Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21 2026-04-02T11:23:08+00:00 2026-04-02T11:23:08+00:00 Cen Zhang zzzccc427@gmail.com 2026-03-18T12:54:03+00:00 urn:sha1:66696648af477dc87859e5e4b607112f5f29d010 [ Upstream commit 94d8e6fe5d0818e9300e514e095a200bd5ff93ae ] btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer. Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260 Fixes: 973bb97e5aee ("Bluetooth: btintel: Add generic function for handling hardware errors") Signed-off-by: Cen Zhang <zzzccc427@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-09-27T15:36:59+00:00 Kiran K kiran.k@intel.com 2025-07-24T12:28:24+00:00 urn:sha1:926e8bfaaa11471b3df25befc284da62b11a1e92 Add support for the BlazarIW Bluetooth core used in the Wildcat Lake platform. HCI traces: < HCI Command: Intel Read Version (0x3f|0x0005) plen 1 Requested Type: All Supported Types(0xff) > HCI Event: Command Complete (0x0e) plen 122 Intel Read Version (0x3f|0x0005) ncmd 1 Status: Success (0x00) ..... CNVi BT(18): 0x00223700 - BlazarIW(0x22) ..... ..... Signed-off-by: Vijay Satija <vijay.satija@intel.com> Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-07-23T14:31:03+00:00 Kiran K kiran.k@intel.com 2025-07-11T10:07:25+00:00 urn:sha1:15843c7fdba65568704245fd3ea2aa3aa2d50825 Use macro for Intel Reset command (0xfc01) instead of hard coded value. Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-07-23T14:29:19+00:00 Bastien Nocera hadess@hadess.net 2025-07-03T17:16:55+00:00 urn:sha1:9918b837fac203c7139499ba162d779572b476ab Found by codespell. Signed-off-by: Bastien Nocera <hadess@hadess.net> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-07-16T19:37:53+00:00 Christian Eggers ceggers@arri.de 2025-07-14T20:27:45+00:00 urn:sha1:6851a0c228fc040dce8e4c393004209e7372e0a3 The 'quirks' member already ran out of bits on some platforms some time ago. Replace the integer member by a bitmap in order to have enough bits in future. Replace raw bit operations by accessor macros. Fixes: ff26b2dd6568 ("Bluetooth: Add quirk for broken READ_VOICE_SETTING") Fixes: 127881334eaa ("Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE") Suggested-by: Pauli Virtanen <pav@iki.fi> Tested-by: Ivan Pravdin <ipravdin.official@gmail.com> Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Christian Eggers <ceggers@arri.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-07-16T19:33:13+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2025-07-09T19:02:56+00:00 urn:sha1:6ec3185fbc3528f2284c347fb9bd8be6fa672ed4 Due to what seem to be a bug with variant version returned by some firmwares the code may set hdev->classify_pkt_type with btintel_classify_pkt_type when in fact the controller doesn't even support ISO channels feature but may use the handle range expected from a controllers that does causing the packets to be reclassified as ISO causing several bugs. To fix the above btintel_classify_pkt_type will attempt to check if the controller really supports ISO channels and in case it doesn't don't reclassify even if the handle range is considered to be ISO, this is considered safer than trying to fix the specific controller/firmware version as that could change over time and causing similar problems in the future. Link: https://bugzilla.kernel.org/show_bug.cgi?id=219553 Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2100565 Link: https://github.com/StarLabsLtd/firmware/issues/180 Fixes: f25b7fd36cc3 ("Bluetooth: Add vendor-specific packet classification for ISO data") Cc: stable@vger.kernel.org Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Tested-by: Sean Rhodes <sean@starlabs.systems> 2025-05-22T17:06:28+00:00 Kees Cook kees@kernel.org 2025-05-20T16:31:35+00:00 urn:sha1:3aa1dc3c9060e335e82e9c182bf3d1db29220b1b Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr. Reported-by: zepta <z3ptaa@gmail.com> Closes: https://lore.kernel.org/all/CAPBS6KoaWV9=dtjTESZiU6KK__OZX0KpDk-=JEH8jCHFLUYv3Q@mail.gmail.com Fixes: eb9e749c0182 ("Bluetooth: btintel: Allow configuring drive strength of BRI") Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-05-21T14:27:05+00:00 Kiran K kiran.k@intel.com 2025-04-02T02:11:48+00:00 urn:sha1:689b5a8071c4fb9af89216d4d1ffa027db16e531 All Intel diagnostic events are part of HCI traces and there is no need to generate coredump for the same. Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-03-25T16:51:42+00:00 Vijay Satija vijay.satija@intel.com 2025-03-07T11:00:11+00:00 urn:sha1:e036afb1fe440273bb130e58b665490d0d09fd36 BRDS - Bluetooth Regulatory Domain Specific absorption rate Bluetooth has regulatory limitations which prohibit or allow usage of certain bands or channels as well as limiting Tx power. The Tx power values can be configured in ACPI table. This patch reads from ACPI entry configures the controller accordingly. Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Vijay Satija <vijay.satija@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-03-25T16:31:41+00:00 Kiran K kiran.k@intel.com 2025-01-29T02:58:17+00:00 urn:sha1:bb3569ac360426c826878630802d96a87fb70a09 Add DSBR support for Scorpious Peak cores. Refer commit eb9e749c0182 ("Bluetooth: btintel: Allow configuring drive strength of BRI") for details about DSBR. Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>