
Commit 8d5c1b8

author
Paolo Abeni
committed
Merge tag 'for-net-2024-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - SCO: remove the redundant sco_conn_put - MGMT: Fix slab-use-after-free Read in set_powered_sync - MGMT: Fix possible deadlocks * tag 'for-net-2024-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: SCO: remove the redundant sco_conn_put Bluetooth: MGMT: Fix possible deadlocks Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync ==================== Link: https://patch.msgid.link/20241126165149.899213-1-luiz.dentz@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2 parents d1524d0 + ed95885 commit 8d5c1b8


2 files changed

+28
-12
lines changed


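--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1318,7 +1318,8 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
 struct mgmt_mode *cp;
 
 /* Make sure cmd still outstanding. */
-if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
 return;
 
 cp = cmd->param;
@@ -1351,7 +1352,13 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
 static int set_powered_sync(struct hci_dev *hdev, void *data)
 {
 struct mgmt_pending_cmd *cmd = data;
-struct mgmt_mode *cp = cmd->param;
+struct mgmt_mode *cp;
+
+/* Make sure cmd still outstanding. */
+if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+return -ECANCELED;
+
+cp = cmd->param;
 
 BT_DBG("%s", hdev->name);
 
@@ -1511,7 +1518,8 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
 bt_dev_dbg(hdev, "err %d", err);
 
 /* Make sure cmd still outstanding. */
-if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
 return;
 
 hci_dev_lock(hdev);
@@ -1685,7 +1693,8 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
 bt_dev_dbg(hdev, "err %d", err);
 
 /* Make sure cmd still outstanding. */
-if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
 return;
 
 hci_dev_lock(hdev);
@@ -1917,7 +1926,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 bool changed;
 
 /* Make sure cmd still outstanding. */
-if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
+if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev))
 return;
 
 if (err) {
@@ -3841,7 +3850,8 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err)
 
 bt_dev_dbg(hdev, "err %d", err);
 
-if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
 return;
 
 if (status) {
@@ -4016,7 +4026,8 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
 struct sk_buff *skb = cmd->skb;
 u8 status = mgmt_status(err);
 
-if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
 return;
 
 if (!status) {
@@ -5907,13 +5918,16 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
 {
 struct mgmt_pending_cmd *cmd = data;
 
+bt_dev_dbg(hdev, "err %d", err);
+
+if (err == -ECANCELED)
+return;
+
 if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
 cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
 cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
 return;
 
-bt_dev_dbg(hdev, "err %d", err);
-
 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
 cmd->param, 1);
 mgmt_pending_remove(cmd);
@@ -6146,7 +6160,8 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
 {
 struct mgmt_pending_cmd *cmd = data;
 
-if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
 return;
 
 bt_dev_dbg(hdev, "err %d", err);
@@ -8137,7 +8152,8 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
 u8 status = mgmt_status(err);
 u16 eir_len;
 
-if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
+if (err == -ECANCELED ||
+cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
 return;
 
 if (!status) {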
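Review bot: The `/* Make sure cmd still outstanding. */` comment kept above the new two-part condition in mgmt_set_powered_complete, mgmt_set_discoverable_complete, mgmt_set_connectable_complete and set_ssp_complete now describes only its second operand, and the hunks in set_name_complete, set_default_phy_complete, stop_discovery_complete and read_local_oob_ext_data_complete carry no comment at all for the new `err == -ECANCELED` return. The reason for bailing out before `pending_find()` is not visible here; the placement ahead of `hci_dev_lock(hdev)` in the discoverable/connectable hunks suggests the cancelled path must not take the lock or touch `cmd`, but that is an inference. I would reword the comment where it exists and add it where it is missing, e.g. `/* On cancellation bail out before using cmd or taking hdev->lock; otherwise make sure cmd is still outstanding. */`, adjusting the wording to the actual constraint. In set_powered_sync the new `return -ECANCELED` is what later makes the `err == -ECANCELED` branch in mgmt_set_powered_complete fire, which is worth a one-line comment at the return so the two sites read as a pair. All of these function bodies continue outside their hunks.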

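--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -143,6 +143,7 @@ static void sco_sock_timeout(struct work_struct *work)
 sco_conn_lock(conn);
 if (!conn->hcon) {
 sco_conn_unlock(conn);
+sco_conn_put(conn);
 return;
 }
 sk = sco_sock_hold(conn);
@@ -192,7 +193,6 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
 conn->hcon = hcon;
 sco_conn_unlock(conn);
 }
-sco_conn_put(conn);
 return conn;
 }
 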