Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2026-03-12T11:09:34+00:00 2026-03-12T11:09:34+00:00 Heitor Alves de Siqueira halves@igalia.com 2026-02-11T18:03:35+00:00 urn:sha1:3de7c10a950b36affc692d8bd2ac713852580e56 commit 21e4271e65094172aadd5beb8caea95dd0fbf6d7 upstream. When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak. Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue. Fixes: 134f4b39df7b ("Bluetooth: add support for skb TX SND/COMPLETION timestamping") Reported-by: syzbot+7ff4013eabad1407b70a@syzkaller.appspotmail.com Closes: https://syzbot.org/bug?extid=7ff4013eabad1407b70a Cc: stable@vger.kernel.org Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-12-01T21:00:07+00:00 Yang Li yang.li@amlogic.com 2025-10-27T06:10:02+00:00 urn:sha1:56f765ce73b4303ec5d85439ca7ce1bc0736d18b When both BIS and CIS links exist, their sockets are in the BT_LISTEN state. dump sock: sk 000000001977ef51 state 6 src 10:a5:62:31:05:cf dst 00:00:00:00:00:00 sk 0000000031d28700 state 7 src 10:a5:62:31:05:cf dst00:00:00:00:00:00 sk 00000000613af00e state 4 # listen sock of bis src 10:a5:62:31:05:cf dst 54:00:00:d4:99:30 sk 000000001710468c state 9 src 10:a5:62:31:05:cf dst 54:00:00:d4:99:30 sk 000000005d97dfde state 4 #listen sock of cis src 10:a5:62:31:05:cf dst 00:00:00:00:00:00 To locate the CIS socket correctly, check both the BT_LISTEN state and whether dst addr is BDADDR_ANY. Link: https://github.com/bluez/bluez/issues/1224 Signed-off-by: Yang Li <yang.li@amlogic.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-12-01T21:00:06+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2025-10-06T20:53:35+00:00 urn:sha1:577cf4c0a1e8471a0d6c0f36bb3716285e27ad5e The source address for a BIS sender/Broadcast Source shall be updated with the advertisement address since in case privacy is enabled it may use an RPA rather than an identity address. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-12-01T21:00:06+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2025-09-29T21:43:53+00:00 urn:sha1:f817db10dc80d5d1eece60d93eba11062afe5154 Broadcasters maybe using RPAs which can change over time and not matching the address used as destination in the socket, so this attempts to resolve the addresses then match with the socket address, in case that uses an indentity address, or then match the IRKs if both broadcaster and socket are using RPAs. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-12-01T21:00:04+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2025-09-05T15:34:44+00:00 urn:sha1:d3413703d5f8b7d1e6f514f9440ed5da1bc30796 This makes it possible to bind to a different destination address after being connected (BT_CONNECTED, BT_CONNECT2) which then triggers PAST Sender proceedure to transfer the PA Sync to the destination address. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-12-01T20:58:54+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2025-09-02T15:11:40+00:00 urn:sha1:33b2835f0b7e2a458473b0e3a23b54b92108b6b0 This adds PAST related commands (HCI_OP_LE_PAST, HCI_OP_LE_PAST_SET_INFO and HCI_OP_LE_PAST_PARAMS) and events (HCI_EV_LE_PAST_RECEIVED) along with handling of PAST sender and receiver features bits including new MGMG settings ( HCI_EV_LE_PAST_RECEIVED and MGMT_SETTING_PAST_RECEIVER) which userspace can use to determine if PAST is supported by the controller. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-11-27T20:19:08+00:00 Jakub Kicinski kuba@kernel.org 2025-11-27T20:16:40+00:00 urn:sha1:db4029859d6fd03f0622d394f4cdb1be86d7ec62 Conflicts: net/xdp/xsk.c 0ebc27a4c67d ("xsk: avoid data corruption on cq descriptor number") 8da7bea7db69 ("xsk: add indirect call for xsk_destruct_skb") 30ed05adca4a ("xsk: use a smaller new lock for shared pool case") https://lore.kernel.org/20251127105450.4a1665ec@canb.auug.org.au https://lore.kernel.org/eb4eee14-7e24-4d1b-b312-e9ea738fefee@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2025-11-20T22:01:09+00:00 Pauli Virtanen pav@iki.fi 2025-11-15T16:43:55+00:00 urn:sha1:79a2d4678ba90bdba577dc3af88cc900d6dcd5ee The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't ensure hci_conn* is not concurrently modified/deleted. This locking appears to be leftover from before conn_hash started using RCU commit bf4c63252490b ("Bluetooth: convert conn hash to RCU") and not clear if it had purpose since then. Currently, there are code paths that delete hci_conn* from elsewhere than the ordered hdev->workqueue where the RX work runs in. E.g. commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync") introduced some of these, and there probably were a few others before it. It's better to do the locking so that even if these run concurrently no UAF is possible. Move the lookup of hci_conn and associated socket-specific conn to protocol recv handlers, and do them within a single critical section to cover hci_conn* usage and lookup. syzkaller has reported a crash that appears to be this issue: [Task hdev->workqueue] [Task 2] hci_disconnect_all_sync l2cap_recv_acldata(hcon) hci_conn_get(hcon) hci_abort_conn_sync(hcon) hci_dev_lock hci_dev_lock hci_conn_del(hcon) v-------------------------------- hci_dev_unlock hci_conn_put(hcon) conn = hcon->l2cap_data (UAF) Fixes: 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync") Reported-by: syzbot+d32d77220b92eddd89ad@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d32d77220b92eddd89ad Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-11-05T03:10:32+00:00 Kees Cook kees@kernel.org 2025-11-04T00:26:11+00:00 urn:sha1:85cb0757d7e1f9370a8b52a8b8144c37941cba0a Update all struct proto_ops connect() callback function prototypes from "struct sockaddr *" to "struct sockaddr_unsized *" to avoid lying to the compiler about object sizes. Calls into struct proto handlers gain casts that will be removed in the struct proto conversion patch. No binary changes expected. Signed-off-by: Kees Cook <kees@kernel.org> Link: https://patch.msgid.link/20251104002617.2752303-3-kees@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2025-11-05T03:10:32+00:00 Kees Cook kees@kernel.org 2025-11-04T00:26:10+00:00 urn:sha1:0e50474fa514822e9d990874e554bf8043a201d7 Update all struct proto_ops bind() callback function prototypes from "struct sockaddr *" to "struct sockaddr_unsized *" to avoid lying to the compiler about object sizes. Calls into struct proto handlers gain casts that will be removed in the struct proto conversion patch. No binary changes expected. Signed-off-by: Kees Cook <kees@kernel.org> Link: https://patch.msgid.link/20251104002617.2752303-2-kees@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>