Commit f61060fb authored by Jakub Kicinski's avatar Jakub Kicinski
Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
 - hci_conn: Fix UAF in hci_enhanced_setup_sync
 - btusb: Don't fail external suspend requests

* tag 'for-net-2024-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: btusb: Don't fail external suspend requests
  Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
  Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
====================

Link: https://patch.msgid.link/20241004210124.4010321-1-luiz.dentz@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 83211ae1 61071229
+18 −2
@@ -4038,16 +4038,29 @@ static void btusb_disconnect(struct usb_interface *intf)
static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
{
	struct btusb_data *data = usb_get_intfdata(intf);
	int err;

	BT_DBG("intf %p", intf);

	/* Don't suspend if there are connections */
	if (hci_conn_count(data->hdev))
	/* Don't auto-suspend if there are connections; external suspend calls
	 * shall never fail.
	 */
	if (PMSG_IS_AUTO(message) && hci_conn_count(data->hdev))
		return -EBUSY;

	if (data->suspend_count++)
		return 0;

	/* Notify Host stack to suspend; this has to be done before stopping
	 * the traffic since the hci_suspend_dev itself may generate some
	 * traffic.
	 */
	err = hci_suspend_dev(data->hdev);
	if (err) {
		data->suspend_count--;
		return err;
	}

	spin_lock_irq(&data->txlock);
	if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
		set_bit(BTUSB_SUSPENDING, &data->flags);
@@ -4055,6 +4068,7 @@ static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
	} else {
		spin_unlock_irq(&data->txlock);
		data->suspend_count--;
		hci_resume_dev(data->hdev);
		return -EBUSY;
	}

@@ -4175,6 +4189,8 @@ static int btusb_resume(struct usb_interface *intf)
	spin_unlock_irq(&data->txlock);
	schedule_work(&data->work);

	hci_resume_dev(data->hdev);

	return 0;

failed:
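Review bot: The new comment in btusb_suspend says external suspend calls shall never fail, but the `hci_suspend_dev(data->hdev)` block added a few lines below it returns `err` for every message type, so a non-auto suspend can still get an error out of this function. If that is intended, the comment should say that only the connection check is skipped, for example `/* Don't auto-suspend if there are connections; external suspends skip this check but still see hci_suspend_dev() errors. */`. In btusb_resume the added `hci_resume_dev(data->hdev)` sits on the success path only. The body of the `failed:` label is outside the hunk, so it is worth confirming that a failed resume does not leave the host stack marked suspended.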
+3 −0
@@ -289,6 +289,9 @@ static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)

	kfree(conn_handle);

	if (!hci_conn_valid(hdev, conn))
		return -ECANCELED;

	bt_dev_dbg(hdev, "hcon %p", conn);

	configure_datapath_sync(hdev, &conn->codec);
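Review bot: Nothing visible in this hunk keeps `conn` alive between the new `hci_conn_valid(hdev, conn)` check and the `conn->codec` dereference two lines later, so the check only closes the use-after-free if this callback is serialised against connection teardown. The function starts and ends outside the hunk, so a lock or a held reference may exist that is not shown here. If so, a comment at the check should name it, for example `/* conn may have been freed while this work was queued; <lock or reference> keeps it valid from here on */`. If neither exists, the window is narrowed rather than closed, and holding a reference on `conn` for the rest of the function would be the safer form.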
+0 −2
@@ -865,9 +865,7 @@ static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned lon

	if (err == -ENOIOCTLCMD) {
#ifdef CONFIG_BT_RFCOMM_TTY
		lock_sock(sk);
		err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
		release_sock(sk);
#else
		err = -EOPNOTSUPP;
#endif