bluetooth pull request for net:

- RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
  - hci_conn: Fix UAF in hci_enhanced_setup_sync
  - btusb: Don't fail external suspend requests
 -----BEGIN PGP SIGNATURE-----
 
 iQJNBAABCAA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmcAVtUZHGx1aXoudm9u
 LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKfgwD/4qQ6WOCaRXeGl3qv1Whbzn
 LaEGLU9KKHeuuIsVQDzIS7lWITKwzyGTz/A/V7BjsbskfKTiUZOaFq46y1KHbnHu
 uXxdd5pIyqL7TwqVgKvMRpfnzbSJojnuyM5uqBBNMkXz9HYlEV6fuxb3IwBxNTNG
 bq7vTtAM2CG6OnsMtJQDNjsOpXpNA6MBeYR/kTtVQTRt5zLqSTbxneHRhHlB0tsS
 7BIjJ8lPmepbZKx5IxNWY+tnLz1YUNjXNN6DcIZY0tfP1R052dm/CN5jxn+H+hm1
 zyuV9T6BPqlftCXHjbakUjMwlOTHbubJkinseFT8tNhI8p0oauQh/KrE+VDvfZDT
 hEe5Hxoxh+2WN7/yzKZZwEleuxuMaPVtQQ7PUheSQBMusdYk/VcOML1N6gvWhboC
 2EtQmZhE/4pkGQ/5qHM0yMMmpE0zufkP+GQdIbsM1gapHGgFFEqFUKXtn7jSf4EF
 n9q+vviOhjVNPV0jb+iO8x419QQG4mHeL5DFqBc23w8juPwu/P8Aw7TTNPH4PKO9
 1786a7Bw3SK0T9EjnmDylU0jaKTKsrN/o+HlJhbHrryymOidHb/Rgi56tHm71NbC
 F6T+7RhXUuNOMlLII/SdYqHmpq9xZ4Zl2Ajtpad7QpixThdhKcfP+/DCPVFEjXTo
 OYXccG05hNfGSg5qBHuSNQ==
 =uwxN
 -----END PGP SIGNATURE-----

Merge tag 'for-net-2024-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
 - hci_conn: Fix UAF in hci_enhanced_setup_sync
 - btusb: Don't fail external suspend requests

* tag 'for-net-2024-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: btusb: Don't fail external suspend requests
  Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
  Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
====================

Link: https://patch.msgid.link/20241004210124.4010321-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2024-10-07 17:05:19 -07:00
commit f61060fb29
3 changed files with 21 additions and 4 deletions

View File

@ -4038,16 +4038,29 @@ static void btusb_disconnect(struct usb_interface *intf)
static int btusb_suspend(struct usb_interface *intf, pm_message_t message) static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
{ {
struct btusb_data *data = usb_get_intfdata(intf); struct btusb_data *data = usb_get_intfdata(intf);
int err;
BT_DBG("intf %p", intf); BT_DBG("intf %p", intf);
/* Don't suspend if there are connections */ /* Don't auto-suspend if there are connections; external suspend calls
if (hci_conn_count(data->hdev)) * shall never fail.
*/
if (PMSG_IS_AUTO(message) && hci_conn_count(data->hdev))
return -EBUSY; return -EBUSY;
if (data->suspend_count++) if (data->suspend_count++)
return 0; return 0;
/* Notify Host stack to suspend; this has to be done before stopping
* the traffic since the hci_suspend_dev itself may generate some
* traffic.
*/
err = hci_suspend_dev(data->hdev);
if (err) {
data->suspend_count--;
return err;
}
spin_lock_irq(&data->txlock); spin_lock_irq(&data->txlock);
if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
set_bit(BTUSB_SUSPENDING, &data->flags); set_bit(BTUSB_SUSPENDING, &data->flags);
@ -4055,6 +4068,7 @@ static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
} else { } else {
spin_unlock_irq(&data->txlock); spin_unlock_irq(&data->txlock);
data->suspend_count--; data->suspend_count--;
hci_resume_dev(data->hdev);
return -EBUSY; return -EBUSY;
} }
@ -4175,6 +4189,8 @@ static int btusb_resume(struct usb_interface *intf)
spin_unlock_irq(&data->txlock); spin_unlock_irq(&data->txlock);
schedule_work(&data->work); schedule_work(&data->work);
hci_resume_dev(data->hdev);
return 0; return 0;
failed: failed:

View File

@ -289,6 +289,9 @@ static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
kfree(conn_handle); kfree(conn_handle);
if (!hci_conn_valid(hdev, conn))
return -ECANCELED;
bt_dev_dbg(hdev, "hcon %p", conn); bt_dev_dbg(hdev, "hcon %p", conn);
configure_datapath_sync(hdev, &conn->codec); configure_datapath_sync(hdev, &conn->codec);

View File

@ -865,9 +865,7 @@ static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned lon
if (err == -ENOIOCTLCMD) { if (err == -ENOIOCTLCMD) {
#ifdef CONFIG_BT_RFCOMM_TTY #ifdef CONFIG_BT_RFCOMM_TTY
lock_sock(sk);
err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg); err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
release_sock(sk);
#else #else
err = -EOPNOTSUPP; err = -EOPNOTSUPP;
#endif #endif