Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=docs-6.1 2022-08-09T00:06:36+00:00 2022-08-09T00:06:36+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-08-05T21:02:21+00:00 urn:sha1:1d1ab5d39be7590bb2400418877bff43da9e75ec This fixes using wrong QoS settings when attempting to send frames while acting as peripheral since the QoS settings in use are stored in hconn->iso_qos not in sk->qos, this is actually properly handled on getsockopt(BT_ISO_QOS) but not on iso_send_frame. Fixes: ccf74f2390d60 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:06:23+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2022-08-05T07:12:18+00:00 urn:sha1:3f2893d3c142986aa935821460cb3adb77044722 syzbot is reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for calling cancel_delayed_work_sync() without INIT_DELAYED_WORK() is not permitted. INIT_DELAYED_WORK() is called from mgmt_init_hdev() via chan->hdev_init() from hci_mgmt_cmd(), but cancel_delayed_work_sync() is unconditionally called from mgmt_index_removed(). Call cancel_delayed_work_sync() only if HCI_MGMT flag was set, for mgmt_init_hdev() sets HCI_MGMT flag when calling INIT_DELAYED_WORK(). Link: https://syzkaller.appspot.com/bug?extid=b8ddd338a8838e581b1c [1] Reported-by: syzbot <syzbot+b8ddd338a8838e581b1c@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: 0ef08313cefdd60d ("Bluetooth: Convert delayed discov_off to hci_sync") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:06:10+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-08-03T17:17:17+00:00 urn:sha1:9dfe1727b21927c6dd8d703e3a9618b505eb6224 BT_DEFER_SETUP shall be considered valid for all states except for BT_CONNECTED as it is also used when initiated a connection rather then only for BT_BOUND and BT_LISTEN. Fixes: ccf74f2390d60 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:05:45+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-08-03T21:51:16+00:00 urn:sha1:0c7937587d8b0337466c993dc9c7645767f57bfd This fixes the following warning when building with make C=1: net/bluetooth/mgmt.c:3821:29: warning: restricted __le16 degrades to integer net/bluetooth/mgmt.c:4625:9: warning: cast to restricted __le32 Fixes: 600a87490ff98 ("Bluetooth: Implementation of MGMT_OP_SET_BLOCKED_KEYS.") Fixes: 4c54bf2b093bb ("Bluetooth: Add get/set device flags mgmt op") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:05:12+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-08-03T21:44:13+00:00 urn:sha1:889f0346d47a0285093a3b665d1455c084636d9f This fixes the following warning when build with make C=1: net/bluetooth/hci_event.c:337:15: warning: restricted __le16 degrades to integer Fixes: a93661203641e ("Bluetooth: Process result of HCI Delete Stored Link Key command") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:04:51+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-07-29T18:03:27+00:00 urn:sha1:b4443423278263d229dbeee12d09e657b78d64ab The following memory corruption can happen since iso_pinfo.base size did not account for its headers (4 bytes): net/bluetooth/eir.c 76 memcpy(&eir[eir_len], data, data_len); ^^^^^^^ ^^^^^^^^ 77 eir_len += data_len; 78 79 return eir_len; 80 } The "eir" buffer has 252 bytes and data_len is 252 but we do a memcpy() to &eir[4] so this can corrupt 4 bytes beyond the end of the buffer. Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> 2022-08-09T00:04:37+00:00 Soenke Huster soenke.huster@eknoes.de 2022-07-22T11:53:07+00:00 urn:sha1:ce78e557ff8819f2d10e8d6bae79404bfbbd6809 __hci_cmd_sync returns NULL if the controller responds with a status event. This is unexpected for the commands sent here, but on occurrence leads to null pointer dereferences and thus must be handled. Signed-off-by: Soenke Huster <soenke.huster@eknoes.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:04:24+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-07-28T23:50:48+00:00 urn:sha1:0eee4995f40573f65ed67cea4d20fcf389d353de The C standard rules for when struct holes are zeroed out are slightly weird. The existing assignments might initialize everything, but GCC is allowed to (and does sometimes) leave the struct holes uninitialized, so instead of using yet another variable and copy the QoS settings just use a pointer to the stored QoS settings. Fixes: ccf74f2390d60 ("Bluetooth: Add BTPROTO_ISO socket type") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:04:11+00:00 Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-07-28T20:56:36+00:00 urn:sha1:10b9adb556508a299dc283b7c746b811f6918987 BT_ISO_QOS has different semantics when it comes to QoS PHY as it uses 0x00 to disable a direction but that value is invalid over HCI and sockets using DEFER_SETUP to connect may attempt to use hci_bind_cis multiple times in order to detect if the parameters have changed, so to fix the code will now just mirror the PHY for the parameters of HCI_OP_LE_SET_CIG_PARAMS and will not update the PHY of the socket leaving it disabled. Fixes: 26afbd826ee32 ("Bluetooth: Add initial implementation of CIS connections") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-08-09T00:03:57+00:00 Dan Carpenter dan.carpenter@oracle.com 2022-07-27T12:08:56+00:00 urn:sha1:164dac9755ac297b0c07505ad3db9e7d69b80499 Call release_sock(sk); before returning on this error path. Fixes: ccf74f2390d60 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>