Commit 1fd26729 authored by Paolo Abeni's avatar Paolo Abeni
Browse files

Merge tag 'for-net-2025-06-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - L2CAP: Fix L2CAP MTU negotiation
 - hci_core: Fix use-after-free in vhci_flush()
 - btintel_pcie: Fix potential race condition in firmware download
 - hci_qca: fix unable to load the BT driver

* tag 'for-net-2025-06-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: hci_core: Fix use-after-free in vhci_flush()
  driver: bluetooth: hci_qca:fix unable to load the BT driver
  Bluetooth: L2CAP: Fix L2CAP MTU negotiation
  Bluetooth: btintel_pcie: Fix potential race condition in firmware download
====================

Link: https://patch.msgid.link/20250623165405.227619-1-luiz.dentz@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents c3f42938 1d612310

drivers/bluetooth/btintel_pcie.c

+31 −2
Original line number Diff line number Diff line
@@ -2033,6 +2033,28 @@ static void btintel_pcie_release_hdev(struct btintel_pcie_data *data) 
	data->hdev = NULL;

}



static void btintel_pcie_disable_interrupts(struct btintel_pcie_data *data)

{

	spin_lock(&data->irq_lock);

	btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_FH_INT_MASK, data->fh_init_mask);

	btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_HW_INT_MASK, data->hw_init_mask);

	spin_unlock(&data->irq_lock);

}



static void btintel_pcie_enable_interrupts(struct btintel_pcie_data *data)

{

	spin_lock(&data->irq_lock);

	btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_FH_INT_MASK, ~data->fh_init_mask);

	btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_MSIX_HW_INT_MASK, ~data->hw_init_mask);

	spin_unlock(&data->irq_lock);

}



static void btintel_pcie_synchronize_irqs(struct btintel_pcie_data *data)

{

	for (int i = 0; i < data->alloc_vecs; i++)

		synchronize_irq(data->msix_entries[i].vector);

}



static int btintel_pcie_setup_internal(struct hci_dev *hdev)

{

	struct btintel_pcie_data *data = hci_get_drvdata(hdev);
@@ -2152,6 +2174,8 @@ static int btintel_pcie_setup(struct hci_dev *hdev) 
		bt_dev_err(hdev, "Firmware download retry count: %d",

			   fw_dl_retry);

		btintel_pcie_dump_debug_registers(hdev);

		btintel_pcie_disable_interrupts(data);

		btintel_pcie_synchronize_irqs(data);

		err = btintel_pcie_reset_bt(data);

		if (err) {

			bt_dev_err(hdev, "Failed to do shr reset: %d", err);
@@ -2159,6 +2183,7 @@ static int btintel_pcie_setup(struct hci_dev *hdev) 
		}

		usleep_range(10000, 12000);

		btintel_pcie_reset_ia(data);

		btintel_pcie_enable_interrupts(data);

		btintel_pcie_config_msix(data);

		err = btintel_pcie_enable_bt(data);

		if (err) {
@@ -2291,6 +2316,12 @@ static void btintel_pcie_remove(struct pci_dev *pdev) 


	data = pci_get_drvdata(pdev);



	btintel_pcie_disable_interrupts(data);



	btintel_pcie_synchronize_irqs(data);



	flush_work(&data->rx_work);



	btintel_pcie_reset_bt(data);

	for (int i = 0; i < data->alloc_vecs; i++) {

		struct msix_entry *msix_entry;
@@ -2303,8 +2334,6 @@ static void btintel_pcie_remove(struct pci_dev *pdev) 


	btintel_pcie_release_hdev(data);



	flush_work(&data->rx_work);



	destroy_workqueue(data->workqueue);



	btintel_pcie_free(data);

drivers/bluetooth/hci_qca.c

+10 −3
Original line number Diff line number Diff line
@@ -2392,9 +2392,16 @@ static int qca_serdev_probe(struct serdev_device *serdev) 
			 */

			qcadev->bt_power->pwrseq = devm_pwrseq_get(&serdev->dev,

								   "bluetooth");

			if (IS_ERR(qcadev->bt_power->pwrseq))

				return PTR_ERR(qcadev->bt_power->pwrseq);



			/*

			 * Some modules have BT_EN enabled via a hardware pull-up,

			 * meaning it is not defined in the DTS and is not controlled

			 * through the power sequence. In such cases, fall through

			 * to follow the legacy flow.

			 */

			if (IS_ERR(qcadev->bt_power->pwrseq))

				qcadev->bt_power->pwrseq = NULL;

			else

				break;

		}

		fallthrough;

include/net/bluetooth/hci_core.h

+2 −0
Original line number Diff line number Diff line
@@ -29,6 +29,7 @@ 
#include <linux/idr.h>

#include <linux/leds.h>

#include <linux/rculist.h>

#include <linux/srcu.h>



#include <net/bluetooth/hci.h>

#include <net/bluetooth/hci_drv.h>
@@ -347,6 +348,7 @@ struct adv_monitor { 


struct hci_dev {

	struct list_head list;

	struct srcu_struct srcu;

	struct mutex	lock;



	struct ida	unset_handle_ida;

net/bluetooth/hci_core.c

+30 −4
Original line number Diff line number Diff line
@@ -64,7 +64,7 @@ static DEFINE_IDA(hci_index_ida); 


/* Get HCI device by index.

 * Device is held on return. */

struct hci_dev *hci_dev_get(int index)

static struct hci_dev *__hci_dev_get(int index, int *srcu_index)

{

	struct hci_dev *hdev = NULL, *d;
@@ -77,6 +77,8 @@ struct hci_dev *hci_dev_get(int index) 
	list_for_each_entry(d, &hci_dev_list, list) {

		if (d->id == index) {

			hdev = hci_dev_hold(d);

			if (srcu_index)

				*srcu_index = srcu_read_lock(&d->srcu);

			break;

		}

	}
@@ -84,6 +86,22 @@ struct hci_dev *hci_dev_get(int index) 
	return hdev;

}



struct hci_dev *hci_dev_get(int index)

{

	return __hci_dev_get(index, NULL);

}



static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)

{

	return __hci_dev_get(index, srcu_index);

}



static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)

{

	srcu_read_unlock(&hdev->srcu, srcu_index);

	hci_dev_put(hdev);

}



/* ---- Inquiry support ---- */



bool hci_discovery_active(struct hci_dev *hdev)
@@ -568,9 +586,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev) 
int hci_dev_reset(__u16 dev)

{

	struct hci_dev *hdev;

	int err;

	int err, srcu_index;



	hdev = hci_dev_get(dev);

	hdev = hci_dev_get_srcu(dev, &srcu_index);

	if (!hdev)

		return -ENODEV;
@@ -592,7 +610,7 @@ int hci_dev_reset(__u16 dev) 
	err = hci_dev_do_reset(hdev);



done:

	hci_dev_put(hdev);

	hci_dev_put_srcu(hdev, srcu_index);

	return err;

}
@@ -2433,6 +2451,11 @@ struct hci_dev *hci_alloc_dev_priv(int sizeof_priv) 
	if (!hdev)

		return NULL;



	if (init_srcu_struct(&hdev->srcu)) {

		kfree(hdev);

		return NULL;

	}



	hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);

	hdev->esco_type = (ESCO_HV1);

	hdev->link_mode = (HCI_LM_ACCEPT);
@@ -2678,6 +2701,9 @@ void hci_unregister_dev(struct hci_dev *hdev) 
	list_del(&hdev->list);

	write_unlock(&hci_dev_list_lock);



	synchronize_srcu(&hdev->srcu);

	cleanup_srcu_struct(&hdev->srcu);



	disable_work_sync(&hdev->rx_work);

	disable_work_sync(&hdev->cmd_work);

	disable_work_sync(&hdev->tx_work);

net/bluetooth/l2cap_core.c

+8 −1
Original line number Diff line number Diff line
@@ -3415,7 +3415,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data 
	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };

	struct l2cap_conf_efs efs;

	u8 remote_efs = 0;

	u16 mtu = L2CAP_DEFAULT_MTU;

	u16 mtu = 0;

	u16 result = L2CAP_CONF_SUCCESS;

	u16 size;
@@ -3520,6 +3520,13 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data 
		/* Configure output options and let the other side know

		 * which ones we don't like. */



		/* If MTU is not provided in configure request, use the most recently

		 * explicitly or implicitly accepted value for the other direction,

		 * or the default value.

		 */

		if (mtu == 0)

			mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;



		if (mtu < L2CAP_DEFAULT_MIN_MTU)

			result = L2CAP_CONF_UNACCEPT;

		else {