Commit f6b2f578 authored by Jakub Kicinski's avatar Jakub Kicinski
Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - hci_sync: fix not using correct handle
 - L2CAP: fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
 - L2CAP: fix connection setup in l2cap_connect

* tag 'for-net-2024-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: fix connection setup in l2cap_connect
  Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
  Bluetooth: hci_sync: Fix not using correct handle
====================

Link: https://lore.kernel.org/r/20240610135803.920662-1-luiz.dentz@gmail.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 144ba858 c695439d
+32 −4
@@ -2113,18 +2113,46 @@ static inline int hci_check_conn_params(u16 min, u16 max, u16 latency,
{
	u16 max_latency;

	if (min > max || min < 6 || max > 3200)
	if (min > max) {
		BT_WARN("min %d > max %d", min, max);
		return -EINVAL;
	}

	if (min < 6) {
		BT_WARN("min %d < 6", min);
		return -EINVAL;
	}

	if (max > 3200) {
		BT_WARN("max %d > 3200", max);
		return -EINVAL;
	}

	if (to_multiplier < 10) {
		BT_WARN("to_multiplier %d < 10", to_multiplier);
		return -EINVAL;
	}

	if (to_multiplier < 10 || to_multiplier > 3200)
	if (to_multiplier > 3200) {
		BT_WARN("to_multiplier %d > 3200", to_multiplier);
		return -EINVAL;
	}

	if (max >= to_multiplier * 8)
	if (max >= to_multiplier * 8) {
		BT_WARN("max %d >= to_multiplier %d * 8", max, to_multiplier);
		return -EINVAL;
	}

	max_latency = (to_multiplier * 4 / max) - 1;
	if (latency > 499 || latency > max_latency)
	if (latency > 499) {
		BT_WARN("latency %d > 499", latency);
		return -EINVAL;
	}

	if (latency > max_latency) {
		BT_WARN("latency %d > max_latency %d", latency, max_latency);
		return -EINVAL;
	}

	return 0;
}
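Review bot: All eight rejection paths added to hci_check_conn_params call BT_WARN unconditionally, and the l2cap_conn_param_update_req section of this same commit now passes min, max, latency and to_multiplier to it directly, values that presumably originate in a request from the remote peer. A peer that repeatedly sends out-of-range parameters could therefore fill the kernel log at warning level, which also buries other messages an operator would want to see. A rate-limited form would keep the diagnostic without that exposure, for example `bt_warn_ratelimited("min %d > max %d", min, max);` at the first check and likewise for the other seven. The checks themselves are unchanged in effect; only the logging behaviour is new.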
+1 −1
@@ -1194,7 +1194,7 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance)

	cp.own_addr_type = own_addr_type;
	cp.channel_map = hdev->le_adv_channel_map;
	cp.handle = instance;
	cp.handle = adv ? adv->handle : instance;

	if (flags & MGMT_ADV_FLAG_SEC_2M) {
		cp.primary_phy = HCI_ADV_PHY_1M;
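Review bot: The new assignment `cp.handle = adv ? adv->handle : instance;` falls back to the raw instance number whenever `adv` is NULL, but nothing in the hunk says when that case is expected. The lookup that sets `adv` lies outside the hunk, as do the start and end of hci_setup_ext_adv_instance_sync, so a reader cannot tell whether the fallback is a legitimate path or a defensive default. A short comment above the line would help, something like `/* no adv_info entry: handle is the instance number itself */`, worded to match whatever the lookup actually guarantees.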
+3 −9
@@ -4011,8 +4011,8 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
				status = L2CAP_CS_AUTHOR_PEND;
				chan->ops->defer(chan);
			} else {
				l2cap_state_change(chan, BT_CONNECT2);
				result = L2CAP_CR_PEND;
				l2cap_state_change(chan, BT_CONFIG);
				result = L2CAP_CR_SUCCESS;
				status = L2CAP_CS_NO_INFO;
			}
		} else {
@@ -4647,13 +4647,7 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,

	memset(&rsp, 0, sizeof(rsp));

	if (max > hcon->le_conn_max_interval) {
		BT_DBG("requested connection interval exceeds current bounds.");
		err = -EINVAL;
	} else {
	err = hci_check_conn_params(min, max, latency, to_multiplier);
	}

	if (err)
		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
	else