Merge tag 'for-net-2025-11-21' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

+32 -7

drivers/bluetooth/btusb.c

··· 2711 2711 2712 2712 static void btusb_mtk_claim_iso_intf(struct btusb_data *data) 2713 2713 { 2714 - struct btmtk_data *btmtk_data = hci_get_priv(data->hdev); 2714 + struct btmtk_data *btmtk_data; 2715 2715 int err; 2716 + 2717 + if (!data->hdev) 2718 + return; 2719 + 2720 + btmtk_data = hci_get_priv(data->hdev); 2721 + if (!btmtk_data) 2722 + return; 2723 + 2724 + if (!btmtk_data->isopkt_intf) { 2725 + bt_dev_err(data->hdev, "Can't claim NULL iso interface"); 2726 + return; 2727 + } 2716 2728 2717 2729 /* 2718 2730 * The function usb_driver_claim_interface() is documented to need ··· 2747 2735 2748 2736 static void btusb_mtk_release_iso_intf(struct hci_dev *hdev) 2749 2737 { 2750 - struct btmtk_data *btmtk_data = hci_get_priv(hdev); 2738 + struct btmtk_data *btmtk_data; 2739 + 2740 + if (!hdev) 2741 + return; 2742 + 2743 + btmtk_data = hci_get_priv(hdev); 2744 + if (!btmtk_data) 2745 + return; 2751 2746 2752 2747 if (test_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags)) { 2753 2748 usb_kill_anchored_urbs(&btmtk_data->isopkt_anchor); 2754 2749 clear_bit(BTMTK_ISOPKT_RUNNING, &btmtk_data->flags); 2755 2750 2756 - dev_kfree_skb_irq(btmtk_data->isopkt_skb); 2757 - btmtk_data->isopkt_skb = NULL; 2758 - usb_set_intfdata(btmtk_data->isopkt_intf, NULL); 2759 - usb_driver_release_interface(&btusb_driver, 2760 - btmtk_data->isopkt_intf); 2751 + if (btmtk_data->isopkt_skb) { 2752 + dev_kfree_skb_irq(btmtk_data->isopkt_skb); 2753 + btmtk_data->isopkt_skb = NULL; 2754 + } 2755 + 2756 + if (btmtk_data->isopkt_intf) { 2757 + usb_set_intfdata(btmtk_data->isopkt_intf, NULL); 2758 + usb_driver_release_interface(&btusb_driver, 2759 + btmtk_data->isopkt_intf); 2760 + btmtk_data->isopkt_intf = NULL; 2761 + } 2761 2762 } 2762 2763 2763 2764 clear_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags);

+14 -7

include/net/bluetooth/hci_core.h

··· 749 749 750 750 __u8 remote_cap; 751 751 __u8 remote_auth; 752 - __u8 remote_id; 753 752 754 753 unsigned int sent; 755 754 ··· 856 857 /* ----- HCI interface to upper protocols ----- */ 857 858 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr); 858 859 int l2cap_disconn_ind(struct hci_conn *hcon); 859 - void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags); 860 + int l2cap_recv_acldata(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, 861 + u16 flags); 860 862 861 863 #if IS_ENABLED(CONFIG_BT_BREDR) 862 864 int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags); 863 - void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb); 865 + int sco_recv_scodata(struct hci_dev *hdev, u16 handle, struct sk_buff *skb); 864 866 #else 865 867 static inline int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, 866 868 __u8 *flags) ··· 869 869 return 0; 870 870 } 871 871 872 - static inline void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb) 872 + static inline int sco_recv_scodata(struct hci_dev *hdev, u16 handle, 873 + struct sk_buff *skb) 873 874 { 875 + kfree_skb(skb); 876 + return -ENOENT; 874 877 } 875 878 #endif 876 879 877 880 #if IS_ENABLED(CONFIG_BT_LE) 878 881 int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags); 879 - void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags); 882 + int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, 883 + u16 flags); 880 884 #else 881 885 static inline int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, 882 886 __u8 *flags) 883 887 { 884 888 return 0; 885 889 } 886 - static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, 887 - u16 flags) 890 + 891 + static inline int iso_recv(struct hci_dev *hdev, u16 handle, 892 + struct sk_buff *skb, u16 flags) 888 893 { 894 + kfree_skb(skb); 895 + return -ENOENT; 889 896 } 890 897 #endif 891 898

+37 -52

net/bluetooth/hci_core.c

··· 3832 3832 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3833 3833 { 3834 3834 struct hci_acl_hdr *hdr; 3835 - struct hci_conn *conn; 3836 3835 __u16 handle, flags; 3836 + int err; 3837 3837 3838 3838 hdr = skb_pull_data(skb, sizeof(*hdr)); 3839 3839 if (!hdr) { 3840 3840 bt_dev_err(hdev, "ACL packet too small"); 3841 - goto drop; 3841 + kfree_skb(skb); 3842 + return; 3842 3843 } 3843 3844 3844 3845 handle = __le16_to_cpu(hdr->handle); ··· 3851 3850 3852 3851 hdev->stat.acl_rx++; 3853 3852 3854 - hci_dev_lock(hdev); 3855 - conn = hci_conn_hash_lookup_handle(hdev, handle); 3856 - hci_dev_unlock(hdev); 3857 - 3858 - if (conn) { 3859 - hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF); 3860 - 3861 - /* Send to upper protocol */ 3862 - l2cap_recv_acldata(conn, skb, flags); 3863 - return; 3864 - } else { 3853 + err = l2cap_recv_acldata(hdev, handle, skb, flags); 3854 + if (err == -ENOENT) 3865 3855 bt_dev_err(hdev, "ACL packet for unknown connection handle %d", 3866 3856 handle); 3867 - } 3868 - 3869 - drop: 3870 - kfree_skb(skb); 3857 + else if (err) 3858 + bt_dev_dbg(hdev, "ACL packet recv for handle %d failed: %d", 3859 + handle, err); 3871 3860 } 3872 3861 3873 3862 /* SCO data packet */ 3874 3863 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3875 3864 { 3876 3865 struct hci_sco_hdr *hdr; 3877 - struct hci_conn *conn; 3878 3866 __u16 handle, flags; 3867 + int err; 3879 3868 3880 3869 hdr = skb_pull_data(skb, sizeof(*hdr)); 3881 3870 if (!hdr) { 3882 3871 bt_dev_err(hdev, "SCO packet too small"); 3883 - goto drop; 3872 + kfree_skb(skb); 3873 + return; 3884 3874 } 3885 3875 3886 3876 handle = __le16_to_cpu(hdr->handle); ··· 3883 3891 3884 3892 hdev->stat.sco_rx++; 3885 3893 3886 - hci_dev_lock(hdev); 3887 - conn = hci_conn_hash_lookup_handle(hdev, handle); 3888 - hci_dev_unlock(hdev); 3894 + hci_skb_pkt_status(skb) = flags & 0x03; 3889 3895 3890 - if (conn) { 3891 - /* Send to upper protocol */ 3892 - hci_skb_pkt_status(skb) = flags & 0x03; 3893 - sco_recv_scodata(conn, skb); 3894 - return; 3895 - } else { 3896 + err = sco_recv_scodata(hdev, handle, skb); 3897 + if (err == -ENOENT) 3896 3898 bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d", 3897 3899 handle); 3898 - } 3899 - 3900 - drop: 3901 - kfree_skb(skb); 3900 + else if (err) 3901 + bt_dev_dbg(hdev, "SCO packet recv for handle %d failed: %d", 3902 + handle, err); 3902 3903 } 3903 3904 3904 3905 static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3905 3906 { 3906 3907 struct hci_iso_hdr *hdr; 3907 - struct hci_conn *conn; 3908 3908 __u16 handle, flags; 3909 + int err; 3909 3910 3910 3911 hdr = skb_pull_data(skb, sizeof(*hdr)); 3911 3912 if (!hdr) { 3912 3913 bt_dev_err(hdev, "ISO packet too small"); 3913 - goto drop; 3914 + kfree_skb(skb); 3915 + return; 3914 3916 } 3915 3917 3916 3918 handle = __le16_to_cpu(hdr->handle); ··· 3914 3928 bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len, 3915 3929 handle, flags); 3916 3930 3917 - hci_dev_lock(hdev); 3918 - conn = hci_conn_hash_lookup_handle(hdev, handle); 3919 - hci_dev_unlock(hdev); 3920 - 3921 - if (!conn) { 3931 + err = iso_recv(hdev, handle, skb, flags); 3932 + if (err == -ENOENT) 3922 3933 bt_dev_err(hdev, "ISO packet for unknown connection handle %d", 3923 3934 handle); 3924 - goto drop; 3925 - } 3926 - 3927 - /* Send to upper protocol */ 3928 - iso_recv(conn, skb, flags); 3929 - return; 3930 - 3931 - drop: 3932 - kfree_skb(skb); 3935 + else if (err) 3936 + bt_dev_dbg(hdev, "ISO packet recv for handle %d failed: %d", 3937 + handle, err); 3933 3938 } 3934 3939 3935 3940 static bool hci_req_is_complete(struct hci_dev *hdev) ··· 4098 4121 } 4099 4122 } 4100 4123 4101 - static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) 4124 + static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) 4102 4125 { 4103 4126 int err; 4104 4127 ··· 4110 4133 if (!hdev->sent_cmd) { 4111 4134 skb_queue_head(&hdev->cmd_q, skb); 4112 4135 queue_work(hdev->workqueue, &hdev->cmd_work); 4113 - return; 4136 + return -EINVAL; 4114 4137 } 4115 4138 4116 4139 if (hci_skb_opcode(skb) != HCI_OP_NOP) { 4117 4140 err = hci_send_frame(hdev, skb); 4118 4141 if (err < 0) { 4119 4142 hci_cmd_sync_cancel_sync(hdev, -err); 4120 - return; 4143 + return err; 4121 4144 } 4122 4145 atomic_dec(&hdev->cmd_cnt); 4146 + } else { 4147 + err = -ENODATA; 4148 + kfree_skb(skb); 4123 4149 } 4124 4150 4125 4151 if (hdev->req_status == HCI_REQ_PEND && ··· 4130 4150 kfree_skb(hdev->req_skb); 4131 4151 hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); 4132 4152 } 4153 + 4154 + return err; 4133 4155 } 4134 4156 4135 4157 static void hci_cmd_work(struct work_struct *work) 4136 4158 { 4137 4159 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work); 4138 4160 struct sk_buff *skb; 4161 + int err; 4139 4162 4140 4163 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name, 4141 4164 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q)); ··· 4149 4166 if (!skb) 4150 4167 return; 4151 4168 4152 - hci_send_cmd_sync(hdev, skb); 4169 + err = hci_send_cmd_sync(hdev, skb); 4170 + if (err) 4171 + return; 4153 4172 4154 4173 rcu_read_lock(); 4155 4174 if (test_bit(HCI_RESET, &hdev->flags) ||

+2

net/bluetooth/hci_sock.c

··· 1311 1311 goto done; 1312 1312 } 1313 1313 1314 + hci_dev_lock(hdev); 1314 1315 mgmt_index_removed(hdev); 1316 + hci_dev_unlock(hdev); 1315 1317 1316 1318 err = hci_dev_open(hdev->id); 1317 1319 if (err) {

+25 -5

net/bluetooth/iso.c

··· 2314 2314 iso_conn_del(hcon, bt_to_errno(reason)); 2315 2315 } 2316 2316 2317 - void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 2317 + int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags) 2318 2318 { 2319 - struct iso_conn *conn = hcon->iso_data; 2319 + struct hci_conn *hcon; 2320 + struct iso_conn *conn; 2320 2321 struct skb_shared_hwtstamps *hwts; 2321 2322 __u16 pb, ts, len, sn; 2322 2323 2323 - if (!conn) 2324 - goto drop; 2324 + hci_dev_lock(hdev); 2325 + 2326 + hcon = hci_conn_hash_lookup_handle(hdev, handle); 2327 + if (!hcon) { 2328 + hci_dev_unlock(hdev); 2329 + kfree_skb(skb); 2330 + return -ENOENT; 2331 + } 2332 + 2333 + conn = iso_conn_hold_unless_zero(hcon->iso_data); 2334 + hcon = NULL; 2335 + 2336 + hci_dev_unlock(hdev); 2337 + 2338 + if (!conn) { 2339 + kfree_skb(skb); 2340 + return -EINVAL; 2341 + } 2325 2342 2326 2343 pb = hci_iso_flags_pb(flags); 2327 2344 ts = hci_iso_flags_ts(flags); ··· 2394 2377 hci_skb_pkt_status(skb) = flags & 0x03; 2395 2378 hci_skb_pkt_seqnum(skb) = sn; 2396 2379 iso_recv_frame(conn, skb); 2397 - return; 2380 + goto done; 2398 2381 } 2399 2382 2400 2383 if (pb == ISO_SINGLE) { ··· 2472 2455 2473 2456 drop: 2474 2457 kfree_skb(skb); 2458 + done: 2459 + iso_conn_put(conn); 2460 + return 0; 2475 2461 } 2476 2462 2477 2463 static struct hci_cb iso_cb = {

+18 -5

net/bluetooth/l2cap_core.c

··· 7510 7510 return c; 7511 7511 } 7512 7512 7513 - void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 7513 + int l2cap_recv_acldata(struct hci_dev *hdev, u16 handle, 7514 + struct sk_buff *skb, u16 flags) 7514 7515 { 7516 + struct hci_conn *hcon; 7515 7517 struct l2cap_conn *conn; 7516 7518 int len; 7517 7519 7518 - /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_del */ 7519 - hci_dev_lock(hcon->hdev); 7520 + /* Lock hdev for hci_conn, and race on l2cap_data vs. l2cap_conn_del */ 7521 + hci_dev_lock(hdev); 7522 + 7523 + hcon = hci_conn_hash_lookup_handle(hdev, handle); 7524 + if (!hcon) { 7525 + hci_dev_unlock(hdev); 7526 + kfree_skb(skb); 7527 + return -ENOENT; 7528 + } 7529 + 7530 + hci_conn_enter_active_mode(hcon, BT_POWER_FORCE_ACTIVE_OFF); 7520 7531 7521 7532 conn = hcon->l2cap_data; 7522 7533 ··· 7535 7524 conn = l2cap_conn_add(hcon); 7536 7525 7537 7526 conn = l2cap_conn_hold_unless_zero(conn); 7527 + hcon = NULL; 7538 7528 7539 - hci_dev_unlock(hcon->hdev); 7529 + hci_dev_unlock(hdev); 7540 7530 7541 7531 if (!conn) { 7542 7532 kfree_skb(skb); 7543 - return; 7533 + return -EINVAL; 7544 7534 } 7545 7535 7546 7536 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags); ··· 7655 7643 unlock: 7656 7644 mutex_unlock(&conn->lock); 7657 7645 l2cap_conn_put(conn); 7646 + return 0; 7658 7647 } 7659 7648 7660 7649 static struct hci_cb l2cap_cb = {

+26 -9

net/bluetooth/sco.c

··· 1458 1458 sco_conn_del(hcon, bt_to_errno(reason)); 1459 1459 } 1460 1460 1461 - void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb) 1461 + int sco_recv_scodata(struct hci_dev *hdev, u16 handle, struct sk_buff *skb) 1462 1462 { 1463 - struct sco_conn *conn = hcon->sco_data; 1463 + struct hci_conn *hcon; 1464 + struct sco_conn *conn; 1464 1465 1465 - if (!conn) 1466 - goto drop; 1466 + hci_dev_lock(hdev); 1467 + 1468 + hcon = hci_conn_hash_lookup_handle(hdev, handle); 1469 + if (!hcon) { 1470 + hci_dev_unlock(hdev); 1471 + kfree_skb(skb); 1472 + return -ENOENT; 1473 + } 1474 + 1475 + conn = sco_conn_hold_unless_zero(hcon->sco_data); 1476 + hcon = NULL; 1477 + 1478 + hci_dev_unlock(hdev); 1479 + 1480 + if (!conn) { 1481 + kfree_skb(skb); 1482 + return -EINVAL; 1483 + } 1467 1484 1468 1485 BT_DBG("conn %p len %u", conn, skb->len); 1469 1486 1470 - if (skb->len) { 1487 + if (skb->len) 1471 1488 sco_recv_frame(conn, skb); 1472 - return; 1473 - } 1489 + else 1490 + kfree_skb(skb); 1474 1491 1475 - drop: 1476 - kfree_skb(skb); 1492 + sco_conn_put(conn); 1493 + return 0; 1477 1494 } 1478 1495 1479 1496 static struct hci_cb sco_cb = {

+7 -24

net/bluetooth/smp.c

··· 2136 2136 struct smp_chan *smp = chan->data; 2137 2137 struct hci_conn *hcon = conn->hcon; 2138 2138 u8 *pkax, *pkbx, *na, *nb, confirm_hint; 2139 - u32 passkey; 2139 + u32 passkey = 0; 2140 2140 int err; 2141 2141 2142 2142 bt_dev_dbg(hcon->hdev, "conn %p", conn); ··· 2188 2188 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2189 2189 smp->prnd); 2190 2190 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2191 - 2192 - /* Only Just-Works pairing requires extra checks */ 2193 - if (smp->method != JUST_WORKS) 2194 - goto mackey_and_ltk; 2195 - 2196 - /* If there already exists long term key in local host, leave 2197 - * the decision to user space since the remote device could 2198 - * be legitimate or malicious. 2199 - */ 2200 - if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 2201 - hcon->role)) { 2202 - /* Set passkey to 0. The value can be any number since 2203 - * it'll be ignored anyway. 2204 - */ 2205 - passkey = 0; 2206 - confirm_hint = 1; 2207 - goto confirm; 2208 - } 2209 2191 } 2210 2192 2211 2193 mackey_and_ltk: ··· 2208 2226 if (err) 2209 2227 return SMP_UNSPECIFIED; 2210 2228 2211 - confirm_hint = 0; 2212 - 2213 - confirm: 2214 - if (smp->method == JUST_WORKS) 2215 - confirm_hint = 1; 2229 + /* Always require user confirmation for Just-Works pairing to prevent 2230 + * impersonation attacks, or in case of a legitimate device that is 2231 + * repairing use the confirmation as acknowledgment to proceed with the 2232 + * creation of new keys. 2233 + */ 2234 + confirm_hint = smp->method == JUST_WORKS ? 1 : 0; 2216 2235 2217 2236 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2218 2237 hcon->dst_type, passkey, confirm_hint);