mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-06 05:06:29 +00:00
Bluetooth: hci_conn: Fix modifying handle while aborting
This introduces hci_conn_set_handle which takes care of verifying the conditions where the hci_conn handle can be modified, including when hci_conn_abort has been called and also checks that the handles is valid as well. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
parent
b7f923b1ef
commit
16e3b64291
@ -1425,6 +1425,7 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role);
|
||||
void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active);
|
||||
|
||||
void hci_conn_failed(struct hci_conn *conn, u8 status);
|
||||
u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle);
|
||||
|
||||
/*
|
||||
* hci_conn_get() and hci_conn_put() are used to control the life-time of an
|
||||
|
@ -1231,6 +1231,33 @@ void hci_conn_failed(struct hci_conn *conn, u8 status)
|
||||
hci_conn_del(conn);
|
||||
}
|
||||
|
||||
/* This function requires the caller holds hdev->lock */
|
||||
u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
|
||||
{
|
||||
struct hci_dev *hdev = conn->hdev;
|
||||
|
||||
bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
|
||||
|
||||
if (conn->handle == handle)
|
||||
return 0;
|
||||
|
||||
if (handle > HCI_CONN_HANDLE_MAX) {
|
||||
bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
|
||||
handle, HCI_CONN_HANDLE_MAX);
|
||||
return HCI_ERROR_INVALID_PARAMETERS;
|
||||
}
|
||||
|
||||
/* If abort_reason has been sent it means the connection is being
|
||||
* aborted and the handle shall not be changed.
|
||||
*/
|
||||
if (conn->abort_reason)
|
||||
return conn->abort_reason;
|
||||
|
||||
conn->handle = handle;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
|
||||
{
|
||||
struct hci_conn *conn;
|
||||
|
@ -3179,13 +3179,9 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
|
||||
}
|
||||
|
||||
if (!status) {
|
||||
conn->handle = __le16_to_cpu(ev->handle);
|
||||
if (conn->handle > HCI_CONN_HANDLE_MAX) {
|
||||
bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
|
||||
conn->handle, HCI_CONN_HANDLE_MAX);
|
||||
status = HCI_ERROR_INVALID_PARAMETERS;
|
||||
status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
|
||||
if (status)
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (conn->type == ACL_LINK) {
|
||||
conn->state = BT_CONFIG;
|
||||
@ -3849,11 +3845,9 @@ static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
|
||||
if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
|
||||
continue;
|
||||
|
||||
conn->handle = __le16_to_cpu(rp->handle[i]);
|
||||
if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
|
||||
continue;
|
||||
|
||||
bt_dev_dbg(hdev, "%p handle 0x%4.4x parent %p", conn,
|
||||
conn->handle, conn->parent);
|
||||
|
||||
if (conn->state == BT_CONNECT)
|
||||
pending = true;
|
||||
}
|
||||
@ -5039,11 +5033,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
|
||||
|
||||
switch (status) {
|
||||
case 0x00:
|
||||
conn->handle = __le16_to_cpu(ev->handle);
|
||||
if (conn->handle > HCI_CONN_HANDLE_MAX) {
|
||||
bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
|
||||
conn->handle, HCI_CONN_HANDLE_MAX);
|
||||
status = HCI_ERROR_INVALID_PARAMETERS;
|
||||
status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
|
||||
if (status) {
|
||||
conn->state = BT_CLOSED;
|
||||
break;
|
||||
}
|
||||
@ -6978,7 +6969,7 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
|
||||
{
|
||||
struct hci_evt_le_create_big_complete *ev = data;
|
||||
struct hci_conn *conn;
|
||||
__u8 bis_idx = 0;
|
||||
__u8 i = 0;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
@ -6996,7 +6987,9 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
|
||||
conn->iso_qos.bcast.big != ev->handle)
|
||||
continue;
|
||||
|
||||
conn->handle = __le16_to_cpu(ev->bis_handle[bis_idx++]);
|
||||
if (hci_conn_set_handle(conn,
|
||||
__le16_to_cpu(ev->bis_handle[i++])))
|
||||
continue;
|
||||
|
||||
if (!ev->status) {
|
||||
conn->state = BT_CONNECTED;
|
||||
@ -7015,7 +7008,7 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
|
||||
rcu_read_lock();
|
||||
}
|
||||
|
||||
if (!ev->status && !bis_idx)
|
||||
if (!ev->status && !i)
|
||||
/* If no BISes have been connected for the BIG,
|
||||
* terminate. This is in case all bound connections
|
||||
* have been closed before the BIG creation
|
||||
|
Loading…
Reference in New Issue
Block a user