kernel/linux.git/drivers/bluetooth/btsdio.c, branch v6.1.168

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

2023-09-06T20:27:01+00:00

commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 upstream. In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame. If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove. Fixes: CVE-2023-1989 Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices") Cc: stable@vger.kernel.org Signed-off-by: Zheng Wang Signed-off-by: Luiz Augusto von Dentz [ Denis: Added CVE-2023-1989 and fixes tags. ] Signed-off-by: Denis Efremov (Oracle) Signed-off-by: Greg Kroah-Hartman

Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"

2023-05-11T14:03:26+00:00

[ Upstream commit db2bf510bd5d57f064d9e1db395ed86a08320c54 ] This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. This patch introduces a possible null-ptr-def problem. Revert it. And the fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition"). Fixes: 1e9ac114c442 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work") Signed-off-by: Liu Jian Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

2023-03-30T10:49:12+00:00

[ Upstream commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f ] In btsdio_probe, &data->work was bound with btsdio_work.In btsdio_send_frame, it was started by schedule_work. If we call btsdio_remove with an unfinished job, there may be a race condition and cause UAF bug on hdev. Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices") Signed-off-by: Zheng Wang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin

Bluetooth: btsdio: Do not bind to non-removable BCM4345 and BCM43455

2021-10-20T13:04:13+00:00

BCM4345 and BCM43455 devices soldered onto the PCB (non-removable), use an UART connection for Bluetooth, such as in the Pinebook Pro, and the advertised btsdio support as an SDIO function is ignored. Reviewed-by: Dragan Simic Signed-off-by: Kyle Copperfield Signed-off-by: Marcel Holtmann

Bluetooth: btsdio: Check for valid packet type

2020-01-15T21:28:51+00:00

Check for valid packet type before calling hci_recv_frame which is inline with what other drivers are doing. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann

Bluetooth: btsdio: Do not bind to non-removable BCM4356

2019-07-06T10:27:55+00:00

BCM4356 devices soldered onto the PCB (non-removable) use an UART connection for bluetooth, such as the Rock960, but it also advertise btsdio support as a sdio function. Signed-off-by: Peter Robinson CC: Manivannan Sadhasivam Signed-off-by: Marcel Holtmann

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156

2019-05-30T18:26:35+00:00

Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 59 temple place suite 330 boston ma 02111 1307 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 1334 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Richard Fontana Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de Signed-off-by: Greg Kroah-Hartman

Bluetooth: btsdio: Use module_sdio_driver helper

2019-04-23T16:09:07+00:00

Macro module_sdio_driver is used for drivers whose init and exit paths only register and unregister to SDIO API. So remove boilerplate code to make code simpler by using module_sdio_driver. Signed-off-by: Sean Wang Acked-by: Ulf Hansson Signed-off-by: Marcel Holtmann

Bluetooth: btsdio: Do not bind to non-removable BCM43430

2018-10-14T08:23:47+00:00

BCM43430 devices soldered onto the PCB (non-removable) use an UART connection for bluetooth. But also advertise btsdio support on their 3th sdio function. Signed-off-by: Cho, Yu-Chen Signed-off-by: Marcel Holtmann

Bluetooth: btsdio: Do not bind to non-removable BCM43341

2017-12-12T23:28:41+00:00

BCM43341 devices soldered onto the PCB (non-removable) always (AFAICT) use an UART connection for bluetooth. But they also advertise btsdio support on their 3th sdio function, this causes 2 problems: 1) A non functioning BT HCI getting registered 2) Since the btsdio driver does not have suspend/resume callbacks, mmc_sdio_pre_suspend will return -ENOSYS, causing mmc_pm_notify() to react as if the SDIO-card is removed and since the slot is marked as non-removable it will never get detected as inserted again. Which results in wifi no longer working after a suspend/resume. This commit fixes both by making btsdio ignore BCM43341 devices when connected to a slot which is marked non-removable. Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Signed-off-by: Marcel Holtmann