Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168 2024-05-17T09:56:11+00:00 2024-05-17T09:56:11+00:00 Sungwoo Kim iam@sung-woo.kim 2024-04-30T16:20:51+00:00 urn:sha1:e3880b531b68f98d3941d83f2f6dd11cf4fd6b76 [ Upstream commit 10f9f426ac6e752c8d87bf4346930ba347aaabac ] Tying the msft->data lifetime to hdev by freeing it in hci_release_dev() to fix the following case: [use] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- passed. return; mutex_lock(&msft->filter_lock); ...(4) <- used after freed. [free] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed. ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309 Fixes: bf6a4e30ffbd ("Bluetooth: disable advertisement filters during suspend") Signed-off-by: Sungwoo Kim <iam@sung-woo.kim> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-08-09T00:04:37+00:00 Soenke Huster soenke.huster@eknoes.de 2022-07-22T11:53:07+00:00 urn:sha1:ce78e557ff8819f2d10e8d6bae79404bfbbd6809 __hci_cmd_sync returns NULL if the controller responds with a status event. This is unexpected for the commands sent here, but on occurrence leads to null pointer dereferences and thus must be handled. Signed-off-by: Soenke Huster <soenke.huster@eknoes.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-07-22T00:14:55+00:00 Manish Mandlik mmandlik@google.com 2022-07-20T23:21:14+00:00 urn:sha1:7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c Make use of hci_cmd_sync_queue for removing an advertisement monitor. Signed-off-by: Manish Mandlik <mmandlik@google.com> Reviewed-by: Miao-chen Chou <mcchou@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-07-22T00:14:32+00:00 Manish Mandlik mmandlik@google.com 2022-07-20T23:21:13+00:00 urn:sha1:b747a83690c8f53bc7a3f75899415c699b2c51aa Make use of hci_cmd_sync_queue for adding an advertisement monitor. Signed-off-by: Manish Mandlik <mmandlik@google.com> Reviewed-by: Miao-chen Chou <mcchou@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-03-18T16:12:08+00:00 Manish Mandlik mmandlik@google.com 2022-03-12T10:08:58+00:00 urn:sha1:37b63c68194d09d358c8abd73692adf9a6ceaad3 Clear already tracked devices on system resume. Once the monitors are reregistered after resume, matched devices in range will be found again. Signed-off-by: Manish Mandlik <mmandlik@google.com> Reviewed-by: Miao-chen Chou <mcchou@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2022-01-23T14:30:18+00:00 Soenke Huster soenke.huster@eknoes.de 2022-01-23T05:57:09+00:00 urn:sha1:5201d23cc8e57531e0b17e41c0ae10405ba6abd3 msft_find_handle_data returns NULL if it can't find the handle. Therefore, handle_data must be checked, otherwise a null pointer is dereferenced. Signed-off-by: Soenke Huster <soenke.huster@eknoes.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2022-01-20T21:10:28+00:00 Manish Mandlik mmandlik@google.com 2022-01-11T16:14:26+00:00 urn:sha1:8d7f167752c3e4c45a39e76ffa6f7209413d3fa6 This patch introduces two new MGMT events for notifying the bluetoothd whenever the controller starts/stops monitoring a device. Test performed: - Verified by logs that the MSFT Monitor Device is received from the controller and the bluetoothd is notified whenever the controller starts/stops monitoring a device. Signed-off-by: Manish Mandlik <mmandlik@google.com> Reviewed-by: Miao-chen Chou <mcchou@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-01-20T21:10:21+00:00 Manish Mandlik mmandlik@google.com 2022-01-11T16:14:25+00:00 urn:sha1:3368aa357f3ba133ae65fc26c04d24a1447a3903 Whenever the controller starts/stops monitoring a bt device, it sends MSFT Monitor Device event. Add handler to read this vendor event. Test performed: - Verified by logs that the MSFT Monitor Device event is received from the controller whenever it starts/stops monitoring a device. Signed-off-by: Manish Mandlik <mmandlik@google.com> Reviewed-by: Miao-chen Chou <mcchou@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2021-12-07T16:05:50+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2021-12-01T18:55:03+00:00 urn:sha1:3e54c5890c87a30b1019a3de9dab968ff2b21e06 This change the use of switch statement to a function table which is easier to extend and can include min/max length of each HCI event. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2021-10-29T14:52:00+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2021-10-27T23:59:00+00:00 urn:sha1:182ee45da083db4e3e621541ccf255bfa9652214 This makes hci_suspend_notifier use the hci_*_sync which can be executed synchronously which is allowed in the suspend_notifier and simplifies a lot of the handling since the status of each command can be checked inline so no other work need to be scheduled thus can be performed without using of a state machine. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>