mirror of
https://github.com/torvalds/linux.git
synced 2026-05-30 18:13:41 +02:00
bluetooth pull request for net:
- L2CAP: Fix L2CAP MTU negotiation - hci_core: Fix use-after-free in vhci_flush() - btintel_pcie: Fix potential race condition in firmware download - hci_qca: fix unable to load the BT driver -----BEGIN PGP SIGNATURE----- iQJNBAABCgA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmhZhnIZHGx1aXoudm9u LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKZX6EACeRMlkRoRe7oUKqfpXw+R+ RLdYvvco2LVSIwaMq664kHQWAbNcSj2okXcbJqPTXjHR1CZhaFGp6Rufgi1kz363 r19Ym4eGL2ZN9JlQwSDJqbWMrXxCo5tB4ymNof3yW+2ZPRurqDJDwCjcnhikfG14 v8ZOQRxDJOJdPSyqtW75qgFNv9Szekg272ZeLjAK/6XSqMpiPzyLsN4TJdij2Wf6 Ie02w368TQkmJMHly37QE24hDkyZ/UuR0lmTyB0bTCAiDwnTya8oWEUPRwa5I1+S 1FubHOBUGlx907bEJXZkBow98sCsChg/PNGqO0dsoJD/GJo4U6lUX1Lb/6qWNL+d T6PcDLMKRrDcY9ZgPAqSq7sYvzPGjaw+JWTN01okr5mVoVEsh8XDLhEQYPKJ8NzU TJy6FHXtZyGuqw21VD9+VbGrOFJMNYUVhUxQZidAaxQbqE7Vgl59Hj08Z6zGad26 hE8srBlGH7PcJN+DSXX9coYP11bSWVgXKLgmXgtPF3jVYQOch+Vxhcz3kIGSIZe1 W5qFfJhurHjdFEop6IRAXOJUeZWL8/YEcQJbFcS3Z2pfGAitY438Y18tvHibcvbc 7c/DMt7586qh1VbQSz0Gf8IeUuXMlAXlVaIYTKTtlURuo1w8+f+cz/PowtSKIjum J1N/Jf+1DzCVPO2tazdd1w== =vb9E -----END PGP SIGNATURE----- Merge tag 'for-net-2025-06-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - L2CAP: Fix L2CAP MTU negotiation - hci_core: Fix use-after-free in vhci_flush() - btintel_pcie: Fix potential race condition in firmware download - hci_qca: fix unable to load the BT driver * tag 'for-net-2025-06-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: hci_core: Fix use-after-free in vhci_flush() driver: bluetooth: hci_qca:fix unable to load the BT driver Bluetooth: L2CAP: Fix L2CAP MTU negotiation Bluetooth: btintel_pcie: Fix potential race condition in firmware download ==================== Link: https://patch.msgid.link/20250623165405.227619-1-luiz.dentz@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Paolo Abeni
commit
1fd26729e0
|
|
@ -2033,6 +2033,28 @@ static void btintel_pcie_release_hdev(struct btintel_pcie_data *data)
|
|||
data->hdev = NULL;
|
||||
}
|
||||
|
||||
static void btintel_pcie_disable_interrupts(struct btintel_pcie_data *data)
|
||||
{
|
||||
spin_lock(&data->irq_lock);
|
||||
btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_FH_INT_MASK, data->fh_init_mask);
|
||||
btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_HW_INT_MASK, data->hw_init_mask);
|
||||
spin_unlock(&data->irq_lock);
|
||||
}
|
||||
|
||||
static void btintel_pcie_enable_interrupts(struct btintel_pcie_data *data)
|
||||
{
|
||||
spin_lock(&data->irq_lock);
|
||||
btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_FH_INT_MASK, ~data->fh_init_mask);
|
||||
btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_HW_INT_MASK, ~data->hw_init_mask);
|
||||
spin_unlock(&data->irq_lock);
|
||||
}
|
||||
|
||||
static void btintel_pcie_synchronize_irqs(struct btintel_pcie_data *data)
|
||||
{
|
||||
for (int i = 0; i < data->alloc_vecs; i++)
|
||||
synchronize_irq(data->msix_entries[i].vector);
|
||||
}
|
||||
|
||||
static int btintel_pcie_setup_internal(struct hci_dev *hdev)
|
||||
{
|
||||
struct btintel_pcie_data *data = hci_get_drvdata(hdev);
|
||||
|
|
@ -2152,6 +2174,8 @@ static int btintel_pcie_setup(struct hci_dev *hdev)
|
|||
bt_dev_err(hdev, "Firmware download retry count: %d",
|
||||
fw_dl_retry);
|
||||
btintel_pcie_dump_debug_registers(hdev);
|
||||
btintel_pcie_disable_interrupts(data);
|
||||
btintel_pcie_synchronize_irqs(data);
|
||||
err = btintel_pcie_reset_bt(data);
|
||||
if (err) {
|
||||
bt_dev_err(hdev, "Failed to do shr reset: %d", err);
|
||||
|
|
@ -2159,6 +2183,7 @@ static int btintel_pcie_setup(struct hci_dev *hdev)
|
|||
}
|
||||
usleep_range(10000, 12000);
|
||||
btintel_pcie_reset_ia(data);
|
||||
btintel_pcie_enable_interrupts(data);
|
||||
btintel_pcie_config_msix(data);
|
||||
err = btintel_pcie_enable_bt(data);
|
||||
if (err) {
|
||||
|
|
@ -2291,6 +2316,12 @@ static void btintel_pcie_remove(struct pci_dev *pdev)
|
|||
|
||||
data = pci_get_drvdata(pdev);
|
||||
|
||||
btintel_pcie_disable_interrupts(data);
|
||||
|
||||
btintel_pcie_synchronize_irqs(data);
|
||||
|
||||
flush_work(&data->rx_work);
|
||||
|
||||
btintel_pcie_reset_bt(data);
|
||||
for (int i = 0; i < data->alloc_vecs; i++) {
|
||||
struct msix_entry *msix_entry;
|
||||
|
|
@ -2303,8 +2334,6 @@ static void btintel_pcie_remove(struct pci_dev *pdev)
|
|||
|
||||
btintel_pcie_release_hdev(data);
|
||||
|
||||
flush_work(&data->rx_work);
|
||||
|
||||
destroy_workqueue(data->workqueue);
|
||||
|
||||
btintel_pcie_free(data);
|
||||
|
|
|
|||
|
|
@ -2392,10 +2392,17 @@ static int qca_serdev_probe(struct serdev_device *serdev)
|
|||
*/
|
||||
qcadev->bt_power->pwrseq = devm_pwrseq_get(&serdev->dev,
|
||||
"bluetooth");
|
||||
if (IS_ERR(qcadev->bt_power->pwrseq))
|
||||
return PTR_ERR(qcadev->bt_power->pwrseq);
|
||||
|
||||
break;
|
||||
/*
|
||||
* Some modules have BT_EN enabled via a hardware pull-up,
|
||||
* meaning it is not defined in the DTS and is not controlled
|
||||
* through the power sequence. In such cases, fall through
|
||||
* to follow the legacy flow.
|
||||
*/
|
||||
if (IS_ERR(qcadev->bt_power->pwrseq))
|
||||
qcadev->bt_power->pwrseq = NULL;
|
||||
else
|
||||
break;
|
||||
}
|
||||
fallthrough;
|
||||
case QCA_WCN3950:
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@
|
|||
#include <linux/idr.h>
|
||||
#include <linux/leds.h>
|
||||
#include <linux/rculist.h>
|
||||
#include <linux/srcu.h>
|
||||
|
||||
#include <net/bluetooth/hci.h>
|
||||
#include <net/bluetooth/hci_drv.h>
|
||||
|
|
@ -347,6 +348,7 @@ struct adv_monitor {
|
|||
|
||||
struct hci_dev {
|
||||
struct list_head list;
|
||||
struct srcu_struct srcu;
|
||||
struct mutex lock;
|
||||
|
||||
struct ida unset_handle_ida;
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ static DEFINE_IDA(hci_index_ida);
|
|||
|
||||
/* Get HCI device by index.
|
||||
* Device is held on return. */
|
||||
struct hci_dev *hci_dev_get(int index)
|
||||
static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
|
||||
{
|
||||
struct hci_dev *hdev = NULL, *d;
|
||||
|
||||
|
|
@ -77,6 +77,8 @@ struct hci_dev *hci_dev_get(int index)
|
|||
list_for_each_entry(d, &hci_dev_list, list) {
|
||||
if (d->id == index) {
|
||||
hdev = hci_dev_hold(d);
|
||||
if (srcu_index)
|
||||
*srcu_index = srcu_read_lock(&d->srcu);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
|
@ -84,6 +86,22 @@ struct hci_dev *hci_dev_get(int index)
|
|||
return hdev;
|
||||
}
|
||||
|
||||
struct hci_dev *hci_dev_get(int index)
|
||||
{
|
||||
return __hci_dev_get(index, NULL);
|
||||
}
|
||||
|
||||
static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
|
||||
{
|
||||
return __hci_dev_get(index, srcu_index);
|
||||
}
|
||||
|
||||
static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
|
||||
{
|
||||
srcu_read_unlock(&hdev->srcu, srcu_index);
|
||||
hci_dev_put(hdev);
|
||||
}
|
||||
|
||||
/* ---- Inquiry support ---- */
|
||||
|
||||
bool hci_discovery_active(struct hci_dev *hdev)
|
||||
|
|
@ -568,9 +586,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev)
|
|||
int hci_dev_reset(__u16 dev)
|
||||
{
|
||||
struct hci_dev *hdev;
|
||||
int err;
|
||||
int err, srcu_index;
|
||||
|
||||
hdev = hci_dev_get(dev);
|
||||
hdev = hci_dev_get_srcu(dev, &srcu_index);
|
||||
if (!hdev)
|
||||
return -ENODEV;
|
||||
|
||||
|
|
@ -592,7 +610,7 @@ int hci_dev_reset(__u16 dev)
|
|||
err = hci_dev_do_reset(hdev);
|
||||
|
||||
done:
|
||||
hci_dev_put(hdev);
|
||||
hci_dev_put_srcu(hdev, srcu_index);
|
||||
return err;
|
||||
}
|
||||
|
||||
|
|
@ -2433,6 +2451,11 @@ struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
|
|||
if (!hdev)
|
||||
return NULL;
|
||||
|
||||
if (init_srcu_struct(&hdev->srcu)) {
|
||||
kfree(hdev);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
|
||||
hdev->esco_type = (ESCO_HV1);
|
||||
hdev->link_mode = (HCI_LM_ACCEPT);
|
||||
|
|
@ -2678,6 +2701,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
|
|||
list_del(&hdev->list);
|
||||
write_unlock(&hci_dev_list_lock);
|
||||
|
||||
synchronize_srcu(&hdev->srcu);
|
||||
cleanup_srcu_struct(&hdev->srcu);
|
||||
|
||||
disable_work_sync(&hdev->rx_work);
|
||||
disable_work_sync(&hdev->cmd_work);
|
||||
disable_work_sync(&hdev->tx_work);
|
||||
|
|
|
|||
|
|
@ -3415,7 +3415,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
|
|||
struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
|
||||
struct l2cap_conf_efs efs;
|
||||
u8 remote_efs = 0;
|
||||
u16 mtu = L2CAP_DEFAULT_MTU;
|
||||
u16 mtu = 0;
|
||||
u16 result = L2CAP_CONF_SUCCESS;
|
||||
u16 size;
|
||||
|
||||
|
|
@ -3520,6 +3520,13 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
|
|||
/* Configure output options and let the other side know
|
||||
* which ones we don't like. */
|
||||
|
||||
/* If MTU is not provided in configure request, use the most recently
|
||||
* explicitly or implicitly accepted value for the other direction,
|
||||
* or the default value.
|
||||
*/
|
||||
if (mtu == 0)
|
||||
mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;
|
||||
|
||||
if (mtu < L2CAP_DEFAULT_MIN_MTU)
|
||||
result = L2CAP_CONF_UNACCEPT;
|
||||
else {
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user