zang74/create_btusb_patch.sh

## create_btusb_patch.sh
#!/usr/bin/env sh
set -e

function info {
  GREEN="\033[1;32m"
  RESET="\033[0m"
  echo -e "$GREEN==> $@$RESET"
}

version="${1:-$(uname -r | cut -d'-' -f1)}"
extra="${2:-$(uname -r | cut -d'-' -f2-)}"

fullversion="$version-$extra"

modules=(
  'drivers/bluetooth:btusb'
  'net/bluetooth:bluetooth'
)

info Making patch for kernel $fullversion

name="linux-$version"
archive="$name.tar.xz"

info Downloading kernel $name
wget -c https://cdn.kernel.org/pub/linux/kernel/v5.x/$archive -O $archive

info Extracting $archive
tar -xJf $archive

info Setting up kernel config
make -C $name mrproper
cp /usr/lib/modules/$fullversion/build/.config $name/
cp /usr/lib/modules/$fullversion/build/Module.symvers $name/
make -C $name oldconfig

info Applying CSR dongle fix
patch -p1 -d $name < fix_csr_dongle.patch

info Preparing kernel modules
make -C $name EXTRAVERSION=-$extra modules_prepare
for module in "${modules[@]}" ; do
  module_path=${module%%:*}
  module_name=${module#*:}
  info Making $module_name kernel module
  make -C $name M=$module_path
  info Compressing $module_path/$module_name.ko kernel module
  xz $name/$module_path/$module_name.ko
done

info Installing
sudo mkdir -p /usr/lib/modules/$fullversion/updates

for module in "${modules[@]}" ; do
  module_path=${module%%:*}
  module_name=${module#*:}
  info Installing $module_name kernel module
  sudo cp -f $name/$module_path/$module_name.ko.xz /usr/lib/modules/$fullversion/updates/$module_name.ko.xz
done

info Copying csr-bluetoothdongle.conf to /etc/modprobe.d/ with contents:
cat csr-bluetoothdongle.conf
sudo cp -f csr-bluetoothdongle.conf /etc/modprobe.d/99-csr-bluetoothdongle.conf
info Running 'mkinitcpio'
sudo mkinitcpio -p linux

info Removing temp files
rm -f $archive
rm -rf $name

info Now you can reboot to load patched kernel modules

## csr-bluetoothdongle.conf
options btusb reset=1 enable_autosuspend=0

## fix_csr_dongle.patch
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 5f022e9cf..5b8cf9ba9 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -1720,6 +1720,7 @@ static int btusb_setup_csr(struct hci_dev *hdev)
 {
 	struct hci_rp_read_local_version *rp;
 	struct sk_buff *skb;
+	bool is_fake = false;

 	BT_DBG("%s", hdev->name);

@@ -1739,18 +1740,69 @@ static int btusb_setup_csr(struct hci_dev *hdev)

 	rp = (struct hci_rp_read_local_version *)skb->data;

-	/* Detect controllers which aren't real CSR ones. */
+	/* Detect a wide host of Chinese controllers that aren't CSR.
+	 *
+	 * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891
+	 *
+	 * The main thing they have in common is that these are really popular low-cost
+	 * options that support newer Bluetooth versions but rely on heavy VID/PID
+	 * squatting of this poor old Bluetooth 1.1 device. Even sold as such.
+	 *
+	 * We detect actual CSR devices by checking that the HCI manufacturer code
+	 * is Cambridge Silicon Radio (10) and ensuring that LMP sub-version and
+	 * HCI rev values always match. As they both store the firmware number.
+	 */
 	if (le16_to_cpu(rp->manufacturer) != 10 ||
-	    le16_to_cpu(rp->lmp_subver) == 0x0c5c) {
+	    le16_to_cpu(rp->hci_rev) != le16_to_cpu(rp->lmp_subver))
+		is_fake = true;
+
+	/* Known legit CSR firmware build numbers and their supported BT versions:
+	 * - 1.1 (0x1) -> 0x0073, 0x020d, 0x033c, 0x034e
+	 * - 1.2 (0x2) ->                 0x04d9, 0x0529
+	 * - 2.0 (0x3) ->         0x07a6, 0x07ad, 0x0c5c
+	 * - 2.1 (0x4) ->         0x149c, 0x1735, 0x1899 (0x1899 is a BlueCore4-External)
+	 * - 4.0 (0x6) ->         0x1d86, 0x2031, 0x22bb
+	 *
+	 * e.g. Real CSR dongles with LMP subversion 0x73 are old enough that
+	 *      support BT 1.1 only; so it's a dead giveaway when some
+	 *      third-party BT 4.0 dongle reuses it.
+	 */
+	else if (le16_to_cpu(rp->lmp_subver) <= 0x034e &&
+		 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_1_1)
+		is_fake = true;
+
+	else if (le16_to_cpu(rp->lmp_subver) <= 0x0529 &&
+		 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_1_2)
+		is_fake = true;
+
+	else if (le16_to_cpu(rp->lmp_subver) <= 0x0c5c &&
+		 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_2_0)
+		is_fake = true;
+
+	else if (le16_to_cpu(rp->lmp_subver) <= 0x1899 &&
+		 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_2_1)
+		is_fake = true;
+
+	else if (le16_to_cpu(rp->lmp_subver) <= 0x22bb &&
+		 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_4_0)
+		is_fake = true;
+
+	if (is_fake) {
+		bt_dev_warn(hdev, "CSR: Unbranded CSR clone detected; adding workarounds...");
+
+		/* Generally these clones have big discrepancies between
+		 * advertised features and what's actually supported.
+		 * Probably will need to be expanded in the future;
+		 * without these the controller will lock up.
+		 */
+		set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
+		set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks);
+
 		/* Clear the reset quirk since this is not an actual
 		 * early Bluetooth 1.1 device from CSR.
 		 */
 		clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
-
-		/* These fake CSR controllers have all a broken
-		 * stored link key handling and so just disable it.
-		 */
-		set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
+		clear_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
 	}

 	kfree_skb(skb);
@@ -4001,11 +4053,13 @@ static int btusb_probe(struct usb_interface *intf,
 		if (bcdDevice < 0x117)
 			set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);

+		/* This must be set first in case we disable it for fakes */
+		set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
+
 		/* Fake CSR devices with broken commands */
-		if (bcdDevice <= 0x100 || bcdDevice == 0x134)
+		if (le16_to_cpu(udev->descriptor.idVendor)  == 0x0a12 &&
+		    le16_to_cpu(udev->descriptor.idProduct) == 0x0001)
 			hdev->setup = btusb_setup_csr;
-
-		set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
 	}

 	if (id->driver_info & BTUSB_SNIFFER) {
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index 181900553..155019220 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -41,6 +41,8 @@
 #define BLUETOOTH_VER_1_1	1
 #define BLUETOOTH_VER_1_2	2
 #define BLUETOOTH_VER_2_0	3
+#define BLUETOOTH_VER_2_1	4
+#define BLUETOOTH_VER_4_0	6

 /* Reserv for core and drivers use */
 #define BT_SKB_RESERVE	8
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 16ab6ce87..1c321b6d1 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -227,6 +227,17 @@ enum {
 	 * supported.
 	 */
 	HCI_QUIRK_VALID_LE_STATES,
+
+	/* When this quirk is set, then erroneous data reporting
+	 * is ignored. This is mainly due to the fact that the HCI
+	 * Read Default Erroneous Data Reporting command is advertised,
+	 * but not supported; these controllers often reply with unknown
+	 * command and tend to lock up randomly. Needing a hard reset.
+	 *
+	 * This quirk can be set before hci_register_dev is called or
+	 * during the hdev->setup vendor callback.
+	 */
+	HCI_QUIRK_BROKEN_ERR_DATA_REPORTING,
 };

 /* HCI device flags */
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index dbe2d79f2..48d7c7e23 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -606,7 +606,8 @@ static int hci_init3_req(struct hci_request *req, unsigned long opt)
 	if (hdev->commands[8] & 0x01)
 		hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);

-	if (hdev->commands[18] & 0x04)
+	if (hdev->commands[18] & 0x04 &&
+	    !test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks))
 		hci_req_add(req, HCI_OP_READ_DEF_ERR_DATA_REPORTING, 0, NULL);

 	/* Some older Broadcom based Bluetooth 1.2 controllers do not
@@ -851,7 +852,8 @@ static int hci_init4_req(struct hci_request *req, unsigned long opt)
 	/* Set erroneous data reporting if supported to the wideband speech
 	 * setting value
 	 */
-	if (hdev->commands[18] & 0x08) {
+	if (hdev->commands[18] & 0x08 &&
+	    !test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks)) {
 		bool enabled = hci_dev_test_flag(hdev,
 						 HCI_WIDEBAND_SPEECH_ENABLED);
	#!/usr/bin/env sh
	set -e

	function info {
	GREEN="\033[1;32m"
	RESET="\033[0m"
	echo -e "$GREEN==> $@$RESET"
	}

	version="${1:-$(uname -r \| cut -d'-' -f1)}"
	extra="${2:-$(uname -r \| cut -d'-' -f2-)}"

	fullversion="$version-$extra"

	modules=(
	'drivers/bluetooth:btusb'
	'net/bluetooth:bluetooth'
	)

	info Making patch for kernel $fullversion

	name="linux-$version"
	archive="$name.tar.xz"

	info Downloading kernel $name
	wget -c https://cdn.kernel.org/pub/linux/kernel/v5.x/$archive -O $archive

	info Extracting $archive
	tar -xJf $archive

	info Setting up kernel config
	make -C $name mrproper
	cp /usr/lib/modules/$fullversion/build/.config $name/
	cp /usr/lib/modules/$fullversion/build/Module.symvers $name/
	make -C $name oldconfig

	info Applying CSR dongle fix
	patch -p1 -d $name < fix_csr_dongle.patch

	info Preparing kernel modules
	make -C $name EXTRAVERSION=-$extra modules_prepare
	for module in "${modules[@]}" ; do
	module_path=${module%%:*}
	module_name=${module#*:}
	info Making $module_name kernel module
	make -C $name M=$module_path
	info Compressing $module_path/$module_name.ko kernel module
	xz $name/$module_path/$module_name.ko
	done

	info Installing
	sudo mkdir -p /usr/lib/modules/$fullversion/updates

	for module in "${modules[@]}" ; do
	module_path=${module%%:*}
	module_name=${module#*:}
	info Installing $module_name kernel module
	sudo cp -f $name/$module_path/$module_name.ko.xz /usr/lib/modules/$fullversion/updates/$module_name.ko.xz
	done

	info Copying csr-bluetoothdongle.conf to /etc/modprobe.d/ with contents:
	cat csr-bluetoothdongle.conf
	sudo cp -f csr-bluetoothdongle.conf /etc/modprobe.d/99-csr-bluetoothdongle.conf
	info Running 'mkinitcpio'
	sudo mkinitcpio -p linux

	info Removing temp files
	rm -f $archive
	rm -rf $name

	info Now you can reboot to load patched kernel modules
	diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
	index 5f022e9cf..5b8cf9ba9 100644
	--- a/drivers/bluetooth/btusb.c
	+++ b/drivers/bluetooth/btusb.c
	@@ -1720,6 +1720,7 @@ static int btusb_setup_csr(struct hci_dev *hdev)
	{
	struct hci_rp_read_local_version *rp;
	struct sk_buff *skb;
	+ bool is_fake = false;

	BT_DBG("%s", hdev->name);

	@@ -1739,18 +1740,69 @@ static int btusb_setup_csr(struct hci_dev *hdev)

	rp = (struct hci_rp_read_local_version *)skb->data;

	- /* Detect controllers which aren't real CSR ones. */
	+ /* Detect a wide host of Chinese controllers that aren't CSR.
	+ *
	+ * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891
	+ *
	+ * The main thing they have in common is that these are really popular low-cost
	+ * options that support newer Bluetooth versions but rely on heavy VID/PID
	+ * squatting of this poor old Bluetooth 1.1 device. Even sold as such.
	+ *
	+ * We detect actual CSR devices by checking that the HCI manufacturer code
	+ * is Cambridge Silicon Radio (10) and ensuring that LMP sub-version and
	+ * HCI rev values always match. As they both store the firmware number.
	+ */
	if (le16_to_cpu(rp->manufacturer) != 10 \|\|
	- le16_to_cpu(rp->lmp_subver) == 0x0c5c) {
	+ le16_to_cpu(rp->hci_rev) != le16_to_cpu(rp->lmp_subver))
	+ is_fake = true;
	+
	+ /* Known legit CSR firmware build numbers and their supported BT versions:
	+ * - 1.1 (0x1) -> 0x0073, 0x020d, 0x033c, 0x034e
	+ * - 1.2 (0x2) -> 0x04d9, 0x0529
	+ * - 2.0 (0x3) -> 0x07a6, 0x07ad, 0x0c5c
	+ * - 2.1 (0x4) -> 0x149c, 0x1735, 0x1899 (0x1899 is a BlueCore4-External)
	+ * - 4.0 (0x6) -> 0x1d86, 0x2031, 0x22bb
	+ *
	+ * e.g. Real CSR dongles with LMP subversion 0x73 are old enough that
	+ * support BT 1.1 only; so it's a dead giveaway when some
	+ * third-party BT 4.0 dongle reuses it.
	+ */
	+ else if (le16_to_cpu(rp->lmp_subver) <= 0x034e &&
	+ le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_1_1)
	+ is_fake = true;
	+
	+ else if (le16_to_cpu(rp->lmp_subver) <= 0x0529 &&
	+ le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_1_2)
	+ is_fake = true;
	+
	+ else if (le16_to_cpu(rp->lmp_subver) <= 0x0c5c &&
	+ le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_2_0)
	+ is_fake = true;
	+
	+ else if (le16_to_cpu(rp->lmp_subver) <= 0x1899 &&
	+ le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_2_1)
	+ is_fake = true;
	+
	+ else if (le16_to_cpu(rp->lmp_subver) <= 0x22bb &&
	+ le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_4_0)
	+ is_fake = true;
	+
	+ if (is_fake) {
	+ bt_dev_warn(hdev, "CSR: Unbranded CSR clone detected; adding workarounds...");
	+
	+ /* Generally these clones have big discrepancies between
	+ * advertised features and what's actually supported.
	+ * Probably will need to be expanded in the future;
	+ * without these the controller will lock up.
	+ */
	+ set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
	+ set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks);
	+
	/* Clear the reset quirk since this is not an actual
	* early Bluetooth 1.1 device from CSR.
	*/
	clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
	-
	- /* These fake CSR controllers have all a broken
	- * stored link key handling and so just disable it.
	- */
	- set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
	+ clear_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
	}

	kfree_skb(skb);
	@@ -4001,11 +4053,13 @@ static int btusb_probe(struct usb_interface *intf,
	if (bcdDevice < 0x117)
	set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);

	+ /* This must be set first in case we disable it for fakes */
	+ set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
	+
	/* Fake CSR devices with broken commands */
	- if (bcdDevice <= 0x100 \|\| bcdDevice == 0x134)
	+ if (le16_to_cpu(udev->descriptor.idVendor) == 0x0a12 &&
	+ le16_to_cpu(udev->descriptor.idProduct) == 0x0001)
	hdev->setup = btusb_setup_csr;
	-
	- set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
	}

	if (id->driver_info & BTUSB_SNIFFER) {
	diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
	index 181900553..155019220 100644
	--- a/include/net/bluetooth/bluetooth.h
	+++ b/include/net/bluetooth/bluetooth.h
	@@ -41,6 +41,8 @@
	#define BLUETOOTH_VER_1_1 1
	#define BLUETOOTH_VER_1_2 2
	#define BLUETOOTH_VER_2_0 3
	+#define BLUETOOTH_VER_2_1 4
	+#define BLUETOOTH_VER_4_0 6

	/* Reserv for core and drivers use */
	#define BT_SKB_RESERVE 8
	diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
	index 16ab6ce87..1c321b6d1 100644
	--- a/include/net/bluetooth/hci.h
	+++ b/include/net/bluetooth/hci.h
	@@ -227,6 +227,17 @@ enum {
	* supported.
	*/
	HCI_QUIRK_VALID_LE_STATES,
	+
	+ /* When this quirk is set, then erroneous data reporting
	+ * is ignored. This is mainly due to the fact that the HCI
	+ * Read Default Erroneous Data Reporting command is advertised,
	+ * but not supported; these controllers often reply with unknown
	+ * command and tend to lock up randomly. Needing a hard reset.
	+ *
	+ * This quirk can be set before hci_register_dev is called or
	+ * during the hdev->setup vendor callback.
	+ */
	+ HCI_QUIRK_BROKEN_ERR_DATA_REPORTING,
	};

	/* HCI device flags */
	diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
	index dbe2d79f2..48d7c7e23 100644
	--- a/net/bluetooth/hci_core.c
	+++ b/net/bluetooth/hci_core.c
	@@ -606,7 +606,8 @@ static int hci_init3_req(struct hci_request *req, unsigned long opt)
	if (hdev->commands[8] & 0x01)
	hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);

	- if (hdev->commands[18] & 0x04)
	+ if (hdev->commands[18] & 0x04 &&
	+ !test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks))
	hci_req_add(req, HCI_OP_READ_DEF_ERR_DATA_REPORTING, 0, NULL);

	/* Some older Broadcom based Bluetooth 1.2 controllers do not
	@@ -851,7 +852,8 @@ static int hci_init4_req(struct hci_request *req, unsigned long opt)
	/* Set erroneous data reporting if supported to the wideband speech
	* setting value
	*/
	- if (hdev->commands[18] & 0x08) {
	+ if (hdev->commands[18] & 0x08 &&
	+ !test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks)) {
	bool enabled = hci_dev_test_flag(hdev,
	HCI_WIDEBAND_SPEECH_ENABLED);