mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-01 10:45:49 +00:00
bluetooth pull request for net:
- SCO: remove the redundant sco_conn_put - MGMT: Fix slab-use-after-free Read in set_powered_sync - MGMT: Fix possible deadlocks -----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmdF/DsZHGx1aXoudm9u LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKV7+D/9sNNnl5y8ZFh/QCbH5pFBb PZfCJlawOaRnJn8PgmQd8UJW/QexJ2J6YrmdXo3Hf4+kDFp7eS2zr2szlWtzv7HD JJ1ApQVu5XwJt2I5GHvayj7HusFNcQ/Ub5Px3F8gW0vjNhqgj7Nq8D7XQjr4D9O6 9SOlidpdda4ZU+dm8BZhA0WWT+169wlTXplJ82W8OPPYITw+jdLuZxH4+m/Klc3F d+lqVbfn5oqvWj4mjszFz6ngyHi3iysOOqQEHnSTaEx33C1kxbuz8eTJxk6LXASq lIUesg2h8CP3gaYmn5qATaZRCAW59nMG/1HEAH4fDjrrhQotN9XHBSrZqpsAZEwl 16u2b6iODoEqAwCL82HJl9jA4nVCwRGxYBP0zvd0Fag19l0JdRBIyl5Jm9m2XzUP o50eYx7AnpJgEpIYB+g0Jdvj0ourWbtAU5aENcjnMXSH4XnO+o93dpFKdgC8EOgn vWkOhsCy0H3/OY4ANDq4rslbxQXJvP8G0h98265Jof8qaUrHqcAwO1NXx1yqqwwk xbKd0cO1UUQb0A8n14sbwysvKH/KzZ7n0qJjPIkGaUQWD1t8DGI1jAH2cA4zH7JJ PvJyZsbHGU5vvv7W3ntCMQPNUglFGdWhcqCjiSNUOquojWCzHBG6CfIO8B5aDUiI fsfSjFnAcIPZXuxjuyRc2A== =m8Sx -----END PGP SIGNATURE----- Merge tag 'for-net-2024-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - SCO: remove the redundant sco_conn_put - MGMT: Fix slab-use-after-free Read in set_powered_sync - MGMT: Fix possible deadlocks * tag 'for-net-2024-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: SCO: remove the redundant sco_conn_put Bluetooth: MGMT: Fix possible deadlocks Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync ==================== Link: https://patch.msgid.link/20241126165149.899213-1-luiz.dentz@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
commit
8d5c1b8c3e
@ -1318,7 +1318,8 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
|
||||
struct mgmt_mode *cp;
|
||||
|
||||
/* Make sure cmd still outstanding. */
|
||||
if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
|
||||
return;
|
||||
|
||||
cp = cmd->param;
|
||||
@ -1351,7 +1352,13 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
|
||||
static int set_powered_sync(struct hci_dev *hdev, void *data)
|
||||
{
|
||||
struct mgmt_pending_cmd *cmd = data;
|
||||
struct mgmt_mode *cp = cmd->param;
|
||||
struct mgmt_mode *cp;
|
||||
|
||||
/* Make sure cmd still outstanding. */
|
||||
if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
|
||||
return -ECANCELED;
|
||||
|
||||
cp = cmd->param;
|
||||
|
||||
BT_DBG("%s", hdev->name);
|
||||
|
||||
@ -1511,7 +1518,8 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
|
||||
bt_dev_dbg(hdev, "err %d", err);
|
||||
|
||||
/* Make sure cmd still outstanding. */
|
||||
if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
|
||||
return;
|
||||
|
||||
hci_dev_lock(hdev);
|
||||
@ -1685,7 +1693,8 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
|
||||
bt_dev_dbg(hdev, "err %d", err);
|
||||
|
||||
/* Make sure cmd still outstanding. */
|
||||
if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
|
||||
return;
|
||||
|
||||
hci_dev_lock(hdev);
|
||||
@ -1917,7 +1926,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
|
||||
bool changed;
|
||||
|
||||
/* Make sure cmd still outstanding. */
|
||||
if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
|
||||
if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev))
|
||||
return;
|
||||
|
||||
if (err) {
|
||||
@ -3841,7 +3850,8 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err)
|
||||
|
||||
bt_dev_dbg(hdev, "err %d", err);
|
||||
|
||||
if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
|
||||
return;
|
||||
|
||||
if (status) {
|
||||
@ -4016,7 +4026,8 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
|
||||
struct sk_buff *skb = cmd->skb;
|
||||
u8 status = mgmt_status(err);
|
||||
|
||||
if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
|
||||
return;
|
||||
|
||||
if (!status) {
|
||||
@ -5907,13 +5918,16 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
|
||||
{
|
||||
struct mgmt_pending_cmd *cmd = data;
|
||||
|
||||
bt_dev_dbg(hdev, "err %d", err);
|
||||
|
||||
if (err == -ECANCELED)
|
||||
return;
|
||||
|
||||
if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
|
||||
cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
|
||||
cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
|
||||
return;
|
||||
|
||||
bt_dev_dbg(hdev, "err %d", err);
|
||||
|
||||
mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
|
||||
cmd->param, 1);
|
||||
mgmt_pending_remove(cmd);
|
||||
@ -6146,7 +6160,8 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
|
||||
{
|
||||
struct mgmt_pending_cmd *cmd = data;
|
||||
|
||||
if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
|
||||
return;
|
||||
|
||||
bt_dev_dbg(hdev, "err %d", err);
|
||||
@ -8137,7 +8152,8 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
|
||||
u8 status = mgmt_status(err);
|
||||
u16 eir_len;
|
||||
|
||||
if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
|
||||
if (err == -ECANCELED ||
|
||||
cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
|
||||
return;
|
||||
|
||||
if (!status) {
|
||||
|
@ -143,6 +143,7 @@ static void sco_sock_timeout(struct work_struct *work)
|
||||
sco_conn_lock(conn);
|
||||
if (!conn->hcon) {
|
||||
sco_conn_unlock(conn);
|
||||
sco_conn_put(conn);
|
||||
return;
|
||||
}
|
||||
sk = sco_sock_hold(conn);
|
||||
@ -192,7 +193,6 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
|
||||
conn->hcon = hcon;
|
||||
sco_conn_unlock(conn);
|
||||
}
|
||||
sco_conn_put(conn);
|
||||
return conn;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user