kernel/linux.git/include/net/bluetooth, branch v6.11.8Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v6.11.82024-11-01T01:02:37+00:00Bluetooth: SCO: Fix UAF on sco_sock_timeout2024-11-01T01:02:37+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-10-22T16:31:08+00:00urn:sha1:80b05fbfa998480fb3d5299d93eab946f51e9c36
[ Upstream commit 1bf4470a3939c678fb822073e9ea77a0560bc6bb ]
conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.
Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Tested-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED2024-10-04T14:37:29+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-08-30T21:29:27+00:00urn:sha1:f68f72d04b60d3af36b63b888fe084966bca07b9
[ Upstream commit d47da6bd4cfa982fe903f33423b9e2ec541e9496 ]
If HCI_CONN_MGMT_CONNECTED has been set then the event shall be
HCI_CONN_MGMT_DISCONNECTED.
Fixes: b644ba336997 ("Bluetooth: Update device_connected and device_found events to latest API")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE"2024-08-30T21:56:53+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-08-27T18:37:22+00:00urn:sha1:532f8bcd1c2c4e8112f62e1922fd1703bc0ffce0
This reverts commit 59b047bc98084f8af2c41483e4d68a5adf2fa7f7 which
breaks compatibility with commands like:
bluetoothd[46328]: @ MGMT Command: Load.. (0x0013) plen 74 {0x0001} [hci0]
Keys: 2
BR/EDR Address: C0:DC:DA:A5:E5:47 (Samsung Electronics Co.,Ltd)
Key type: Authenticated key from P-256 (0x03)
Central: 0x00
Encryption size: 16
Diversifier[2]: 0000
Randomizer[8]: 0000000000000000
Key[16]: 6ed96089bd9765be2f2c971b0b95f624
LE Address: D7:2A:DE:1E:73:A2 (Static)
Key type: Unauthenticated key from P-256 (0x02)
Central: 0x00
Encryption size: 16
Diversifier[2]: 0000
Randomizer[8]: 0000000000000000
Key[16]: 87dd2546ededda380ffcdc0a8faa4597
@ MGMT Event: Command Status (0x0002) plen 3 {0x0001} [hci0]
Load Long Term Keys (0x0013)
Status: Invalid Parameters (0x0d)
Cc: stable@vger.kernel.org
Link: https://github.com/bluez/bluez/issues/875
Fixes: 59b047bc9808 ("Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once2024-08-30T21:56:34+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-08-26T19:47:30+00:00urn:sha1:c898f6d7b093bd71e66569cd6797c87d4056f44b
This introduces hci_cmd_sync_run/hci_cmd_sync_run_once which acts like
hci_cmd_sync_queue/hci_cmd_sync_queue_once but runs immediately when
already on hdev->cmd_sync_work context.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in2024-08-15T17:07:55+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-08-12T14:43:48+00:00urn:sha1:aae6b81260fd9a7224f7eb4fc440d625852245bb
This inverts the LE State quirk so by default we assume the controllers
would report valid states rather than invalid which is how quirks
normally behave, also this would result in HCI command failing it the LE
States are really broken thus exposing the controllers that are really
broken in this respect.
Link: https://github.com/bluez/bluez/issues/584
Fixes: 220915857e29 ("Bluetooth: Adding driver and quirk defs for multi-role LE")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: Remove hci_request.{c,h}2024-07-15T14:11:35+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-07-01T21:10:41+00:00urn:sha1:936daee9cf08c5e58c9a0fe687f52adb2d80e87d
This removes hci_request.{c,h} since it shall no longer be used.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Remove remaining dependencies of hci_request2024-07-15T14:11:33+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-07-01T20:52:57+00:00urn:sha1:f2d89775358606c7ab6b6b6c4a02fe1e8cd270b1
This removes the dependencies of hci_req_init and hci_request_cancel_all
from hci_sync.c.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_core: Don't use hci_prepare_cmd2024-07-15T14:11:29+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-07-01T20:13:56+00:00urn:sha1:176cbeceb5c5a740216a6be3e751e76aaddf94b9
This replaces the instance of hci_prepare_cmd with hci_cmd_sync_alloc
since the former is part of hci_request.c which is considered
deprecated.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_core: Remove usage of hci_req_sync2024-07-15T14:11:27+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2024-07-01T20:00:08+00:00urn:sha1:92048ab2e2e6cc90ad1cc9f55deb5cec4d731793
hci_request functions are considered deprecated so this replaces the
usage of hci_req_sync with hci_inquiry_sync.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_core: cleanup struct hci_dev2024-07-15T14:11:19+00:00Dmitry Antipovdmantipov@yandex.ru2024-06-21T13:01:55+00:00urn:sha1:3ba74b2f288bbc17c0c2a58ab219e1df19f80153
Remove unused and set but otherwise unused 'discovery_old_state'
and 'sco_last_tx' members of 'struct hci_dev'. The first one is
a leftover after commit 182ee45da083 ("Bluetooth: hci_sync: Rework
hci_suspend_notifier"); the second one is originated from ancient
2.4.19 and I was unable to find any actual use since that.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>