tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'for-net-2024-12-12' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

- SCO: Fix transparent voice setting
- ISO: Locking fixes
- hci_core: Fix sleeping function called from invalid context
- hci_event: Fix using rcu_read_(un)lock while iterating
- btmtk: avoid UAF in btmtk_process_coredump

* tag 'for-net-2024-12-12' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
Bluetooth: btmtk: avoid UAF in btmtk_process_coredump
Bluetooth: iso: Fix circular lock in iso_conn_big_sync
Bluetooth: iso: Fix circular lock in iso_listen_bis
Bluetooth: SCO: Add support for 16 bits transparent voice setting
Bluetooth: iso: Fix recursive locking warning
Bluetooth: iso: Always release hdev at the end of iso_listen_bis
Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating
Bluetooth: hci_core: Fix sleeping function called from invalid context
Bluetooth: Improve setsockopt() handling of malformed user input
====================

Link: https://patch.msgid.link/20241212142806.2046274-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski ad913dfd 36ff681d

+216 -155
+12 -8
drivers/bluetooth/btmtk.c
··· 395 395 { 396 396 struct btmtk_data *data = hci_get_priv(hdev); 397 397 int err; 398 + bool complete = false; 398 399 399 400 if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) { 400 401 kfree_skb(skb); ··· 417 416 fallthrough; 418 417 case HCI_DEVCOREDUMP_ACTIVE: 419 418 default: 419 + /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */ 420 + if (data->cd_info.cnt >= MTK_COREDUMP_NUM && 421 + skb->len > MTK_COREDUMP_END_LEN) 422 + if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN], 423 + MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) 424 + complete = true; 425 + 420 426 err = hci_devcd_append(hdev, skb); 421 427 if (err < 0) 422 428 break; 423 429 data->cd_info.cnt++; 424 430 425 - /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */ 426 - if (data->cd_info.cnt > MTK_COREDUMP_NUM && 427 - skb->len > MTK_COREDUMP_END_LEN) 428 - if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN], 429 - MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) { 430 - bt_dev_info(hdev, "Mediatek coredump end"); 431 - hci_devcd_complete(hdev); 432 - } 431 + if (complete) { 432 + bt_dev_info(hdev, "Mediatek coredump end"); 433 + hci_devcd_complete(hdev); 434 + } 433 435 434 436 break; 435 437 }
+1 -9
include/net/bluetooth/bluetooth.h
··· 123 123 124 124 #define BT_VOICE_TRANSPARENT 0x0003 125 125 #define BT_VOICE_CVSD_16BIT 0x0060 126 + #define BT_VOICE_TRANSPARENT_16BIT 0x0063 126 127 127 128 #define BT_SNDMTU 12 128 129 #define BT_RCVMTU 13 ··· 589 588 } 590 589 591 590 return skb; 592 - } 593 - 594 - static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, 595 - sockptr_t src, size_t src_size) 596 - { 597 - if (dst_size > src_size) 598 - return -EINVAL; 599 - 600 - return copy_from_sockptr(dst, src, dst_size); 601 591 } 602 592 603 593 int bt_to_errno(u16 code);
+70 -38
include/net/bluetooth/hci_core.h
··· 804 804 extern struct list_head hci_dev_list; 805 805 extern struct list_head hci_cb_list; 806 806 extern rwlock_t hci_dev_list_lock; 807 - extern struct mutex hci_cb_list_lock; 808 807 809 808 #define hci_dev_set_flag(hdev, nr) set_bit((nr), (hdev)->dev_flags) 810 809 #define hci_dev_clear_flag(hdev, nr) clear_bit((nr), (hdev)->dev_flags) ··· 2016 2017 2017 2018 char *name; 2018 2019 2020 + bool (*match) (struct hci_conn *conn); 2019 2021 void (*connect_cfm) (struct hci_conn *conn, __u8 status); 2020 2022 void (*disconn_cfm) (struct hci_conn *conn, __u8 status); 2021 2023 void (*security_cfm) (struct hci_conn *conn, __u8 status, 2022 - __u8 encrypt); 2024 + __u8 encrypt); 2023 2025 void (*key_change_cfm) (struct hci_conn *conn, __u8 status); 2024 2026 void (*role_switch_cfm) (struct hci_conn *conn, __u8 status, __u8 role); 2025 2027 }; 2026 2028 2029 + static inline void hci_cb_lookup(struct hci_conn *conn, struct list_head *list) 2030 + { 2031 + struct hci_cb *cb, *cpy; 2032 + 2033 + rcu_read_lock(); 2034 + list_for_each_entry_rcu(cb, &hci_cb_list, list) { 2035 + if (cb->match && cb->match(conn)) { 2036 + cpy = kmalloc(sizeof(*cpy), GFP_ATOMIC); 2037 + if (!cpy) 2038 + break; 2039 + 2040 + *cpy = *cb; 2041 + INIT_LIST_HEAD(&cpy->list); 2042 + list_add_rcu(&cpy->list, list); 2043 + } 2044 + } 2045 + rcu_read_unlock(); 2046 + } 2047 + 2027 2048 static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status) 2028 2049 { 2029 - struct hci_cb *cb; 2050 + struct list_head list; 2051 + struct hci_cb *cb, *tmp; 2030 2052 2031 - mutex_lock(&hci_cb_list_lock); 2032 - list_for_each_entry(cb, &hci_cb_list, list) { 2053 + INIT_LIST_HEAD(&list); 2054 + hci_cb_lookup(conn, &list); 2055 + 2056 + list_for_each_entry_safe(cb, tmp, &list, list) { 2033 2057 if (cb->connect_cfm) 2034 2058 cb->connect_cfm(conn, status); 2059 + kfree(cb); 2035 2060 } 2036 - mutex_unlock(&hci_cb_list_lock); 2037 2061 2038 2062 if (conn->connect_cfm_cb) 2039 2063 conn->connect_cfm_cb(conn, status); ··· 2064 2042 2065 2043 static inline void hci_disconn_cfm(struct hci_conn *conn, __u8 reason) 2066 2044 { 2067 - struct hci_cb *cb; 2045 + struct list_head list; 2046 + struct hci_cb *cb, *tmp; 2068 2047 2069 - mutex_lock(&hci_cb_list_lock); 2070 - list_for_each_entry(cb, &hci_cb_list, list) { 2048 + INIT_LIST_HEAD(&list); 2049 + hci_cb_lookup(conn, &list); 2050 + 2051 + list_for_each_entry_safe(cb, tmp, &list, list) { 2071 2052 if (cb->disconn_cfm) 2072 2053 cb->disconn_cfm(conn, reason); 2054 + kfree(cb); 2073 2055 } 2074 - mutex_unlock(&hci_cb_list_lock); 2075 2056 2076 2057 if (conn->disconn_cfm_cb) 2077 2058 conn->disconn_cfm_cb(conn, reason); 2078 2059 } 2079 2060 2061 + static inline void hci_security_cfm(struct hci_conn *conn, __u8 status, 2062 + __u8 encrypt) 2063 + { 2064 + struct list_head list; 2065 + struct hci_cb *cb, *tmp; 2066 + 2067 + INIT_LIST_HEAD(&list); 2068 + hci_cb_lookup(conn, &list); 2069 + 2070 + list_for_each_entry_safe(cb, tmp, &list, list) { 2071 + if (cb->security_cfm) 2072 + cb->security_cfm(conn, status, encrypt); 2073 + kfree(cb); 2074 + } 2075 + 2076 + if (conn->security_cfm_cb) 2077 + conn->security_cfm_cb(conn, status); 2078 + } 2079 + 2080 2080 static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status) 2081 2081 { 2082 - struct hci_cb *cb; 2083 2082 __u8 encrypt; 2084 2083 2085 2084 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) ··· 2108 2065 2109 2066 encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00; 2110 2067 2111 - mutex_lock(&hci_cb_list_lock); 2112 - list_for_each_entry(cb, &hci_cb_list, list) { 2113 - if (cb->security_cfm) 2114 - cb->security_cfm(conn, status, encrypt); 2115 - } 2116 - mutex_unlock(&hci_cb_list_lock); 2117 - 2118 - if (conn->security_cfm_cb) 2119 - conn->security_cfm_cb(conn, status); 2068 + hci_security_cfm(conn, status, encrypt); 2120 2069 } 2121 2070 2122 2071 static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status) 2123 2072 { 2124 - struct hci_cb *cb; 2125 2073 __u8 encrypt; 2126 2074 2127 2075 if (conn->state == BT_CONFIG) { ··· 2139 2105 conn->sec_level = conn->pending_sec_level; 2140 2106 } 2141 2107 2142 - mutex_lock(&hci_cb_list_lock); 2143 - list_for_each_entry(cb, &hci_cb_list, list) { 2144 - if (cb->security_cfm) 2145 - cb->security_cfm(conn, status, encrypt); 2146 - } 2147 - mutex_unlock(&hci_cb_list_lock); 2148 - 2149 - if (conn->security_cfm_cb) 2150 - conn->security_cfm_cb(conn, status); 2108 + hci_security_cfm(conn, status, encrypt); 2151 2109 } 2152 2110 2153 2111 static inline void hci_key_change_cfm(struct hci_conn *conn, __u8 status) 2154 2112 { 2155 - struct hci_cb *cb; 2113 + struct list_head list; 2114 + struct hci_cb *cb, *tmp; 2156 2115 2157 - mutex_lock(&hci_cb_list_lock); 2158 - list_for_each_entry(cb, &hci_cb_list, list) { 2116 + INIT_LIST_HEAD(&list); 2117 + hci_cb_lookup(conn, &list); 2118 + 2119 + list_for_each_entry_safe(cb, tmp, &list, list) { 2159 2120 if (cb->key_change_cfm) 2160 2121 cb->key_change_cfm(conn, status); 2122 + kfree(cb); 2161 2123 } 2162 - mutex_unlock(&hci_cb_list_lock); 2163 2124 } 2164 2125 2165 2126 static inline void hci_role_switch_cfm(struct hci_conn *conn, __u8 status, 2166 2127 __u8 role) 2167 2128 { 2168 - struct hci_cb *cb; 2129 + struct list_head list; 2130 + struct hci_cb *cb, *tmp; 2169 2131 2170 - mutex_lock(&hci_cb_list_lock); 2171 - list_for_each_entry(cb, &hci_cb_list, list) { 2132 + INIT_LIST_HEAD(&list); 2133 + hci_cb_lookup(conn, &list); 2134 + 2135 + list_for_each_entry_safe(cb, tmp, &list, list) { 2172 2136 if (cb->role_switch_cfm) 2173 2137 cb->role_switch_cfm(conn, status, role); 2138 + kfree(cb); 2174 2139 } 2175 - mutex_unlock(&hci_cb_list_lock); 2176 2140 } 2177 2141 2178 2142 static inline bool hci_bdaddr_is_rpa(bdaddr_t *bdaddr, u8 addr_type)
+3 -7
net/bluetooth/hci_core.c
··· 57 57 58 58 /* HCI callback list */ 59 59 LIST_HEAD(hci_cb_list); 60 - DEFINE_MUTEX(hci_cb_list_lock); 61 60 62 61 /* HCI ID Numbering */ 63 62 static DEFINE_IDA(hci_index_ida); ··· 2992 2993 { 2993 2994 BT_DBG("%p name %s", cb, cb->name); 2994 2995 2995 - mutex_lock(&hci_cb_list_lock); 2996 - list_add_tail(&cb->list, &hci_cb_list); 2997 - mutex_unlock(&hci_cb_list_lock); 2996 + list_add_tail_rcu(&cb->list, &hci_cb_list); 2998 2997 2999 2998 return 0; 3000 2999 } ··· 3002 3005 { 3003 3006 BT_DBG("%p name %s", cb, cb->name); 3004 3007 3005 - mutex_lock(&hci_cb_list_lock); 3006 - list_del(&cb->list); 3007 - mutex_unlock(&hci_cb_list_lock); 3008 + list_del_rcu(&cb->list); 3009 + synchronize_rcu(); 3008 3010 3009 3011 return 0; 3010 3012 }
+11 -22
net/bluetooth/hci_event.c
··· 6870 6870 return; 6871 6871 6872 6872 hci_dev_lock(hdev); 6873 - rcu_read_lock(); 6874 6873 6875 6874 /* Connect all BISes that are bound to the BIG */ 6876 - list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 6877 - if (bacmp(&conn->dst, BDADDR_ANY) || 6878 - conn->type != ISO_LINK || 6879 - conn->iso_qos.bcast.big != ev->handle) 6875 + while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle, 6876 + BT_BOUND))) { 6877 + if (ev->status) { 6878 + hci_connect_cfm(conn, ev->status); 6879 + hci_conn_del(conn); 6880 6880 continue; 6881 + } 6881 6882 6882 6883 if (hci_conn_set_handle(conn, 6883 6884 __le16_to_cpu(ev->bis_handle[i++]))) 6884 6885 continue; 6885 6886 6886 - if (!ev->status) { 6887 - conn->state = BT_CONNECTED; 6888 - set_bit(HCI_CONN_BIG_CREATED, &conn->flags); 6889 - rcu_read_unlock(); 6890 - hci_debugfs_create_conn(conn); 6891 - hci_conn_add_sysfs(conn); 6892 - hci_iso_setup_path(conn); 6893 - rcu_read_lock(); 6894 - continue; 6895 - } 6896 - 6897 - hci_connect_cfm(conn, ev->status); 6898 - rcu_read_unlock(); 6899 - hci_conn_del(conn); 6900 - rcu_read_lock(); 6887 + conn->state = BT_CONNECTED; 6888 + set_bit(HCI_CONN_BIG_CREATED, &conn->flags); 6889 + hci_debugfs_create_conn(conn); 6890 + hci_conn_add_sysfs(conn); 6891 + hci_iso_setup_path(conn); 6901 6892 } 6902 - 6903 - rcu_read_unlock(); 6904 6893 6905 6894 if (!ev->status && !i) 6906 6895 /* If no BISes have been connected for the BIG,
+7 -7
net/bluetooth/hci_sock.c
··· 1926 1926 } 1927 1927 1928 1928 static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, 1929 - sockptr_t optval, unsigned int len) 1929 + sockptr_t optval, unsigned int optlen) 1930 1930 { 1931 1931 struct hci_ufilter uf = { .opcode = 0 }; 1932 1932 struct sock *sk = sock->sk; ··· 1943 1943 1944 1944 switch (optname) { 1945 1945 case HCI_DATA_DIR: 1946 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); 1946 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1947 1947 if (err) 1948 1948 break; 1949 1949 ··· 1954 1954 break; 1955 1955 1956 1956 case HCI_TIME_STAMP: 1957 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); 1957 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1958 1958 if (err) 1959 1959 break; 1960 1960 ··· 1974 1974 uf.event_mask[1] = *((u32 *) f->event_mask + 1); 1975 1975 } 1976 1976 1977 - err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len); 1977 + err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen); 1978 1978 if (err) 1979 1979 break; 1980 1980 ··· 2005 2005 } 2006 2006 2007 2007 static int hci_sock_setsockopt(struct socket *sock, int level, int optname, 2008 - sockptr_t optval, unsigned int len) 2008 + sockptr_t optval, unsigned int optlen) 2009 2009 { 2010 2010 struct sock *sk = sock->sk; 2011 2011 int err = 0; ··· 2015 2015 2016 2016 if (level == SOL_HCI) 2017 2017 return hci_sock_setsockopt_old(sock, level, optname, optval, 2018 - len); 2018 + optlen); 2019 2019 2020 2020 if (level != SOL_BLUETOOTH) 2021 2021 return -ENOPROTOOPT; ··· 2035 2035 goto done; 2036 2036 } 2037 2037 2038 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); 2038 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 2039 2039 if (err) 2040 2040 break; 2041 2041
+58 -19
net/bluetooth/iso.c
··· 1129 1129 return -EHOSTUNREACH; 1130 1130 1131 1131 hci_dev_lock(hdev); 1132 + lock_sock(sk); 1132 1133 1133 1134 /* Fail if user set invalid QoS */ 1134 1135 if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { ··· 1159 1158 goto unlock; 1160 1159 } 1161 1160 1162 - hci_dev_put(hdev); 1163 - 1164 1161 unlock: 1162 + release_sock(sk); 1165 1163 hci_dev_unlock(hdev); 1164 + hci_dev_put(hdev); 1166 1165 return err; 1167 1166 } 1168 1167 ··· 1189 1188 1190 1189 BT_DBG("sk %p backlog %d", sk, backlog); 1191 1190 1191 + sock_hold(sk); 1192 1192 lock_sock(sk); 1193 1193 1194 1194 if (sk->sk_state != BT_BOUND) { ··· 1202 1200 goto done; 1203 1201 } 1204 1202 1205 - if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) 1203 + if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { 1206 1204 err = iso_listen_cis(sk); 1207 - else 1205 + } else { 1206 + /* Drop sock lock to avoid potential 1207 + * deadlock with the hdev lock. 1208 + */ 1209 + release_sock(sk); 1208 1210 err = iso_listen_bis(sk); 1211 + lock_sock(sk); 1212 + } 1209 1213 1210 1214 if (err) 1211 1215 goto done; ··· 1223 1215 1224 1216 done: 1225 1217 release_sock(sk); 1218 + sock_put(sk); 1226 1219 return err; 1227 1220 } 1228 1221 ··· 1235 1226 long timeo; 1236 1227 int err = 0; 1237 1228 1238 - lock_sock(sk); 1229 + /* Use explicit nested locking to avoid lockdep warnings generated 1230 + * because the parent socket and the child socket are locked on the 1231 + * same thread. 1232 + */ 1233 + lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1239 1234 1240 1235 timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK); 1241 1236 ··· 1270 1257 release_sock(sk); 1271 1258 1272 1259 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 1273 - lock_sock(sk); 1260 + lock_sock_nested(sk, SINGLE_DEPTH_NESTING); 1274 1261 } 1275 1262 remove_wait_queue(sk_sleep(sk), &wait); 1276 1263 ··· 1411 1398 * change. 1412 1399 */ 1413 1400 hci_dev_lock(hdev); 1401 + lock_sock(sk); 1414 1402 1415 1403 if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { 1416 1404 err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon, ··· 1424 1410 err); 1425 1411 } 1426 1412 1413 + release_sock(sk); 1427 1414 hci_dev_unlock(hdev); 1428 1415 } 1429 1416 ··· 1433 1418 { 1434 1419 struct sock *sk = sock->sk; 1435 1420 struct iso_pinfo *pi = iso_pi(sk); 1421 + bool early_ret = false; 1422 + int err = 0; 1436 1423 1437 1424 BT_DBG("sk %p", sk); 1438 1425 1439 1426 if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 1427 + sock_hold(sk); 1440 1428 lock_sock(sk); 1429 + 1441 1430 switch (sk->sk_state) { 1442 1431 case BT_CONNECT2: 1443 1432 if (test_bit(BT_SK_PA_SYNC, &pi->flags)) { 1433 + release_sock(sk); 1444 1434 iso_conn_big_sync(sk); 1435 + lock_sock(sk); 1436 + 1445 1437 sk->sk_state = BT_LISTEN; 1446 1438 } else { 1447 1439 iso_conn_defer_accept(pi->conn->hcon); 1448 1440 sk->sk_state = BT_CONFIG; 1449 1441 } 1450 - release_sock(sk); 1451 - return 0; 1442 + 1443 + early_ret = true; 1444 + break; 1452 1445 case BT_CONNECTED: 1453 1446 if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { 1454 - iso_conn_big_sync(sk); 1455 - sk->sk_state = BT_LISTEN; 1456 1447 release_sock(sk); 1457 - return 0; 1448 + iso_conn_big_sync(sk); 1449 + lock_sock(sk); 1450 + 1451 + sk->sk_state = BT_LISTEN; 1452 + early_ret = true; 1458 1453 } 1459 1454 1460 - release_sock(sk); 1461 1455 break; 1462 1456 case BT_CONNECT: 1463 1457 release_sock(sk); 1464 - return iso_connect_cis(sk); 1458 + err = iso_connect_cis(sk); 1459 + lock_sock(sk); 1460 + 1461 + early_ret = true; 1462 + break; 1465 1463 default: 1466 - release_sock(sk); 1467 1464 break; 1468 1465 } 1466 + 1467 + release_sock(sk); 1468 + sock_put(sk); 1469 + 1470 + if (early_ret) 1471 + return err; 1469 1472 } 1470 1473 1471 1474 return bt_sock_recvmsg(sock, msg, len, flags); ··· 1599 1566 break; 1600 1567 } 1601 1568 1602 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 1569 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1603 1570 if (err) 1604 1571 break; 1605 1572 ··· 1610 1577 break; 1611 1578 1612 1579 case BT_PKT_STATUS: 1613 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 1580 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1614 1581 if (err) 1615 1582 break; 1616 1583 ··· 1629 1596 break; 1630 1597 } 1631 1598 1632 - err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen); 1599 + err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen); 1633 1600 if (err) 1634 1601 break; 1635 1602 ··· 1650 1617 break; 1651 1618 } 1652 1619 1653 - err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, 1654 - optlen); 1620 + err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval, 1621 + optlen); 1655 1622 if (err) 1656 1623 break; 1657 1624 ··· 2151 2118 return HCI_LM_ACCEPT; 2152 2119 } 2153 2120 2121 + static bool iso_match(struct hci_conn *hcon) 2122 + { 2123 + return hcon->type == ISO_LINK || hcon->type == LE_LINK; 2124 + } 2125 + 2154 2126 static void iso_connect_cfm(struct hci_conn *hcon, __u8 status) 2155 2127 { 2156 2128 if (hcon->type != ISO_LINK) { ··· 2337 2299 2338 2300 static struct hci_cb iso_cb = { 2339 2301 .name = "ISO", 2302 + .match = iso_match, 2340 2303 .connect_cfm = iso_connect_cfm, 2341 2304 .disconn_cfm = iso_disconn_cfm, 2342 2305 };
+6 -6
net/bluetooth/l2cap_core.c
··· 7217 7217 return NULL; 7218 7218 } 7219 7219 7220 + static bool l2cap_match(struct hci_conn *hcon) 7221 + { 7222 + return hcon->type == ACL_LINK || hcon->type == LE_LINK; 7223 + } 7224 + 7220 7225 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 7221 7226 { 7222 7227 struct hci_dev *hdev = hcon->hdev; 7223 7228 struct l2cap_conn *conn; 7224 7229 struct l2cap_chan *pchan; 7225 7230 u8 dst_type; 7226 - 7227 - if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7228 - return; 7229 7231 7230 7232 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 7231 7233 ··· 7293 7291 7294 7292 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 7295 7293 { 7296 - if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7297 - return; 7298 - 7299 7294 BT_DBG("hcon %p reason %d", hcon, reason); 7300 7295 7301 7296 l2cap_conn_del(hcon, bt_to_errno(reason)); ··· 7571 7572 7572 7573 static struct hci_cb l2cap_cb = { 7573 7574 .name = "L2CAP", 7575 + .match = l2cap_match, 7574 7576 .connect_cfm = l2cap_connect_cfm, 7575 7577 .disconn_cfm = l2cap_disconn_cfm, 7576 7578 .security_cfm = l2cap_security_cfm,
+11 -9
net/bluetooth/l2cap_sock.c
··· 755 755 opts.max_tx = chan->max_tx; 756 756 opts.txwin_size = chan->tx_win; 757 757 758 - err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); 758 + err = copy_safe_from_sockptr(&opts, sizeof(opts), optval, 759 + optlen); 759 760 if (err) 760 761 break; 761 762 ··· 801 800 break; 802 801 803 802 case L2CAP_LM: 804 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 803 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 805 804 if (err) 806 805 break; 807 806 ··· 910 909 911 910 sec.level = BT_SECURITY_LOW; 912 911 913 - err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); 912 + err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen); 914 913 if (err) 915 914 break; 916 915 ··· 957 956 break; 958 957 } 959 958 960 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 959 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 961 960 if (err) 962 961 break; 963 962 ··· 971 970 break; 972 971 973 972 case BT_FLUSHABLE: 974 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 973 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 975 974 if (err) 976 975 break; 977 976 ··· 1005 1004 1006 1005 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1007 1006 1008 - err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); 1007 + err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen); 1009 1008 if (err) 1010 1009 break; 1011 1010 ··· 1016 1015 break; 1017 1016 1018 1017 case BT_CHANNEL_POLICY: 1019 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 1018 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 1020 1019 if (err) 1021 1020 break; 1022 1021 ··· 1047 1046 break; 1048 1047 } 1049 1048 1050 - err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); 1049 + err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen); 1051 1050 if (err) 1052 1051 break; 1053 1052 ··· 1077 1076 break; 1078 1077 } 1079 1078 1080 - err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); 1079 + err = copy_safe_from_sockptr(&mode, sizeof(mode), optval, 1080 + optlen); 1081 1081 if (err) 1082 1082 break; 1083 1083
+6
net/bluetooth/rfcomm/core.c
··· 2134 2134 return 0; 2135 2135 } 2136 2136 2137 + static bool rfcomm_match(struct hci_conn *hcon) 2138 + { 2139 + return hcon->type == ACL_LINK; 2140 + } 2141 + 2137 2142 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2138 2143 { 2139 2144 struct rfcomm_session *s; ··· 2185 2180 2186 2181 static struct hci_cb rfcomm_cb = { 2187 2182 .name = "RFCOMM", 2183 + .match = rfcomm_match, 2188 2184 .security_cfm = rfcomm_security_cfm 2189 2185 }; 2190 2186
+4 -5
net/bluetooth/rfcomm/sock.c
··· 629 629 630 630 switch (optname) { 631 631 case RFCOMM_LM: 632 - if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { 633 - err = -EFAULT; 632 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 633 + if (err) 634 634 break; 635 - } 636 635 637 636 if (opt & RFCOMM_LM_FIPS) { 638 637 err = -EINVAL; ··· 684 685 685 686 sec.level = BT_SECURITY_LOW; 686 687 687 - err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); 688 + err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen); 688 689 if (err) 689 690 break; 690 691 ··· 702 703 break; 703 704 } 704 705 705 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 706 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 706 707 if (err) 707 708 break; 708 709
+27 -25
net/bluetooth/sco.c
··· 319 319 else 320 320 type = SCO_LINK; 321 321 322 - if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT && 323 - (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) { 324 - err = -EOPNOTSUPP; 325 - goto unlock; 322 + switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) { 323 + case SCO_AIRMODE_TRANSP: 324 + if (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)) { 325 + err = -EOPNOTSUPP; 326 + goto unlock; 327 + } 328 + break; 326 329 } 327 330 328 331 hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst, ··· 899 896 break; 900 897 } 901 898 902 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 899 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 903 900 if (err) 904 901 break; 905 902 ··· 918 915 919 916 voice.setting = sco_pi(sk)->setting; 920 917 921 - err = bt_copy_from_sockptr(&voice, sizeof(voice), optval, 922 - optlen); 918 + err = copy_safe_from_sockptr(&voice, sizeof(voice), optval, 919 + optlen); 923 920 if (err) 924 921 break; 925 - 926 - /* Explicitly check for these values */ 927 - if (voice.setting != BT_VOICE_TRANSPARENT && 928 - voice.setting != BT_VOICE_CVSD_16BIT) { 929 - err = -EINVAL; 930 - break; 931 - } 932 922 933 923 sco_pi(sk)->setting = voice.setting; 934 924 hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, ··· 930 934 err = -EBADFD; 931 935 break; 932 936 } 933 - if (enhanced_sync_conn_capable(hdev) && 934 - voice.setting == BT_VOICE_TRANSPARENT) 935 - sco_pi(sk)->codec.id = BT_CODEC_TRANSPARENT; 937 + 938 + switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) { 939 + case SCO_AIRMODE_TRANSP: 940 + if (enhanced_sync_conn_capable(hdev)) 941 + sco_pi(sk)->codec.id = BT_CODEC_TRANSPARENT; 942 + break; 943 + } 944 + 936 945 hci_dev_put(hdev); 937 946 break; 938 947 939 948 case BT_PKT_STATUS: 940 - err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); 949 + err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); 941 950 if (err) 942 951 break; 943 952 ··· 985 984 break; 986 985 } 987 986 988 - err = bt_copy_from_sockptr(buffer, optlen, optval, optlen); 987 + err = copy_struct_from_sockptr(buffer, sizeof(buffer), optval, 988 + optlen); 989 989 if (err) { 990 990 hci_dev_put(hdev); 991 991 break; ··· 1398 1396 return lm; 1399 1397 } 1400 1398 1399 + static bool sco_match(struct hci_conn *hcon) 1400 + { 1401 + return hcon->type == SCO_LINK || hcon->type == ESCO_LINK; 1402 + } 1403 + 1401 1404 static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) 1402 1405 { 1403 - if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) 1404 - return; 1405 - 1406 1406 BT_DBG("hcon %p bdaddr %pMR status %u", hcon, &hcon->dst, status); 1407 1407 1408 1408 if (!status) { ··· 1419 1415 1420 1416 static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason) 1421 1417 { 1422 - if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) 1423 - return; 1424 - 1425 1418 BT_DBG("hcon %p reason %d", hcon, reason); 1426 1419 1427 1420 sco_conn_del(hcon, bt_to_errno(reason)); ··· 1444 1443 1445 1444 static struct hci_cb sco_cb = { 1446 1445 .name = "SCO", 1446 + .match = sco_match, 1447 1447 .connect_cfm = sco_connect_cfm, 1448 1448 .disconn_cfm = sco_disconn_cfm, 1449 1449 };