbmcu_fwname,
> > wmt_cmd_sync);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to download CBMCU firmware
> > (%d)", err);
> > + return err;
> > + }
> > +
> > + err = btmtk_enable_cbmcu_patch(hdev, wmt_cmd_sync);
> > + if (err < 0)
> > + return err;
> > +
> > + return 0;
> > +}
> > +
> > int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
> > {
> > u32 val;
> > @@ -894,7 +1233,7 @@ int btmtk_usb_subsys_reset(struct hci_dev
> > *hdev, u32 dev_id)
> > if (err < 0)
> > return err;
> > msleep(100);
> > - } else if (dev_id == 0x7925 || dev_id == 0x6639) {
> > + } else if (dev_id == 0x7925 || dev_id == 0x6639 || dev_id ==
> > 0x7935) {
> > err = btmtk_usb_uhw_reg_read(hdev,
> > MTK_BT_RESET_REG_CONNV3, &val);
> > if (err < 0)
> > return err;
> > @@ -1379,6 +1718,15 @@ int btmtk_usb_setup(struct hci_dev *hdev)
> > case 0x7668:
> > fwname = FIRMWARE_MT7668;
> > break;
> > + case 0x7935:
> > + /* Requires CBMCU firmware before BT firmware */
> > + err = btmtk_setup_cbmcu_firmware(hdev,
> > btmtk_usb_hci_wmt_sync,
> > + dev_id);
> > + if (err < 0) {
> > + bt_dev_err(hdev, "Failed to set up CBMCU
> > firmware (%d)", err);
> > + return err;
> > + }
> > + fallthrough;
> > case 0x7922:
> > case 0x7925:
> > /*
> > @@ -1596,3 +1944,5 @@ MODULE_FIRMWARE(FIRMWARE_MT7922);
> > MODULE_FIRMWARE(FIRMWARE_MT7961);
> > MODULE_FIRMWARE(FIRMWARE_MT7925);
> > MODULE_FIRMWARE(FIRMWARE_MT7927);
> > +MODULE_FIRMWARE(FIRMWARE_MT7928);
> > +MODULE_FIRMWARE(FIRMWARE_MT7928_CBMCU);
> > diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
> > index 51c18dde0a80..5fe4964b031b 100644
> > --- a/drivers/bluetooth/btmtk.h
> > +++ b/drivers/bluetooth/btmtk.h
> > @@ -9,6 +9,8 @@
> > #define FIRMWARE_MT7961
> > "mediatek/BT_RAM_CODE_MT7961_1_2_hdr.bin"
> > #define FIRMWARE_MT7925
> > "mediatek/mt7925/BT_RAM_CODE_MT7925_1_1_hdr.bin"
> > #define FIRMWARE_MT7927
> > "mediatek/mt7927/BT_RAM_CODE_MT6639_2_1_hdr.bin"
> > +#define FIRMWARE_MT7928
> > "mediatek/mt7928/BT_RAM_CODE_MT7935_1_1_hdr.bin"
> > +#define FIRMWARE_MT7928_CBMCU
> > "mediatek/mt7928/CBMCU_CODE_MT7935_1_1.bin"
> >
> > #define HCI_EV_WMT 0xe4
> > #define HCI_WMT_MAX_EVENT_SIZE 64
> > @@ -54,6 +56,7 @@ enum {
> > BTMTK_WMT_RST = 0x7,
> > BTMTK_WMT_REGISTER = 0x8,
> > BTMTK_WMT_SEMAPHORE = 0x17,
> > + BTMTK_WMT_CBMCU_DWNLD = 0x58,
> > };
> >
> > enum {
>
> gemini/gemini-3.1-pro-preview commented on three things [1].
>
>
> Kind regards,
>
> Paul
>
>
Chris Lu
> [1]:
> https://urldefense.com/v3/__https://sashiko.dev/*/message/20260623034121.691031-3-chris.lu*40mediatek.com__;IyU!!CTRNKA9wMg0ARbw!ii42FfNLcQuMCshcfe6bdBeLaQhxFj2FZIYjOj4uB6QunDTHpFPsHGHtHPrvdtmgaiEM53wIdFbFEJKzcECI1Q$
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Demi Marie Obenour @ 2026-06-24 2:09 UTC (permalink / raw)
To: Eric Biggers, Andy Lutomirski
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz
In-Reply-To: <20260623192715.GE1850517@google.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 2658 bytes --]
On 6/23/26 15:27, Eric Biggers wrote:
> On Tue, Jun 23, 2026 at 12:12:24PM -0700, Andy Lutomirski wrote:
>> On Mon, Jun 22, 2026 at 4:49 PM Eric Biggers <ebiggers@kernel.org> wrote:
>>>
>>> AF_ALG is a frequent source of vulnerabilities and a maintenance
>>> nightmare. It exposes far more functionality to userspace than ever
>>> should have been exposed, especially to unprivileged processes. Recent
>>> exploits have targeted kernel internal implementation details like
>>> "authencesn" that have zero use case for userspace access.
>>>
>>> Fortunately, AF_ALG is rarely used in practice, as userspace crypto
>>> libraries exist. And when it is used, only some functionality is known
>>> to be used, and many users are known to hold capabilities already.
>>> iwd for example requires CAP_NET_ADMIN and has a known algorithm list
>>> (https://lore.kernel.org/linux-crypto/bcbbef00-5881-421b-8892-7be6c04b832d@gmail.com/).
>>>
>>> Thus, let's restrict the set of allowed algorithms by default, depending
>>> on the capabilities held.
>>>
>>> Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
>>>
>>> 0: unrestricted
>>> 1: limited functionality
>>> 2: completely disabled
>>>
>>> Set the default value to 1, which enables an algorithm allowlist for
>>> unprivileged processes and a slightly longer allowlist for privileged
>>> processes.
>>
>> In our brave new world of containers, this is a bit awkward. The
>> admin is sort of asking two separate questions:
>>
>> 1. Is the actual running distro and its privileged components capable
>> of working without AF_ALG or with only the parts marked as being
>> unprivileged?
>>
>> 2. Is the system running contains that need the unprivileged parts?
>> (Which is maybe just sha1 for ip? I really don't know.)
>>
>> Should there maybe be two separate options so that all options are
>> available? Or maybe something between 2 and 3 that means "limited
>> functionality and privileged modes are completely disabled"?
>
> If we want to offer more settings we could. I could see this getting
> quite complex pretty quickly once everyone weighs in, though. There's
> quite a bit of value in keeping things simple, even if the offered
> settings won't be optimal for every case.
>
> - Eric
What about exposing both allowlists to userspace and making them
configurable?
I'm mostly concerned about systems running code (possibly
closed-source) that uses algorithms that nobody here knows about.
It would be better to allow a single algorithm than to turn off all
restrictions.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Rosen Penev @ 2026-06-23 22:06 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz,
Demi Marie Obenour, Andy Lutomirski
In-Reply-To: <20260623214730.GA3281861@google.com>
On Tue, Jun 23, 2026 at 2:47 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Tue, Jun 23, 2026 at 02:28:17PM -0700, Rosen Penev wrote:
> > > +static const struct af_alg_allowlist_entry hash_allowlist[] = {
> > > + { "cmac(aes)", true }, /* iwd, bluez */
> > > + { "hmac(md5)", true }, /* iwd */
> > > + { "hmac(sha1)", true }, /* iwd */
> > > + { "hmac(sha224)", true }, /* iwd */
> > > + { "hmac(sha256)", true }, /* iwd */
> > > + { "hmac(sha384)", true }, /* iwd */
> > > + { "hmac(sha512)", true }, /* iwd, sha512hmac */
> > > + { "md4", true }, /* iwd */
> > > + { "md5", true }, /* iwd */
> > > + { "sha1", false }, /* iwd, iproute2 < 7.0 */
> > > + { "sha224", true }, /* iwd */
> > > + { "sha256", true }, /* iwd */
> > > + { "sha384", true }, /* iwd */
> > > + { "sha512", true }, /* iwd */
> > > + {},
> > In OpenWrt, https://gitlab.com/linux-afs/kafs-client and strongswan
> > seem to be the other users of the user API. I haven't looked into what
> > they need.
>
> [Please trim your replies, thanks!]
Not sure what you mean.
>
> https://gitlab.com/linux-afs/kafs-client uses AF_ALG only for
> "hmac(md5)", which I already put on the privileged allowlist due to iwd
> also using it. So it would still work by default with the current
> patch, unless it needs to use it unprivileged.
>
> (FWIW, a use of a single obsolete algorithm like this is also a good
> candidate for just replacing with local code...)
>
> https://github.com/strongswan/strongswan already supports userspace
> crypto libraries.
Oh lovely. Looks like this needs fixing in OpenWrt.
>
> - Eric
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Eric Biggers @ 2026-06-23 21:47 UTC (permalink / raw)
To: Rosen Penev
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz,
Demi Marie Obenour, Andy Lutomirski
In-Reply-To: <CAKxU2N_EGTWkvtPOxQXBroxGVXDf1atPoFVyRRu0wHOtEXVWaA@mail.gmail.com>
On Tue, Jun 23, 2026 at 02:28:17PM -0700, Rosen Penev wrote:
> > +static const struct af_alg_allowlist_entry hash_allowlist[] = {
> > + { "cmac(aes)", true }, /* iwd, bluez */
> > + { "hmac(md5)", true }, /* iwd */
> > + { "hmac(sha1)", true }, /* iwd */
> > + { "hmac(sha224)", true }, /* iwd */
> > + { "hmac(sha256)", true }, /* iwd */
> > + { "hmac(sha384)", true }, /* iwd */
> > + { "hmac(sha512)", true }, /* iwd, sha512hmac */
> > + { "md4", true }, /* iwd */
> > + { "md5", true }, /* iwd */
> > + { "sha1", false }, /* iwd, iproute2 < 7.0 */
> > + { "sha224", true }, /* iwd */
> > + { "sha256", true }, /* iwd */
> > + { "sha384", true }, /* iwd */
> > + { "sha512", true }, /* iwd */
> > + {},
> In OpenWrt, https://gitlab.com/linux-afs/kafs-client and strongswan
> seem to be the other users of the user API. I haven't looked into what
> they need.
[Please trim your replies, thanks!]
https://gitlab.com/linux-afs/kafs-client uses AF_ALG only for
"hmac(md5)", which I already put on the privileged allowlist due to iwd
also using it. So it would still work by default with the current
patch, unless it needs to use it unprivileged.
(FWIW, a use of a single obsolete algorithm like this is also a good
candidate for just replacing with local code...)
https://github.com/strongswan/strongswan already supports userspace
crypto libraries.
- Eric
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Rosen Penev @ 2026-06-23 21:28 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz,
Demi Marie Obenour, Andy Lutomirski
In-Reply-To: <20260622234803.6982-1-ebiggers@kernel.org>
On Mon, Jun 22, 2026 at 4:49 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> AF_ALG is a frequent source of vulnerabilities and a maintenance
> nightmare. It exposes far more functionality to userspace than ever
> should have been exposed, especially to unprivileged processes. Recent
> exploits have targeted kernel internal implementation details like
> "authencesn" that have zero use case for userspace access.
>
> Fortunately, AF_ALG is rarely used in practice, as userspace crypto
> libraries exist. And when it is used, only some functionality is known
> to be used, and many users are known to hold capabilities already.
> iwd for example requires CAP_NET_ADMIN and has a known algorithm list
> (https://lore.kernel.org/linux-crypto/bcbbef00-5881-421b-8892-7be6c04b832d@gmail.com/).
>
> Thus, let's restrict the set of allowed algorithms by default, depending
> on the capabilities held.
>
> Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
>
> 0: unrestricted
> 1: limited functionality
> 2: completely disabled
>
> Set the default value to 1, which enables an algorithm allowlist for
> unprivileged processes and a slightly longer allowlist for privileged
> processes.
>
> Note that the list may be tweaked in the future. However, the common
> use cases such as iwd and bluez are taken into account already. I've
> tested that iwd still works with the default value of 1.
>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
> Documentation/admin-guide/sysctl/crypto.rst | 36 +++++++++++
> Documentation/crypto/userspace-if.rst | 13 +++-
> crypto/af_alg.c | 72 +++++++++++++++++++--
> crypto/algif_aead.c | 11 ++++
> crypto/algif_hash.c | 24 +++++++
> crypto/algif_rng.c | 9 +++
> crypto/algif_skcipher.c | 20 ++++++
> include/crypto/if_alg.h | 8 +++
> 8 files changed, 184 insertions(+), 9 deletions(-)
>
> diff --git a/Documentation/admin-guide/sysctl/crypto.rst b/Documentation/admin-guide/sysctl/crypto.rst
> index b707bd314a64..9a1bd53287f4 100644
> --- a/Documentation/admin-guide/sysctl/crypto.rst
> +++ b/Documentation/admin-guide/sysctl/crypto.rst
> @@ -5,10 +5,46 @@
> These files show up in ``/proc/sys/crypto/``, depending on the
> kernel configuration:
>
> .. contents:: :local:
>
> +.. _af_alg_restrict:
> +
> +af_alg_restrict
> +===============
> +
> +Controls the level of restriction of AF_ALG.
> +
> +AF_ALG is a deprecated and rarely-used userspace interface that is a
> +frequent source of vulnerabilities. It also unnecessarily exposes a
> +large number of kernel implementation details. For more information
> +about AF_ALG, see :ref:`Documentation/crypto/userspace-if.rst
> +<crypto_userspace_interface>`.
> +
> +Starting in Linux v7.3, AF_ALG supports only a limited set of
> +algorithms by default. This sysctl allows the system administrator to
> +remove this restriction when needed for compatibility reasons, or to
> +go further and disable AF_ALG entirely. The default value is 1.
> +
> +=== ==================================================================
> +0 AF_ALG is unrestricted.
> +
> +1 AF_ALG is supported with a limited list of algorithms. The list
> + is designed for compatibility with known users such as iwd and
> + bluez that haven't yet been fixed to use userspace crypto code.
> +
> + Specifically, there is an allowlist for unprivileged processes
> + and a somewhat longer allowlist for processes that hold
> + CAP_SYS_ADMIN or CAP_NET_ADMIN in the initial user namespace.
> +
> + Attempts to bind() an AF_ALG socket with a disallowed algorithm
> + fail with ENOENT.
> +
> +2 AF_ALG is completely disabled. Attempts to create an AF_ALG
> + socket fail with EAFNOSUPPORT.
> +=== ==================================================================
> +
> fips_enabled
> ============
>
> Read-only flag that indicates whether FIPS mode is enabled.
>
> diff --git a/Documentation/crypto/userspace-if.rst b/Documentation/crypto/userspace-if.rst
> index ab93300c8e04..d6194346e366 100644
> --- a/Documentation/crypto/userspace-if.rst
> +++ b/Documentation/crypto/userspace-if.rst
> @@ -1,5 +1,7 @@
> +.. _crypto_userspace_interface:
> +
> User Space Interface
> ====================
>
> Introduction
> ------------
> @@ -10,13 +12,18 @@ code.
>
> AF_ALG is insecure and is deprecated. Originally added to the kernel in 2010,
> most kernel developers now consider it to be a mistake. Support for hardware
> accelerators, which was the original purpose of AF_ALG, has been removed.
>
> -AF_ALG continues to be supported only for backwards compatibility. On systems
> -where no programs using AF_ALG remain, the support for it should be disabled by
> -disabling ``CONFIG_CRYPTO_USER_API_*``.
> +AF_ALG continues to be supported only for backwards compatibility.
> +
> +Starting in Linux v7.3, the set of algorithms supported by AF_ALG is limited by
> +default. See :ref:`/proc/sys/crypto/af_alg_restrict <af_alg_restrict>`.
> +
> +On systems where no programs using AF_ALG remain, the support for it should be
> +disabled entirely by setting ``/proc/sys/crypto/af_alg_restrict`` to 2 or by
> +disabling ``CONFIG_CRYPTO_USER_API_*`` in the kernel configuration.
>
> Deprecation
> -----------
>
> AF_ALG was originally intended to provide userspace programs access to crypto
> diff --git a/crypto/af_alg.c b/crypto/af_alg.c
> index cce000e8590e..34b801568fba 100644
> --- a/crypto/af_alg.c
> +++ b/crypto/af_alg.c
> @@ -6,10 +6,11 @@
> *
> * Copyright (c) 2010 Herbert Xu <herbert@gondor.apana.org.au>
> */
>
> #include <linux/atomic.h>
> +#include <linux/capability.h>
> #include <crypto/if_alg.h>
> #include <linux/crypto.h>
> #include <linux/init.h>
> #include <linux/kernel.h>
> #include <linux/key.h>
> @@ -20,14 +21,32 @@
> #include <linux/rwsem.h>
> #include <linux/sched.h>
> #include <linux/sched/signal.h>
> #include <linux/security.h>
> #include <linux/string.h>
> +#include <linux/sysctl.h>
> +#include <linux/user_namespace.h>
> #include <keys/user-type.h>
> #include <keys/trusted-type.h>
> #include <keys/encrypted-type.h>
>
> +static int af_alg_restrict = 1;
> +
> +static const struct ctl_table af_alg_table[] = {
> + {
> + .procname = "af_alg_restrict",
> + .data = &af_alg_restrict,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_TWO,
> + },
> +};
> +
> +static struct ctl_table_header *af_alg_header;
> +
> struct alg_type_list {
> const struct af_alg_type *type;
> struct list_head list;
> };
>
> @@ -108,10 +127,43 @@ int af_alg_unregister_type(const struct af_alg_type *type)
>
> return err;
> }
> EXPORT_SYMBOL_GPL(af_alg_unregister_type);
>
> +static bool af_alg_capable(void)
> +{
> + return ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN) ||
> + capable(CAP_SYS_ADMIN);
> +}
> +
> +int af_alg_check_restriction(const char *name,
> + const struct af_alg_allowlist_entry allowlist[])
> +{
> + int level = READ_ONCE(af_alg_restrict);
> +
> + if (level == 0)
> + return 0;
> + if (level == 1) {
> + for (const struct af_alg_allowlist_entry *ent = allowlist;
> + ent->name; ent++) {
> + if (strcmp(name, ent->name) == 0 &&
> + (!ent->privileged || af_alg_capable()))
> + return 0;
> + }
> + }
> + /*
> + * Use -ENOENT (the error code for "algorithm not found") instead of
> + * -EACCES or -EPERM, for the highest chance of correctly triggering
> + * fallback code paths in userspace programs.
> + *
> + * Don't log a warning, since it would be noisy. iwd tries to bind a
> + * bunch of algorithms that it never uses.
> + */
> + return -ENOENT;
> +}
> +EXPORT_SYMBOL_GPL(af_alg_check_restriction);
> +
> static void alg_do_release(const struct af_alg_type *type, void *private)
> {
> if (!type)
> return;
>
> @@ -504,10 +556,13 @@ static int alg_create(struct net *net, struct socket *sock, int protocol,
> int kern)
> {
> struct sock *sk;
> int err;
>
> + if (READ_ONCE(af_alg_restrict) == 2)
> + return -EAFNOSUPPORT;
> +
> if (sock->type != SOCK_SEQPACKET)
> return -ESOCKTNOSUPPORT;
> if (protocol != 0)
> return -EPROTONOSUPPORT;
>
> @@ -1220,31 +1275,36 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
> }
> EXPORT_SYMBOL_GPL(af_alg_get_rsgl);
>
> static int __init af_alg_init(void)
> {
> - int err = proto_register(&alg_proto, 0);
> + int err;
> +
> + af_alg_header = register_sysctl("crypto", af_alg_table);
>
> + err = proto_register(&alg_proto, 0);
> if (err)
> - goto out;
> + goto out_unregister_sysctl;
>
> err = sock_register(&alg_family);
> - if (err != 0)
> + if (err)
> goto out_unregister_proto;
>
> -out:
> - return err;
> + return 0;
>
> out_unregister_proto:
> proto_unregister(&alg_proto);
> - goto out;
> +out_unregister_sysctl:
> + unregister_sysctl_table(af_alg_header);
> + return err;
> }
>
> static void __exit af_alg_exit(void)
> {
> sock_unregister(PF_ALG);
> proto_unregister(&alg_proto);
> + unregister_sysctl_table(af_alg_header);
> }
>
> module_init(af_alg_init);
> module_exit(af_alg_exit);
> MODULE_DESCRIPTION("Crypto userspace interface");
> diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
> index 787aac8aeb24..b9217f9086aa 100644
> --- a/crypto/algif_aead.c
> +++ b/crypto/algif_aead.c
> @@ -32,10 +32,15 @@
> #include <linux/mm.h>
> #include <linux/module.h>
> #include <linux/net.h>
> #include <net/sock.h>
>
> +static const struct af_alg_allowlist_entry aead_allowlist[] = {
> + { "ccm(aes)", true }, /* bluez */
> + {},
> +};
> +
> static inline bool aead_sufficient_data(struct sock *sk)
> {
> struct alg_sock *ask = alg_sk(sk);
> struct sock *psk = ask->parent;
> struct alg_sock *pask = alg_sk(psk);
> @@ -342,10 +347,16 @@ static struct proto_ops algif_aead_ops_nokey = {
> .poll = af_alg_poll,
> };
>
> static void *aead_bind(const char *name)
> {
> + int err;
> +
> + err = af_alg_check_restriction(name, aead_allowlist);
> + if (err)
> + return ERR_PTR(err);
> +
> return crypto_alloc_aead(name, 0, AF_ALG_CRYPTOAPI_MASK);
> }
>
> static void aead_release(void *private)
> {
> diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
> index 5452ad6c1506..a8d958d51ece 100644
> --- a/crypto/algif_hash.c
> +++ b/crypto/algif_hash.c
> @@ -14,10 +14,28 @@
> #include <linux/mm.h>
> #include <linux/module.h>
> #include <linux/net.h>
> #include <net/sock.h>
>
> +static const struct af_alg_allowlist_entry hash_allowlist[] = {
> + { "cmac(aes)", true }, /* iwd, bluez */
> + { "hmac(md5)", true }, /* iwd */
> + { "hmac(sha1)", true }, /* iwd */
> + { "hmac(sha224)", true }, /* iwd */
> + { "hmac(sha256)", true }, /* iwd */
> + { "hmac(sha384)", true }, /* iwd */
> + { "hmac(sha512)", true }, /* iwd, sha512hmac */
> + { "md4", true }, /* iwd */
> + { "md5", true }, /* iwd */
> + { "sha1", false }, /* iwd, iproute2 < 7.0 */
> + { "sha224", true }, /* iwd */
> + { "sha256", true }, /* iwd */
> + { "sha384", true }, /* iwd */
> + { "sha512", true }, /* iwd */
> + {},
In OpenWrt, https://gitlab.com/linux-afs/kafs-client and strongswan
seem to be the other users of the user API. I haven't looked into what
they need.
> +};
> +
> struct hash_ctx {
> struct af_alg_sgl sgl;
>
> u8 *result;
>
> @@ -380,10 +398,16 @@ static struct proto_ops algif_hash_ops_nokey = {
> .accept = hash_accept_nokey,
> };
>
> static void *hash_bind(const char *name)
> {
> + int err;
> +
> + err = af_alg_check_restriction(name, hash_allowlist);
> + if (err)
> + return ERR_PTR(err);
> +
> return crypto_alloc_ahash(name, 0, AF_ALG_CRYPTOAPI_MASK);
> }
>
> static void hash_release(void *private)
> {
> diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c
> index 4dfe7899f8fa..bd522915d56d 100644
> --- a/crypto/algif_rng.c
> +++ b/crypto/algif_rng.c
> @@ -48,10 +48,14 @@
>
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
> MODULE_DESCRIPTION("User-space interface for random number generators");
>
> +static const struct af_alg_allowlist_entry rng_allowlist[] = {
> + {},
> +};
> +
> struct rng_ctx {
> #define MAXSIZE 128
> unsigned int len;
> struct crypto_rng *drng;
> u8 *addtl;
> @@ -199,10 +203,15 @@ static struct proto_ops __maybe_unused algif_rng_test_ops = {
>
> static void *rng_bind(const char *name)
> {
> struct rng_parent_ctx *pctx;
> struct crypto_rng *rng;
> + int err;
> +
> + err = af_alg_check_restriction(name, rng_allowlist);
> + if (err)
> + return ERR_PTR(err);
>
> pctx = kzalloc_obj(*pctx);
> if (!pctx)
> return ERR_PTR(-ENOMEM);
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index df20bdfe1f1f..2b8069667974 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -32,10 +32,24 @@
> #include <linux/mm.h>
> #include <linux/module.h>
> #include <linux/net.h>
> #include <net/sock.h>
>
> +static const struct af_alg_allowlist_entry skcipher_allowlist[] = {
> + { "adiantum(xchacha12,aes)", false }, /* cryptsetup */
> + { "adiantum(xchacha20,aes)", false }, /* cryptsetup */
> + { "cbc(aes)", true }, /* iwd */
> + { "cbc(des)", true }, /* iwd */
> + { "cbc(des3_ede)", true }, /* iwd */
> + { "ctr(aes)", true }, /* iwd */
> + { "ecb(aes)", true }, /* iwd, bluez */
> + { "ecb(des)", true }, /* iwd */
> + { "hctr2(aes)", false }, /* cryptsetup */
> + { "xts(aes)", false }, /* cryptsetup benchmark */
> + {},
> +};
> +
> static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg,
> size_t size)
> {
> struct sock *sk = sock->sk;
> struct alg_sock *ask = alg_sk(sk);
> @@ -307,10 +321,16 @@ static struct proto_ops algif_skcipher_ops_nokey = {
> .poll = af_alg_poll,
> };
>
> static void *skcipher_bind(const char *name)
> {
> + int err;
> +
> + err = af_alg_check_restriction(name, skcipher_allowlist);
> + if (err)
> + return ERR_PTR(err);
> +
> return crypto_alloc_skcipher(name, 0, AF_ALG_CRYPTOAPI_MASK);
> }
>
> static void skcipher_release(void *private)
> {
> diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
> index 7643ba954125..4e9ed8e73403 100644
> --- a/include/crypto/if_alg.h
> +++ b/include/crypto/if_alg.h
> @@ -159,13 +159,21 @@ struct af_alg_ctx {
> unsigned int len;
>
> unsigned int inflight;
> };
>
> +struct af_alg_allowlist_entry {
> + const char *name;
> + bool privileged;
> +};
> +
> int af_alg_register_type(const struct af_alg_type *type);
> int af_alg_unregister_type(const struct af_alg_type *type);
>
> +int af_alg_check_restriction(const char *name,
> + const struct af_alg_allowlist_entry allowlist[]);
> +
> int af_alg_release(struct socket *sock);
> void af_alg_release_parent(struct sock *sk);
> int af_alg_accept(struct sock *sk, struct socket *newsock,
> struct proto_accept_arg *arg);
>
>
> base-commit: 1dc18801be29bc54709aa355b8acd80e183b03cd
> --
> 2.54.0
>
>
^ permalink raw reply
* RE: [BlueZ,v1,1/3] bass: Fix possible crash on bass_update_bis_sync
From: bluez.test.bot @ 2026-06-23 21:26 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260623191432.270241-1-luiz.dentz@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2102 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1115551
---Test result---
Test Summary:
CheckPatch PASS 2.77 seconds
GitLint PASS 1.47 seconds
BuildEll PASS 20.57 seconds
BluezMake PASS 658.38 seconds
MakeCheck PASS 14.89 seconds
MakeDistcheck PASS 249.54 seconds
CheckValgrind PASS 278.40 seconds
CheckSmatch WARNING 354.17 seconds
bluezmakeextell PASS 184.03 seconds
IncrementalBuild PASS 701.98 seconds
ScanBuild PASS 1032.34 seconds
Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structuressrc/shared/bap.c:317:25: warning: array of flexible structuressrc/shared/bap.c: note: in included file:./src/shared/ascs.h:88:25: warning: array of flexible structures
https://github.com/bluez/bluez/pull/2253
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-23 20:27 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1114843
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [bluez/bluez] fe6513: bass: Fix possible crash on bass_update_bis_sync
From: Luiz Augusto von Dentz @ 2026-06-23 20:27 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1115551
Home: https://github.com/bluez/bluez
Commit: fe6513bee8e6a73f926392b754020e62ade4cea0
https://github.com/bluez/bluez/commit/fe6513bee8e6a73f926392b754020e62ade4cea0
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-23 (Tue, 23 Jun 2026)
Changed paths:
M profiles/audio/bass.c
Log Message:
-----------
bass: Fix possible crash on bass_update_bis_sync
bass_update_bis_sync does use bass_remove_bis which may end up
removing the current entry causing a crash on entry->next, to avoid
that prefetch the next entry.
Commit: d94c2e27556c19c45a93feb9b6d50f01ba4b2ec0
https://github.com/bluez/bluez/commit/d94c2e27556c19c45a93feb9b6d50f01ba4b2ec0
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-23 (Tue, 23 Jun 2026)
Changed paths:
M src/shared/bap.c
Log Message:
-----------
shared/bap: Check if stream is valid before attempting to release
bt_bap_stream_release shall check if the stream is still valid before
attempting to release it just as done with other operations.
Commit: a0072e317879e12e6fe474950721384e84248d30
https://github.com/bluez/bluez/commit/a0072e317879e12e6fe474950721384e84248d30
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-23 (Tue, 23 Jun 2026)
Changed paths:
M src/shared/bap.c
Log Message:
-----------
shared/bap: Don't transition to IDLE inside bap_bcast_set_state
Remove the recursive stream_set_state(IDLE) call from the RELEASING
case in bap_bcast_set_state. This call re-entered bap_bcast_set_state
while the state_cbs queue was still being iterated, causing a
use-after-free if a callback unregistered itself during notification.
Compare: https://github.com/bluez/bluez/compare/fe6513bee8e6%5E...a0072e317879
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [bluez/bluez] 912f5e: a2dp: Fix handling of codec capability storage
From: Luiz Augusto von Dentz @ 2026-06-23 20:25 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: 912f5efb0dd9bb08e408d33371a57182c5678aef
https://github.com/bluez/bluez/commit/912f5efb0dd9bb08e408d33371a57182c5678aef
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-22 (Mon, 22 Jun 2026)
Changed paths:
M profiles/audio/a2dp.c
Log Message:
-----------
a2dp: Fix handling of codec capability storage
Codec capability is one byte long (max 255) the storage format is
02hhx which means each byte ends up as 2 characters so the buffer
needs to be doubled in order to handle capabilities of that size.
Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative
Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Eric Biggers @ 2026-06-23 19:49 UTC (permalink / raw)
To: Kees Cook
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz,
Demi Marie Obenour, Andy Lutomirski
In-Reply-To: <202606231216.14A774833@keescook>
On Tue, Jun 23, 2026 at 12:24:28PM -0700, Kees Cook wrote:
> On Mon, Jun 22, 2026 at 04:48:03PM -0700, Eric Biggers wrote:
> > AF_ALG is a frequent source of vulnerabilities and a maintenance
> > nightmare. It exposes far more functionality to userspace than ever
> > should have been exposed, especially to unprivileged processes. Recent
> > exploits have targeted kernel internal implementation details like
> > "authencesn" that have zero use case for userspace access.
>
> I absolutely want to see this attack surface reduction.
>
> > Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
> > [...]
> > Note that the list may be tweaked in the future. However, the common
> > use cases such as iwd and bluez are taken into account already. I've
> > tested that iwd still works with the default value of 1.
>
> I wince at this bit, though. This is a "security policy in the kernel"
> which we try to avoid, and it's could be done already in userspace with
> modprobe blacklist.
>
> But, as you say, AF_ALG is deprecated. I understand that to mean that
> the alg list is only ever going to *shrink* in the future.
>
> Using a sysctl means monolithic kernels are protected, but wouldn't
> those systems just compile AF_ALG out?
>
> So, I guess, I would want a more clear rationale for why we do it this
> way instead of via modprobe blacklist. I see a few reasons, but they
> don't really convince me that we should ignore the "no security policy
> in the kernel" rule to do it this way.
As we saw when distros tried to mitigate copy.fail, a lot of distros
have CONFIG_CRYPTO_USER_API_* set to 'y', so algif_aead.ko couldn't be
blacklisted. (Ironically because of FIPS 140, which is yet another
example of how FIPS 140 harms real-world security.)
But even when 'm', the module blacklist is just a binary choice for each
algorithm type: aead, skcipher, hash, and rng. Loading algif_aead.ko
allows not just "ccm(aes)" that bluez needs, but also bizarre things
like "authencesn(hmac(sha256),cbc(aes))" that are used only in exploits.
And sure, userspace could theoretically gather the complete list of
algorithm modules (e.g. authencesn.ko) and blacklist them individually.
But no one does that, and many are built-in anyway -- and this time not
just because of FIPS.
So we need an allowlist at the algorithm level, not just the algorithm
type level. Putting the allowlist in the kernel, taking into account
the real use cases like iwd and bluez, and having a simple tristate
sysctl similar to some of the existing ones, is the simplest and most
practical way to achieve this by default across Linux distros.
If we did something like delegate the algorithm allowlist to LSMs, I
think that in practice it's just going to be almost never used.
- Eric
^ permalink raw reply
* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: patchwork-bot+bluetooth @ 2026-06-23 19:30 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <20260622155621.675255-1-luiz.dentz@gmail.com>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 22 Jun 2026 11:56:21 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Codec capability is one byte long (max 255) the storage format is
> 02hhx which means each byte ends up as 2 characters so the buffer
> needs to be doubled in order to handle capabilities of that size.
>
> Reported-by: p0her (_@p0her_) in TeamH4C working with TrendAI Zero Day Initiative
> Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
>
> [...]
Here is the summary with links:
- [BlueZ,v2] a2dp: Fix handling of codec capability storage
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=912f5efb0dd9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Eric Biggers @ 2026-06-23 19:27 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz,
Demi Marie Obenour
In-Reply-To: <CALCETrXPj0u=FZ=aFcZAHk3fFZa7rCuPEjx6cOMXmT3sdkC7SA@mail.gmail.com>
On Tue, Jun 23, 2026 at 12:12:24PM -0700, Andy Lutomirski wrote:
> On Mon, Jun 22, 2026 at 4:49 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > AF_ALG is a frequent source of vulnerabilities and a maintenance
> > nightmare. It exposes far more functionality to userspace than ever
> > should have been exposed, especially to unprivileged processes. Recent
> > exploits have targeted kernel internal implementation details like
> > "authencesn" that have zero use case for userspace access.
> >
> > Fortunately, AF_ALG is rarely used in practice, as userspace crypto
> > libraries exist. And when it is used, only some functionality is known
> > to be used, and many users are known to hold capabilities already.
> > iwd for example requires CAP_NET_ADMIN and has a known algorithm list
> > (https://lore.kernel.org/linux-crypto/bcbbef00-5881-421b-8892-7be6c04b832d@gmail.com/).
> >
> > Thus, let's restrict the set of allowed algorithms by default, depending
> > on the capabilities held.
> >
> > Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
> >
> > 0: unrestricted
> > 1: limited functionality
> > 2: completely disabled
> >
> > Set the default value to 1, which enables an algorithm allowlist for
> > unprivileged processes and a slightly longer allowlist for privileged
> > processes.
>
> In our brave new world of containers, this is a bit awkward. The
> admin is sort of asking two separate questions:
>
> 1. Is the actual running distro and its privileged components capable
> of working without AF_ALG or with only the parts marked as being
> unprivileged?
>
> 2. Is the system running contains that need the unprivileged parts?
> (Which is maybe just sha1 for ip? I really don't know.)
>
> Should there maybe be two separate options so that all options are
> available? Or maybe something between 2 and 3 that means "limited
> functionality and privileged modes are completely disabled"?
If we want to offer more settings we could. I could see this getting
quite complex pretty quickly once everyone weighs in, though. There's
quite a bit of value in keeping things simple, even if the offered
settings won't be optimal for every case.
- Eric
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Kees Cook @ 2026-06-23 19:24 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-crypto, Herbert Xu, linux-kernel, linux-doc,
linux-bluetooth, iwd, linux-hardening, Milan Broz,
Demi Marie Obenour, Andy Lutomirski
In-Reply-To: <20260622234803.6982-1-ebiggers@kernel.org>
On Mon, Jun 22, 2026 at 04:48:03PM -0700, Eric Biggers wrote:
> AF_ALG is a frequent source of vulnerabilities and a maintenance
> nightmare. It exposes far more functionality to userspace than ever
> should have been exposed, especially to unprivileged processes. Recent
> exploits have targeted kernel internal implementation details like
> "authencesn" that have zero use case for userspace access.
I absolutely want to see this attack surface reduction.
> Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
> [...]
> Note that the list may be tweaked in the future. However, the common
> use cases such as iwd and bluez are taken into account already. I've
> tested that iwd still works with the default value of 1.
I wince at this bit, though. This is a "security policy in the kernel"
which we try to avoid, and it's could be done already in userspace with
modprobe blacklist.
But, as you say, AF_ALG is deprecated. I understand that to mean that
the alg list is only ever going to *shrink* in the future.
Using a sysctl means monolithic kernels are protected, but wouldn't
those systems just compile AF_ALG out?
So, I guess, I would want a more clear rationale for why we do it this
way instead of via modprobe blacklist. I see a few reasons, but they
don't really convince me that we should ignore the "no security policy
in the kernel" rule to do it this way.
-Kees
--
Kees Cook
^ permalink raw reply
* Re: [PATCH] crypto: af_alg - Document the deprecation of AF_ALG
From: Eric Biggers @ 2026-06-23 19:19 UTC (permalink / raw)
To: Linus Torvalds
Cc: Bastien Nocera, linux-crypto, Herbert Xu, Marcel Holtmann,
Luiz Augusto von Dentz, linux-doc, linux-api, linux-kernel,
netdev, linux-bluetooth, ell
In-Reply-To: <CAHk-=wgNG=F3xO9PjL0RcKy3UWvq0Np9uZu+nFUQBAA8So9xdA@mail.gmail.com>
On Tue, Jun 23, 2026 at 11:56:10AM -0700, Linus Torvalds wrote:
> On Tue, 23 Jun 2026 at 09:51, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > We're aware of that and are taking it into account in the allowlist:
>
> Note that if we can just unconditionally make it depend on
> CAP_NET_ADMIN, that would be good - independently of any allowlist.
>
> Because if iwd and abluetoothd are the main two users, and both of
> those already require CAP_NET_ADMIN anyway...
There's also cryptsetup, including unprivileged benchmarking and also
(in theory) formatting support, and pre-7.0 versions of iproute2 which
used it for computing SHA-1 hashes of BPF programs.
If we broke unprivileged 'cryptsetup benchmark', some people would
definitely notice. However, since it's just a manually-run benchmark
anyway, users could just run it with sudo.
I don't know about the iproute2 case.
It depends how aggressive we want to be. My current proposal
(https://lore.kernel.org/linux-crypto/20260622234803.6982-1-ebiggers@kernel.org/)
has the entries in the allowlist marked as either privileged or
unprivileged. There are just a few unprivileged ones, for cryptsetup
and iproute2 as mentioned. But we could try doing away with the
unprivileged ones entirely and see who complains.
- Eric
^ permalink raw reply
* [PATCH BlueZ v1 3/3] shared/bap: Don't transition to IDLE inside bap_bcast_set_state
From: Luiz Augusto von Dentz @ 2026-06-23 19:14 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <20260623191432.270241-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Remove the recursive stream_set_state(IDLE) call from the RELEASING
case in bap_bcast_set_state. This call re-entered bap_bcast_set_state
while the state_cbs queue was still being iterated, causing a
use-after-free if a callback unregistered itself during notification.
---
src/shared/bap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 9dd07bc5f2e2..6086924a9cb7 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2436,7 +2436,6 @@ static void bap_bcast_set_state(struct bt_bap_stream *stream, uint8_t state)
break;
case BT_ASCS_ASE_STATE_RELEASING:
bap_stream_io_detach(stream);
- stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
break;
case BT_ASCS_ASE_STATE_ENABLING:
if (bt_bap_stream_get_io(stream))
@@ -2579,6 +2578,7 @@ static unsigned int bap_bcast_release(struct bt_bap_stream *stream,
void *user_data)
{
stream_set_state(stream, BT_BAP_STREAM_STATE_RELEASING);
+ stream_set_state(stream, BT_BAP_STREAM_STATE_IDLE);
return 1;
}
--
2.54.0
^ permalink raw reply related
* [PATCH BlueZ v1 2/3] shared/bap: Check if stream is valid before attempting to release
From: Luiz Augusto von Dentz @ 2026-06-23 19:14 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <20260623191432.270241-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
bt_bap_stream_release shall check if the stream is still valid before
attempting to release it just as done with other operations.
---
src/shared/bap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 6f2f4fc11f7c..9dd07bc5f2e2 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -6727,6 +6727,9 @@ unsigned int bt_bap_stream_release(struct bt_bap_stream *stream,
unsigned int id;
struct bt_bap *bap;
+ if (!bap_stream_valid(stream))
+ return 0;
+
if (!stream || !stream->ops || !stream->ops->release)
return 0;
--
2.54.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox