Commit bd75e100 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'for-net-2026-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - hci_conn: fix potential UAF in create_big_sync
 - hci_event: fix memset typo
 - hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
 - L2CAP: fix MPS check in l2cap_ecred_reconf_req
 - L2CAP: defer conn param update to avoid conn->lock/hdev->lock inversion
 - L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
 - L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
 - L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
 - RFCOMM: pull credit byte with skb_pull_data()
 - SCO: fix sleeping under spinlock in sco_conn_ready
 - SCO: hold sk properly in sco_conn_ready
 - ISO: Fix data-race on dst in iso_sock_connect()
 - ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths
 - bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
 - hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized
 - virtio_bt: clamp rx length before skb_put
 - virtio_bt: validate rx pkt_type header length
 - HIDP: serialise l2cap_unregister_user via hidp_session_sem
 - btintel_pcie: treat boot stage bit 12 as warning
 - btmtk: validate WMT event SKB length before struct access

* tag 'for-net-2026-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem
  Bluetooth: hci_event: fix memset typo
  Bluetooth: RFCOMM: pull credit byte with skb_pull_data()
  Bluetooth: virtio_bt: validate rx pkt_type header length
  Bluetooth: virtio_bt: clamp rx length before skb_put
  Bluetooth: btmtk: validate WMT event SKB length before struct access
  Bluetooth: ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths
  Bluetooth: ISO: Fix data-race on dst in iso_sock_connect()
  Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized
  Bluetooth: btintel_pcie: treat boot stage bit 12 as warning
  Bluetooth: SCO: hold sk properly in sco_conn_ready
  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
  Bluetooth: l2cap: defer conn param update to avoid conn->lock/hdev->lock inversion
  Bluetooth: l2cap: fix MPS check in l2cap_ecred_reconf_req
  Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
  Bluetooth: hci_conn: fix potential UAF in create_big_sync
  Bluetooth: SCO: fix sleeping under spinlock in sco_conn_ready
====================

Link: https://patch.msgid.link/20260506204553.58686-1-luiz.dentz@gmail.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents b89e0100 c5d41559

drivers/bluetooth/btintel_pcie.c

+10 −3
Original line number Diff line number Diff line
@@ -289,6 +289,9 @@ static inline void btintel_pcie_dump_debug_registers(struct hci_dev *hdev) 
	skb_put_data(skb, buf, strlen(buf));

	data->boot_stage_cache = reg;



	if (reg & BTINTEL_PCIE_CSR_BOOT_STAGE_DEVICE_WARNING)

		bt_dev_warn(hdev, "Controller device warning (boot_stage: 0x%8.8x)", reg);



	reg = btintel_pcie_rd_reg32(data, BTINTEL_PCIE_CSR_IPC_STATUS_REG);

	snprintf(buf, sizeof(buf), "ipc status: 0x%8.8x", reg);

	skb_put_data(skb, buf, strlen(buf));
@@ -880,8 +883,11 @@ static inline bool btintel_pcie_in_lockdown(struct btintel_pcie_data *data) 


static inline bool btintel_pcie_in_error(struct btintel_pcie_data *data)

{

	return (data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_DEVICE_ERR) ||

		(data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_ABORT_HANDLER);

	if (data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_DEVICE_WARNING)

		bt_dev_warn(data->hdev, "Controller device warning (boot_stage: 0x%8.8x)",

			    data->boot_stage_cache);



	return	data->boot_stage_cache & BTINTEL_PCIE_CSR_BOOT_STAGE_ABORT_HANDLER;

}



static void btintel_pcie_msix_gp1_handler(struct btintel_pcie_data *data)
@@ -914,7 +920,8 @@ static void btintel_pcie_msix_gp0_handler(struct btintel_pcie_data *data) 
		data->img_resp_cache = reg;



	if (btintel_pcie_in_error(data)) {

		bt_dev_err(data->hdev, "Controller in error state");

		bt_dev_err(data->hdev, "Controller in error state (boot_stage: 0x%8.8x)",

			   data->boot_stage_cache);

		btintel_pcie_dump_debug_registers(data->hdev);

		return;

	}

drivers/bluetooth/btintel_pcie.h

+1 −1
Original line number Diff line number Diff line
@@ -48,7 +48,7 @@ 
#define BTINTEL_PCIE_CSR_BOOT_STAGE_OPFW		(BIT(2))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_ROM_LOCKDOWN	(BIT(10))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_IML_LOCKDOWN	(BIT(11))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_DEVICE_ERR		(BIT(12))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_DEVICE_WARNING	(BIT(12))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_ABORT_HANDLER	(BIT(13))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_DEVICE_HALTED	(BIT(14))

#define BTINTEL_PCIE_CSR_BOOT_STAGE_MAC_ACCESS_ON	(BIT(16))

drivers/bluetooth/btmtk.c

+13 −2
Original line number Diff line number Diff line
@@ -695,8 +695,13 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev, 
	if (data->evt_skb == NULL)

		goto err_free_wc;



	/* Parse and handle the return WMT event */

	wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;

	wmt_evt = skb_pull_data(data->evt_skb, sizeof(*wmt_evt));

	if (!wmt_evt) {

		bt_dev_err(hdev, "WMT event too short (%u bytes)",

			   data->evt_skb->len);

		err = -EINVAL;

		goto err_free_skb;

	}

	if (wmt_evt->whdr.op != hdr->op) {

		bt_dev_err(hdev, "Wrong op received %d expected %d",

			   wmt_evt->whdr.op, hdr->op);
@@ -712,6 +717,12 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev, 
			status = BTMTK_WMT_PATCH_DONE;

		break;

	case BTMTK_WMT_FUNC_CTRL:

		if (!skb_pull_data(data->evt_skb,

				   sizeof(wmt_evt_funcc->status))) {

			err = -EINVAL;

			goto err_free_skb;

		}



		wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;

		if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)

			status = BTMTK_WMT_ON_DONE;

drivers/bluetooth/hci_ath.c

+3 −0
Original line number Diff line number Diff line
@@ -191,6 +191,9 @@ static int ath_recv(struct hci_uart *hu, const void *data, int count) 
{

	struct ath_struct *ath = hu->priv;



	if (!ath)

		return -ENODEV;



	ath->rx_skb = h4_recv_buf(hu, ath->rx_skb, data, count,

				  ath_recv_pkts, ARRAY_SIZE(ath_recv_pkts));

	if (IS_ERR(ath->rx_skb)) {

drivers/bluetooth/hci_bcsp.c

+3 −0
Original line number Diff line number Diff line
@@ -585,6 +585,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) 
	if (!test_bit(HCI_UART_REGISTERED, &hu->flags))

		return -EUNATCH;



	if (!bcsp)

		return -ENODEV;



	BT_DBG("hu %p count %d rx_state %d rx_count %ld",

	       hu, count, bcsp->rx_state, bcsp->rx_count);