Commit 2412591c authored by Jakub Kicinski's avatar Jakub Kicinski
Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - hci_core: Rework hci_dev_do_reset() to use hci_sync functions
 - hci_conn: Fix memory leak in hci_le_big_terminate()
 - hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
 - hci_sync: Reset device counters in hci_dev_close_sync()
 - hci_sync: fix UAF in hci_le_create_cis_sync
 - L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
 - L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
 - L2CAP: use chan timer to close channels in cleanup_listen()
 - L2CAP: clear chan->ident on ECRED reconfiguration success
 - ISO: fix UAF in iso_recv_frame
 - ISO: serialize iso_sock_clear_timer with socket lock
 - HIDP: fix missing length checks in hidp_input_report()
 - 6lowpan: check skb_clone() return value in send_mcast_pkt()
 - btusb: Allow firmware re-download when version matches
 - hci_qca: Use 100 ms SSR delay for rampatch and NVM loading

* tag 'for-net-2026-05-28' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
  Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
  Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
  Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
  Bluetooth: ISO: fix UAF in iso_recv_frame
  Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
  Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
  Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading
  Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
  Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
  Bluetooth: btusb: Allow firmware re-download when version matches
  Bluetooth: HIDP: fix missing length checks in hidp_input_report()
  Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
  Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
  Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
====================

Link: https://patch.msgid.link/20260528131839.462344-1-luiz.dentz@gmail.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents f14fe639 cdf88b35
+7 −1
@@ -3540,7 +3540,13 @@ static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
		    "firmware rome 0x%x build 0x%x",
		    rver_rom, rver_patch, ver_rom, ver_patch);

	if (rver_rom != ver_rom || rver_patch <= ver_patch) {
	/* Allow rampatch when the patch version equals the firmware version.
	 * A firmware download may be aborted by a transient USB error (e.g.
	 * disconnect) after the controller updates version info but before
	 * completion.
	 * Allowing equal versions enables re-flashing during recovery.
	 */
	if (rver_rom != ver_rom || rver_patch < ver_patch) {
		bt_dev_err(hdev, "rampatch file version did not match with firmware");
		err = -EINVAL;
		goto done;
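Review bot: With `rver_patch == ver_patch` now accepted by the new `if`, a rampatch download whose version equals the running firmware proceeds without any trace in the log, so a recovery re-flash after an aborted download is indistinguishable from a first download when diagnosing repeated flashes. A debug line ahead of the download, e.g. `if (rver_patch == ver_patch) bt_dev_dbg(hdev, "rampatch version matches firmware, re-downloading");`, would make that path visible. The new comment rests on the claim that the controller publishes the version before the download completes; if a separate patch-updated status is what gates this call in the caller, naming it in the comment would help the next reader, since that cannot be confirmed from the hunk. btusb_setup_qca_load_rampatch starts and ends outside the hunk.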
+2 −2
@@ -1680,8 +1680,8 @@ static void qca_hw_error(struct hci_dev *hdev, u8 code)
		mod_timer(&qca->tx_idle_timer, jiffies +
				  msecs_to_jiffies(qca->tx_idle_delay));

		/* Controller reset completion time is 50ms */
		msleep(50);
		/* Wait for the controller to load the rampatch and NVM. */
		msleep(100);

		clear_bit(QCA_SSR_TRIGGERED, &qca->flags);
		clear_bit(QCA_IBS_DISABLED, &qca->flags);
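Review bot: The new wait at `msleep(100);` is a bare magic number, and the replacement comment no longer says where the figure comes from, whereas the old comment tied 50 ms to the controller reset completion time. Hoisting the value into a named constant (a name such as `QCA_SSR_DELAY_MS` is only a suggestion) and extending the comment to `/* SSR delay: give the controller time to load the rampatch and NVM. */` keeps the rationale next to the value. qca_hw_error starts and ends outside the hunk.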
+2 −0
@@ -486,6 +486,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
			int ret;

			local_skb = skb_clone(skb, GFP_ATOMIC);
			if (!local_skb)
				continue;

			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
			       netdev->name,
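Review bot: The new `continue` on `skb_clone()` failure silently skips that peer, so a multicast packet can be partially delivered with nothing recorded; a short comment would make the choice explicit, e.g. `/* Allocation failure: skip this peer rather than fail the whole multicast send. */`. If this device keeps per-netdev statistics, counting the skipped transmit (for instance via `netdev->stats.tx_dropped`) would make such drops observable, but that should be checked against how the rest of send_mcast_pkt accounts failures. The function starts and ends outside the hunk.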
+3 −1
@@ -870,8 +870,10 @@ static int hci_le_big_terminate(struct hci_dev *hdev, struct hci_conn *conn)
			d->big_sync_term = true;
	}

	if (!d->pa_sync_term && !d->big_sync_term)
	if (!d->pa_sync_term && !d->big_sync_term) {
		kfree(d);
		return 0;
	}

	ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
				 terminate_big_destroy);
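Review bot: The early-return block now frees `d` when neither sync-termination flag is set, which closes the leak, but nothing in the hunk records who owns `d` on the other path; a comment above the new braces such as `/* Nothing to queue: release d here; once queued, the destroy callback is expected to release it. */` would document the ownership split, worded as an expectation because terminate_big_destroy() is not visible here. It is also worth confirming that the `hci_cmd_sync_queue()` failure path below the hunk frees `d` when a rejected submission never invokes the destroy callback. hci_le_big_terminate starts and ends outside the hunk.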
+3 −40
@@ -539,46 +539,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev)

	hci_req_sync_lock(hdev);

	/* Drop queues */
	skb_queue_purge(&hdev->rx_q);
	skb_queue_purge(&hdev->cmd_q);

	/* Cancel these to avoid queueing non-chained pending work */
	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
	/* Wait for
	 *
	 *    if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
	 *        queue_delayed_work(&hdev->{cmd,ncmd}_timer)
	 *
	 * inside RCU section to see the flag or complete scheduling.
	 */
	synchronize_rcu();
	/* Explicitly cancel works in case scheduled after setting the flag. */
	cancel_delayed_work(&hdev->cmd_timer);
	cancel_delayed_work(&hdev->ncmd_timer);

	/* Avoid potential lockdep warnings from the *_flush() calls by
	 * ensuring the workqueue is empty up front.
	 */
	drain_workqueue(hdev->workqueue);

	hci_dev_lock(hdev);
	hci_inquiry_cache_flush(hdev);
	hci_conn_hash_flush(hdev);
	hci_dev_unlock(hdev);

	if (hdev->flush)
		hdev->flush(hdev);

	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);

	atomic_set(&hdev->cmd_cnt, 1);
	hdev->acl_cnt = 0;
	hdev->sco_cnt = 0;
	hdev->le_cnt = 0;
	hdev->iso_cnt = 0;

	ret = hci_reset_sync(hdev);
	ret = hci_dev_close_sync(hdev);
	if (!ret)
		ret = hci_dev_open_sync(hdev);

	hci_req_sync_unlock(hdev);
	return ret;
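Review bot: The rewritten body at `ret = hci_dev_close_sync(hdev);` followed by `hci_dev_open_sync(hdev)` gives hci_dev_do_reset a failure mode the removed inline reset did not have: if the close succeeds but the reopen fails, the device is left down and only the open error is returned. A comment above the two calls, e.g. `/* Reset is close + reopen; a failed reopen leaves the device down and returns that error. */`, records this for callers, assuming hci_dev_open_sync() does not itself recover on failure (not visible here). The queue purge, workqueue drain, flush and counter reset the old body did inline are, per the pull request summary, now performed inside hci_dev_close_sync(), so the new body relies on that ordering holding in the close path. The function's closing brace is outside the hunk.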