public inbox for linux-next@vger.kernel.org 
* linux-next: manual merge of the bluetooth tree with the origin tree
@ 2023-04-17 14:36 broonie
From: broonie @ 2023-04-17 14:36 UTC
  To: Marcel Holtmann, Johan Hedberg
  Cc: Linux Kernel Mailing List, Linux Next Mailing List,
	Luiz Augusto von Dentz

Hi all,

Today's linux-next merge of the bluetooth tree got a conflict in:

  net/bluetooth/hci_conn.c

between commit:

  5dc7d23e167e2 ("Bluetooth: hci_conn: Fix possible UAF")

from the origin tree and commit:

  0623067085473 ("Bluetooth: hci_conn: Fix possible UAF")

from the bluetooth tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --cc net/bluetooth/hci_conn.c
index 8455ba141ee61,640b951bf40a1..0000000000000
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c

* linux-next: manual merge of the bluetooth tree with the origin tree
@ 2025-09-17 11:34 Mark Brown
From: Mark Brown @ 2025-09-17 11:34 UTC
  To: Marcel Holtmann, Johan Hedberg
  Cc: Linux Kernel Mailing List, Linux Next Mailing List,
	Luiz Augusto von Dentz, Pavel Shpakovskiy

Hi all,

Today's linux-next merge of the bluetooth tree got a conflict in:

  net/bluetooth/mgmt.c

between commit:

  6bbd0d3f0c23f ("Bluetooth: hci_sync: fix set_local_name race condition")

from the origin tree and commit:

  c49a788e88e48 ("Bluetooth: hci_sync: fix set_local_name race condition")

from the bluetooth tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --cc net/bluetooth/mgmt.c
index 50634ef5c8b70,b9c53810bf06b..0000000000000
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c

* linux-next: manual merge of the bluetooth tree with the origin tree
@ 2025-09-22  9:23 Mark Brown
From: Mark Brown @ 2025-09-22  9:23 UTC
  To: Marcel Holtmann, Johan Hedberg
  Cc: Linux Kernel Mailing List, Linux Next Mailing List,
	Luiz Augusto von Dentz, Pavel Shpakovskiy

Hi all,

Today's linux-next merge of the bluetooth tree got a conflict in:

  net/bluetooth/mgmt.c

between commit:

  6bbd0d3f0c23f ("Bluetooth: hci_sync: fix set_local_name race condition")

from the origin tree and commit:

  3b3eb857d5ab6 ("Bluetooth: MGMT: Fix possible UAFs")

from the bluetooth tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --cc net/bluetooth/mgmt.c
index 50634ef5c8b70,ee7068fb9fb59..0000000000000
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c

* linux-next: manual merge of the bluetooth tree with the origin tree
@ 2026-03-12 13:14 Mark Brown
From: Mark Brown @ 2026-03-12 13:14 UTC
  To: Marcel Holtmann, Johan Hedberg
  Cc: Linux Kernel Mailing List, Linux Next Mailing List,
	Luiz Augusto von Dentz

Hi all,

Today's linux-next merge of the bluetooth tree got a conflict in:

  net/bluetooth/l2cap_core.c

between commit:

  c28d2bff70444 ("Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short")

from the origin tree and commit:

  19ba9c64840d4 ("Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ")

from the bluetooth tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --combined net/bluetooth/l2cap_core.c
index ad98db9632fd2,475fdf1908cb8..0000000000000
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@@ -442,7 -442,7 +442,7 @@@ struct l2cap_chan *l2cap_chan_create(vo
  {
  	struct l2cap_chan *chan;
  
 -	chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
 +	chan = kzalloc_obj(*chan, GFP_ATOMIC);
  	if (!chan)
  		return NULL;
  
@@@ -1678,17 -1678,15 +1678,15 @@@ static void l2cap_info_timeout(struct w
  
  int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
  {
- 	struct hci_dev *hdev = conn->hcon->hdev;
  	int ret;
  
  	/* We need to check whether l2cap_conn is registered. If it is not, we
- 	 * must not register the l2cap_user. l2cap_conn_del() is unregisters
- 	 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
- 	 * relies on the parent hci_conn object to be locked. This itself relies
- 	 * on the hci_dev object to be locked. So we must lock the hci device
- 	 * here, too. */
+ 	 * must not register the l2cap_user. l2cap_conn_del() unregisters
+ 	 * l2cap_conn objects under conn->lock, and we use the same lock here
+ 	 * to protect access to conn->users and conn->hchan.
+ 	 */
  
- 	hci_dev_lock(hdev);
+ 	mutex_lock(&conn->lock);
  
  	if (!list_empty(&user->list)) {
  		ret = -EINVAL;
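Review bot: replacing hci_dev_lock(hdev) with mutex_lock(&conn->lock) moves the lock into the very object whose teardown (l2cap_conn_del()) this code is racing against, so every caller of l2cap_register_user() must now hold its own reference on conn, or otherwise guarantee conn cannot be freed while the mutex is taken; the rewritten comment explains that conn->lock protects conn->users and conn->hchan but says nothing about what keeps conn itself alive, and a sentence stating that contract would make the change reviewable on its own.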
@@@ -1709,16 -1707,14 +1707,14 @@@
  	ret = 0;
  
  out_unlock:
- 	hci_dev_unlock(hdev);
+ 	mutex_unlock(&conn->lock);
  	return ret;
  }
  EXPORT_SYMBOL(l2cap_register_user);
  
  void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
  {
- 	struct hci_dev *hdev = conn->hcon->hdev;
- 
- 	hci_dev_lock(hdev);
+ 	mutex_lock(&conn->lock);
  
  	if (list_empty(&user->list))
  		goto out_unlock;
@@@ -1727,7 -1723,7 +1723,7 @@@
  	user->remove(conn, user);
  
  out_unlock:
- 	hci_dev_unlock(hdev);
+ 	mutex_unlock(&conn->lock);
  }
  EXPORT_SYMBOL(l2cap_unregister_user);
  
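Review bot: user->remove(conn, user) is now called with conn->lock held (between the mutex_lock at the top of l2cap_unregister_user() and the mutex_unlock under out_unlock), so any remove callback that re-enters l2cap_register_user()/l2cap_unregister_user() or takes conn->lock for another reason will self-deadlock; worth confirming that no existing l2cap_user implementation does that and noting the constraint in a comment next to the callback invocation.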
@@@ -4616,7 -4612,8 +4612,8 @@@ static inline int l2cap_information_rsp
  
  	switch (type) {
  	case L2CAP_IT_FEAT_MASK:
- 		conn->feat_mask = get_unaligned_le32(rsp->data);
+ 		if (cmd_len >= sizeof(*rsp) + sizeof(u32))
+ 			conn->feat_mask = get_unaligned_le32(rsp->data);
  
  		if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
  			struct l2cap_info_req req;
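Review bot: the new `cmd_len >= sizeof(*rsp) + sizeof(u32)` check correctly guards the get_unaligned_le32(rsp->data) read, but when it fails execution simply continues into `if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN)` with whatever conn->feat_mask held before, so a truncated response is silently processed as if it were valid; consider breaking out (or at least logging) on a short response rather than falling through with stale state.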
@@@ -4635,7 -4632,8 +4632,8 @@@
  		break;
  
  	case L2CAP_IT_FIXED_CHAN:
- 		conn->remote_fixed_chan = rsp->data[0];
+ 		if (cmd_len >= sizeof(*rsp) + sizeof(rsp->data[0]))
+ 			conn->remote_fixed_chan = rsp->data[0];
  		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
  		conn->info_ident = 0;
  
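Review bot: same pattern as the L2CAP_IT_FEAT_MASK arm: on a short response the assignment to conn->remote_fixed_chan is skipped, yet `conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE` and `conn->info_ident = 0` still execute, so the info exchange is marked complete with the previous value; if treating a short response as "no fixed channels" is intended, a one-line comment saying so would help.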
@@@ -5059,7 -5057,7 +5057,7 @@@ static inline int l2cap_ecred_conn_req(
  	u16 mtu, mps;
  	__le16 psm;
  	u8 result, rsp_len = 0;
- 	int i, num_scid;
+ 	int i, num_scid = 0;
  	bool defer = false;
  
  	if (!enable_ecred)
@@@ -5072,6 -5070,14 +5070,14 @@@
  		goto response;
  	}
  
+ 	/* Check if there are no pending channels with the same ident */
+ 	__l2cap_chan_list_id(conn, cmd->ident, l2cap_ecred_list_defer,
+ 			     &num_scid);
+ 	if (num_scid) {
+ 		result = L2CAP_CR_LE_INVALID_PARAMS;
+ 		goto response;
+ 	}
+ 
  	cmd_len -= sizeof(*req);
  	num_scid = cmd_len / sizeof(u16);
  
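Review bot: __l2cap_chan_list_id() is handed &num_scid as its accumulator, which is why the previous hunk now initialises `num_scid = 0`, but num_scid is then overwritten by `num_scid = cmd_len / sizeof(u16)` a few lines later; using a separately named counter for the pending-channel count would make the two meanings easier to follow and remove the dependence on ordering. A short comment on why a duplicate ident is answered with L2CAP_CR_LE_INVALID_PARAMS rather than being dropped would also help readers.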
@@@ -5424,7 -5430,7 +5430,7 @@@ static inline int l2cap_ecred_reconf_rs
  					 u8 *data)
  {
  	struct l2cap_chan *chan, *tmp;
- 	struct l2cap_ecred_conn_rsp *rsp = (void *) data;
+ 	struct l2cap_ecred_reconf_rsp *rsp = (void *)data;
  	u16 result;
  
  	if (cmd_len < sizeof(*rsp))
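Review bot: rsp now points at struct l2cap_ecred_reconf_rsp, so the `cmd_len < sizeof(*rsp)` check on the last line of the hunk is sized against the reconf layout; since the rest of l2cap_ecred_reconf_rsp() was written while rsp had the conn_rsp type, the lines outside this hunk should be checked to make sure they only touch fields the reconf struct actually has.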
@@@ -5432,7 -5438,7 +5438,7 @@@
  
  	result = __le16_to_cpu(rsp->result);
  
- 	BT_DBG("result 0x%4.4x", rsp->result);
+ 	BT_DBG("result 0x%4.4x", result);
  
  	if (!result)
  		return 0;
@@@ -6662,8 -6668,17 +6668,17 @@@ static int l2cap_ecred_data_rcv(struct 
  		return -ENOBUFS;
  	}
  
- 	if (chan->imtu < skb->len) {
- 		BT_ERR("Too big LE L2CAP PDU");
+ 	if (skb->len > chan->imtu) {
+ 		BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
+ 		       chan->imtu);
+ 		l2cap_send_disconn_req(chan, ECONNRESET);
+ 		return -ENOBUFS;
+ 	}
+ 
+ 	if (skb->len > chan->mps) {
+ 		BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
+ 		       chan->mps);
+ 		l2cap_send_disconn_req(chan, ECONNRESET);
  		return -ENOBUFS;
  	}
  
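Review bot: both new oversize checks call l2cap_send_disconn_req(chan, ECONNRESET) and then return -ENOBUFS, so the caller's -ENOBUFS path must still free skb exactly once now that the channel is being torn down underneath it; that is worth confirming, and since the imtu and mps blocks are identical apart from the limit, folding them into one helper would keep the two disconnect paths from drifting apart.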
@@@ -6689,7 -6704,9 +6704,9 @@@
  		       sdu_len, skb->len, chan->imtu);
  
  		if (sdu_len > chan->imtu) {
- 			BT_ERR("Too big LE L2CAP SDU length received");
+ 			BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
+ 			       skb->len, sdu_len);
+ 			l2cap_send_disconn_req(chan, ECONNRESET);
  			err = -EMSGSIZE;
  			goto failed;
  		}
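Review bot: the BT_ERR arguments do not match the condition: the test is `sdu_len > chan->imtu`, but the message prints `skb->len, sdu_len` under the format "len %u > %u", which will log a misleading pair of numbers; it should pass `sdu_len, chan->imtu`.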
@@@ -6725,6 -6742,7 +6742,7 @@@
  
  	if (chan->sdu->len + skb->len > chan->sdu_len) {
  		BT_ERR("Too much LE L2CAP data received");
+ 		l2cap_send_disconn_req(chan, ECONNRESET);
  		err = -EINVAL;
  		goto failed;
  	}
@@@ -6947,7 -6965,7 +6965,7 @@@ static struct l2cap_conn *l2cap_conn_ad
  	if (!hchan)
  		return NULL;
  
 -	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 +	conn = kzalloc_obj(*conn);
  	if (!conn) {
  		hci_chan_del(hchan);
  		return NULL;
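Review bot: `kzalloc_obj(*conn)` drops the explicit GFP_KERNEL that `kzalloc(sizeof(*conn), GFP_KERNEL)` carried, while the l2cap_chan_create() hunk earlier keeps an explicit flag in `kzalloc_obj(*chan, GFP_ATOMIC)`; the one-argument form is only equivalent if the helper defaults to GFP_KERNEL when no flags are given, which should be confirmed against its definition before relying on it here.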

* linux-next: manual merge of the bluetooth tree with the origin tree
@ 2026-05-18 12:47 Mark Brown
From: Mark Brown @ 2026-05-18 12:47 UTC
  To: Marcel Holtmann, Johan Hedberg
  Cc: Linux Kernel Mailing List, Linux Next Mailing List,
	Luiz Augusto von Dentz, Pauli Virtanen, Tristan Madani

Hi all,

Today's linux-next merge of the bluetooth tree got a conflict in:

  drivers/bluetooth/btmtk.c

between commit:

  634a4408c0615 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")

from the origin tree and commits:

  041e88fb0c086 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
  162b1adeb057d ("Bluetooth: btmtk: accept too short WMT FUNC_CTRL events")

from the bluetooth tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --combined drivers/bluetooth/btmtk.c
index f70c1b0f89903,68a32d11e5ec9..0000000000000
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@@ -719,8 -719,8 +719,8 @@@ static int btmtk_usb_hci_wmt_sync(struc
  	case BTMTK_WMT_FUNC_CTRL:
  		if (!skb_pull_data(data->evt_skb,
  				   sizeof(wmt_evt_funcc->status))) {
- 			err = -EINVAL;
- 			goto err_free_skb;
+ 			status = BTMTK_WMT_ON_UNDONE;
+ 			break;
  		}
  
  		wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
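Review bot: the short-event path now sets `status = BTMTK_WMT_ON_UNDONE` and breaks out of the switch, so the cast to wmt_evt_funcc on the line after the if is not reached for that path, which is correct since no status byte was pulled; a comment explaining why a FUNC_CTRL event shorter than its status field is tolerated (the "accept too short WMT FUNC_CTRL events" commit) instead of failing with -EINVAL would help the next reader, and callers should treat BTMTK_WMT_ON_UNDONE from this path as "no answer" rather than a state the firmware reported.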
@@@ -1545,6 -1545,29 +1545,29 @@@ int btmtk_usb_shutdown(struct hci_dev *
  	return 0;
  }
  EXPORT_SYMBOL_GPL(btmtk_usb_shutdown);
+ 
+ int btmtk_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
+ {
+ 	struct hci_event_hdr *hdr = (void *)skb->data;
+ 	struct hci_ev_cmd_complete *ec;
+ 
+ 	if (hdr->evt == HCI_EV_CMD_COMPLETE &&
+ 	    skb->len >= HCI_EVENT_HDR_SIZE + sizeof(*ec)) {
+ 		u16 opcode;
+ 
+ 		ec = (void *)(skb->data + HCI_EVENT_HDR_SIZE);
+ 		opcode = __le16_to_cpu(ec->opcode);
+ 
+ 		/* Filter vendor opcode */
+ 		if (opcode == 0xfc5d) {
+ 			kfree_skb(skb);
+ 			return 0;
+ 		}
+ 	}
+ 
+ 	return hci_recv_frame(hdev, skb);
+ }
+ EXPORT_SYMBOL_GPL(btmtk_recv_event);
  #endif
  
  MODULE_AUTHOR("Sean Wang <sean.wang@mediatek•com>");
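Review bot: in btmtk_recv_event() `hdr->evt` is dereferenced before the `skb->len >= HCI_EVENT_HDR_SIZE + sizeof(*ec)` test, so the event byte is read before the buffer length is validated; swapping the two operands of the && (length test first) makes the read conditional on the length. The bare `0xfc5d` should also be a named constant with a comment saying which vendor command it filters.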

* linux-next: manual merge of the bluetooth tree with the origin tree
@ 2026-06-01 14:48 Mark Brown
From: Mark Brown @ 2026-06-01 14:48 UTC
  To: Marcel Holtmann, Johan Hedberg
  Cc: Dudu Lu, Jann Horn, Linux Kernel Mailing List,
	Linux Next Mailing List, Luiz Augusto von Dentz

Hi all,

Today's linux-next merge of the bluetooth tree got a conflict in:

  net/bluetooth/bnep/core.c

between commits:

  59e932ded949f ("Bluetooth: bnep: Fix UAF read of dev->name")
  72b8deccff17a ("Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling")

from the origin tree and commits:

  feaef2aa27201 ("Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling")
  ffeee619a13bf ("Bluetooth: bnep: Fix UAF read of dev->name")

from the bluetooth tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

diff --combined net/bluetooth/bnep/core.c
index 0de5df690bd0b,5c5f53ff30e8e..0000000000000
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@@ -206,14 -206,11 +206,11 @@@ static int bnep_ctrl_set_mcfilter(struc
  	return 0;
  }
  
- static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+ static int bnep_rx_control_cmd(struct bnep_session *s, u8 cmd, void *data,
+ 			       int len)
  {
- 	u8  cmd = *(u8 *)data;
  	int err = 0;
  
- 	data++;
- 	len--;
- 
  	switch (cmd) {
  	case BNEP_CMD_NOT_UNDERSTOOD:
  	case BNEP_SETUP_CONN_RSP:
@@@ -254,6 -251,14 +251,14 @@@
  	return err;
  }
  
+ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+ {
+ 	if (len < 1)
+ 		return -EILSEQ;
+ 
+ 	return bnep_rx_control_cmd(s, *(u8 *)data, data + 1, len - 1);
+ }
+ 
  static int bnep_rx_extension(struct bnep_session *s, struct sk_buff *skb)
  {
  	struct bnep_ext_hdr *h;
@@@ -299,19 -304,26 +304,26 @@@ static int bnep_rx_frame(struct bnep_se
  {
  	struct net_device *dev = s->dev;
  	struct sk_buff *nskb;
+ 	u8 *data;
  	u8 type, ctrl_type;
  
  	dev->stats.rx_bytes += skb->len;
  
- 	type = *(u8 *) skb->data;
- 	skb_pull(skb, 1);
- 	ctrl_type = *(u8 *)skb->data;
+ 	data = skb_pull_data(skb, sizeof(type));
+ 	if (!data)
+ 		goto badframe;
+ 	type = *data;
  
  	if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
  		goto badframe;
  
  	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
- 		if (bnep_rx_control(s, skb->data, skb->len) < 0) {
+ 		data = skb_pull_data(skb, sizeof(ctrl_type));
+ 		if (!data)
+ 			goto badframe;
+ 		ctrl_type = *data;
+ 
+ 		if (bnep_rx_control_cmd(s, ctrl_type, skb->data, skb->len) < 0) {
  			dev->stats.tx_errors++;
  			kfree_skb(skb);
  			return 0;
@@@ -324,24 -336,27 +336,31 @@@
  
  		/* Verify and pull ctrl message since it's already processed */
  		switch (ctrl_type) {
- 		case BNEP_SETUP_CONN_REQ:
- 			/* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
- 			if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
+ 		case BNEP_SETUP_CONN_REQ: {
+ 			u8 uuid_size;
+ 
+ 			/* Pull uuid_size and the dst/src service UUIDs. */
+ 			data = skb_pull_data(skb, sizeof(uuid_size));
+ 			if (!data)
+ 				goto badframe;
+ 			uuid_size = *data;
+ 			if (!skb_pull(skb, uuid_size + uuid_size))
  				goto badframe;
  			break;
+ 		}
  		case BNEP_FILTER_MULTI_ADDR_SET:
 -		case BNEP_FILTER_NET_TYPE_SET:
 -			/* Pull: len (2 b), data (len bytes) */
 -			data = skb_pull_data(skb, sizeof(u16));
 -			if (!data)
 +		case BNEP_FILTER_NET_TYPE_SET: {
 +			u8 *hdr;
 +
 +			/* Pull ctrl type (1 b) + len (2 b) */
 +			hdr = skb_pull_data(skb, 3);
 +			if (!hdr)
  				goto badframe;
 -			if (!skb_pull(skb, get_unaligned_be16(data)))
 +			/* Pull data (len bytes); length is big-endian */
 +			if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
  				goto badframe;
  			break;
 +		}
  		default:
  			kfree_skb(skb);
  			return 0;
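Review bot: the resolution of this hunk is inconsistent about where skb->data points when the switch runs. The previous hunk takes the bluetooth-tree side of bnep_rx_frame(), which now consumes the control type with `data = skb_pull_data(skb, sizeof(ctrl_type))`, and the BNEP_SETUP_CONN_REQ arm here matches that by pulling only uuid_size, but the BNEP_FILTER_MULTI_ADDR_SET/BNEP_FILTER_NET_TYPE_SET arm keeps the origin-tree variant that pulls "ctrl type (1 b) + len (2 b)" via `skb_pull_data(skb, 3)` and reads the length at `&hdr[1]`; with ctrl_type already pulled that skips one byte too many and reads the 16-bit length from the wrong offset. The dropped bluetooth-tree lines (`data = skb_pull_data(skb, sizeof(u16))` followed by `get_unaligned_be16(data)`) match the new layout and look like the correct resolution for that arm.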
