
Merge tag 'for-net-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

bluetooth pull request for net:

- Fixes UAF and CVE-2021-3564
- Fix VIRTIO_ID_BT to use an unassigned ID
- Fix firmware loading on some Intel Controllers

Signed-off-by: David S. Miller <davem@davemloft.net>

+30 -6
+21 -2
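--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2527,10 +2527,17 @@
 }
 
 btusb_setup_intel_newgen_get_fw_name(ver, fwname, sizeof(fwname), "sfi");
-err = request_firmware(&fw, fwname, &hdev->dev);
+err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
 if (err < 0) {
+if (!test_bit(BTUSB_BOOTLOADER, &data->flags)) {
+/* Firmware has already been loaded */
+set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
+return 0;
+}
+
 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
 fwname, err);
+
 return err;
 }
 
@@ -2687,12 +2680,24 @@
 err = btusb_setup_intel_new_get_fw_name(ver, params, fwname,
 sizeof(fwname), "sfi");
 if (err < 0) {
+if (!test_bit(BTUSB_BOOTLOADER, &data->flags)) {
+/* Firmware has already been loaded */
+set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
+return 0;
+}
+
 bt_dev_err(hdev, "Unsupported Intel firmware naming");
 return -EINVAL;
 }
 
-err = request_firmware(&fw, fwname, &hdev->dev);
+err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
 if (err < 0) {
+if (!test_bit(BTUSB_BOOTLOADER, &data->flags)) {
+/* Firmware has already been loaded */
+set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
+return 0;
+}
+
 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
 fwname, err);
 return err;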
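Review bot: The early return added at new line 2532, and the two identical blocks in the second hunk, treats every failure as "firmware has already been loaded" whenever BTUSB_BOOTLOADER is clear, so any negative `err` (a missing file, or an allocation failure inside the loader) now returns 0 without a log line; `firmware_request_nowarn()` also drops the loader's own warning. A controller that silently keeps whatever firmware it booted with is hard to audit, so at the two request sites I would log before setting the flag, e.g. `bt_dev_info(hdev, "Firmware file %s not loaded (%d), keeping running firmware", fwname, err);`. The same four-line block is repeated three times and would read better as one static helper. Both enclosing functions start and end outside the hunks.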
+1 -1
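--- a/include/uapi/linux/virtio_ids.h
+++ b/include/uapi/linux/virtio_ids.h
@@ -54,7 +54,7 @@
 #define VIRTIO_ID_SOUND 25 /* virtio sound */
 #define VIRTIO_ID_FS 26 /* virtio filesystem */
 #define VIRTIO_ID_PMEM 27 /* virtio pmem */
-#define VIRTIO_ID_BT 28 /* virtio bluetooth */
 #define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */
+#define VIRTIO_ID_BT 40 /* virtio bluetooth */
 
 #endif /* _LINUX_VIRTIO_IDS_H */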
+6 -1
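--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1610,8 +1610,13 @@
 } else {
 /* Init failed, cleanup */
 flush_work(&hdev->tx_work);
-flush_work(&hdev->cmd_work);
+
+/* Since hci_rx_work() is possible to awake new cmd_work
+* it should be flushed first to avoid unexpected call of
+* hci_cmd_work()
+*/
 flush_work(&hdev->rx_work);
+flush_work(&hdev->cmd_work);
 
 skb_queue_purge(&hdev->cmd_q);
 skb_queue_purge(&hdev->rx_q);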
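Review bot: The comment added above `flush_work(&hdev->rx_work)` is hard to parse ("is possible to awake new cmd_work"); something like `/* hci_rx_work() can queue cmd_work, so flush rx_work first; otherwise hci_cmd_work() may run after its own flush */` states the ordering rule directly. The reorder only covers rx_work as a producer: flush_work() waits for an instance that is already queued but does not prevent a later re-queue, so if anything outside this hunk (a timer, for instance) can also queue cmd_work, it could still run against the queues purged just below. That is worth confirming in the rest of the function, which starts and ends outside the hunk.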
+2 -2
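--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -762,7 +762,7 @@
 /* Detach sockets from device */
 read_lock(&hci_sk_list.lock);
 sk_for_each(sk, &hci_sk_list.head) {
-bh_lock_sock_nested(sk);
+lock_sock(sk);
 if (hci_pi(sk)->hdev == hdev) {
 hci_pi(sk)->hdev = NULL;
 sk->sk_err = EPIPE;
@@ -771,7 +771,7 @@
 
 hci_dev_put(hdev);
 }
-bh_unlock_sock(sk);
+release_sock(sk);
 }
 read_unlock(&hci_sk_list.lock);
 }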
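Review bot: `lock_sock(sk)` can sleep, yet it is now called while `read_lock(&hci_sk_list.lock)` is held across the whole `sk_for_each` loop shown in this hunk, so the new code sleeps in atomic context; a kernel built with `CONFIG_DEBUG_ATOMIC_SLEEP` should report it on device unregistration. The `bh_lock_sock_nested()` it replaces was a spinning lock and did not have that problem, so the race is closed at the cost of a new locking bug. The socket would need to be pinned (for example with `sock_hold(sk)`) and the list lock dropped before `lock_sock()`, or the detach moved to a context that may sleep. Either change reaches beyond the lines shown, since the function starts outside the hunk.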