kernel/linux.git/drivers/bluetooth/btintel.c, branch v6.1.175

Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

2026-06-01T15:38:54+00:00

[ Upstream commit 94d8e6fe5d0818e9300e514e095a200bd5ff93ae ] btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer. Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260 Fixes: 973bb97e5aee ("Bluetooth: btintel: Add generic function for handling hardware errors") Signed-off-by: Cen Zhang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Fang Wang <32840572@qq.com> Signed-off-by: Sasha Levin

Bluetooth: btintel: Fixe build regression

2024-04-13T11:05:27+00:00

commit 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd upstream. This fixes the following build regression: drivers-bluetooth-btintel.c-btintel_read_version()-warn: passing-zero-to-PTR_ERR Fixes: b79e04091010 ("Bluetooth: btintel: Fix null ptr deref in btintel_read_version") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman

Bluetooth: btintel: Fix null ptr deref in btintel_read_version

2024-04-13T11:05:03+00:00

[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ] If hci_cmd_sync_complete() is triggered and skb is NULL, then hdev->req_skb is NULL, which will cause this issue. Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin

Bluetooth: btintel: Add LE States quirk support

2023-05-24T16:32:39+00:00

[ Upstream commit 77f542b10c535c9a93bf8afdd2665524935807c2 ] Basically all Intel controllers support both Central/Peripheral LE states. This patch enables the LE States quirk by default on all Solar and Magnertor Intel controllers. Signed-off-by: Chethan T N Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin

Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()

2022-12-31T12:32:28+00:00

[ Upstream commit cee50ce899de415baf4da3ed38b7d4f13c3170d1 ] skb allocated by __hci_cmd_sync would not be used whether in checking for supported iBT hardware variants or after, we should free it in all error branches, this patch makes the case read version failed or default error case free skb before return. Fixes: c86c7285bb08 ("Bluetooth: btintel: Fix the legacy bootloader returns tlv based version") Fixes: 019a1caa7fd2 ("Bluetooth: btintel: Refactoring setup routine for bootloader devices") Signed-off-by: Wang ShaoBo Reviewed-by: Tedd Ho-Jeong An Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin

Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk

2022-09-09T19:20:25+00:00

HarrrisonPeak, CyclonePeak, SnowFieldPeak and SandyPeak controllers are marked to support HCI_QUIRK_LE_STATES. Signed-off-by: Kiran K Signed-off-by: Chethan T N Signed-off-by: Luiz Augusto von Dentz

Bluetooth: btintel: Add support for Magnetor

2022-09-09T19:20:25+00:00

Hardware variant for Magnetor core (CNVi) is added. Signed-off-by: Kiran K Signed-off-by: Luiz Augusto von Dentz

Bluetooth: btintel: Constify static struct regmap_bus

2022-05-13T11:05:48+00:00

The only usage of regmap_ibt is to (after the regmap_init() macro is expanded), pass its address to __regmap_init(), which takes a pointer to const struct regmap_bus as input. Make it const to allow the compiler to put it in read-only memory. Signed-off-by: Rikard Falkeborn Signed-off-by: Marcel Holtmann

Bluetooth: btintel: Fix WBS setting for Intel legacy ROM products

2022-01-21T20:37:48+00:00

This patch adds the flag to identify the Intel legacy ROM products that don't support WBS like WP and StP. Fixes: 3df4dfbec0f29 ("Bluetooth: btintel: Move hci quirks to setup routine") Signed-off-by: Tedd Ho-Jeong An Signed-off-by: Marcel Holtmann

Bluetooth: btintel: Fix broken LED quirk for legacy ROM devices

2022-01-07T07:29:21+00:00

This patch fixes the broken LED quirk for Intel legacy ROM devices. To fix the LED issue that doesn't turn off immediately, the host sends the SW RFKILL command while shutting down the interface and it puts the devices in SW RFKILL state. Once the device is in SW RFKILL state, it can only accept HCI_Reset to exit from the SW RFKILL state. This patch checks the quirk for broken LED and sends the HCI_Reset before sending the HCI_Intel_Read_Version command. The affected legacy ROM devices are - 8087:07dc - 8087:0a2a - 8087:0aa7 Fixes: ffcba827c0a1d ("Bluetooth: btintel: Fix the LED is not turning off immediately") Signed-off-by: Tedd Ho-Jeong An Signed-off-by: Marcel Holtmann