<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/drivers/bluetooth, branch v6.15</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v6.15</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v6.15'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2025-05-15T17:12:54Z</updated>
<entry>
<title>Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling</title>
<updated>2025-05-15T17:12:54Z</updated>
<author>
<name>En-Wei Wu</name>
<email>en-wei.wu@canonical.com</email>
</author>
<published>2025-05-08T14:15:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4bcb0c7dc25446b99fc7a8fa2a143d69f3314162'/>
<id>urn:sha1:4bcb0c7dc25446b99fc7a8fa2a143d69f3314162</id>
<content type='text'>
Use skb_pull() and skb_pull_data() to safely parse QCA dump packets.

This avoids direct pointer math on skb-&gt;data, which could lead to
invalid access if the packet is shorter than expected.

Fixes: 20981ce2d5a5 ("Bluetooth: btusb: Add WCN6855 devcoredump support")
Signed-off-by: En-Wei Wu &lt;en-wei.wu@canonical.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths</title>
<updated>2025-04-25T19:03:19Z</updated>
<author>
<name>Kiran K</name>
<email>kiran.k@intel.com</email>
</author>
<published>2025-04-20T01:51:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1c7664957e4edb234c69de2db4be1f740d2df564'/>
<id>urn:sha1:1c7664957e4edb234c69de2db4be1f740d2df564</id>
<content type='text'>
Due to a hardware issue, there is a possibility that the driver may miss
an MSIx interrupt on the RX/TX data path. Since the TX and RX paths are
independent, when a TX MSIx interrupt occurs, the driver can check the
RX queue for any pending data and process it if present. The same
approach applies to the RX path.

Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
Signed-off-by: Chandrashekar Devegowda &lt;chandrashekar.devegowda@intel.com&gt;
Signed-off-by: Kiran K &lt;kiran.k@intel.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btmtksdio: Do close if SDIO card removed without close</title>
<updated>2025-04-25T19:03:19Z</updated>
<author>
<name>Chris Lu</name>
<email>chris.lu@mediatek.com</email>
</author>
<published>2025-04-22T01:21:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0b6d58bc6ea85e57de25c828444928e4a0aa79cb'/>
<id>urn:sha1:0b6d58bc6ea85e57de25c828444928e4a0aa79cb</id>
<content type='text'>
To prevent Bluetooth SDIO card from being physically removed suddenly,
the driver needs to ensure btmtksdio_close is called before
btmtksdio_remove to disable interrupts and txrx workqueue.

Fixes: 6ac4233afb9a ("Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler removal")
Signed-off-by: Chris Lu &lt;chris.lu@mediatek.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btmtksdio: Check function enabled before doing close</title>
<updated>2025-04-25T19:03:19Z</updated>
<author>
<name>Chris Lu</name>
<email>chris.lu@mediatek.com</email>
</author>
<published>2025-04-22T01:21:55Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=07e90048e356a29079fbc011cfc2e1fa1d1c5ac9'/>
<id>urn:sha1:07e90048e356a29079fbc011cfc2e1fa1d1c5ac9</id>
<content type='text'>
Check BTMTKSDIO_FUNC_ENABLED flag before doing close to prevent
btmtksdio_close being called twice.

Fixes: 6ac4233afb9a ("Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler removal")
Signed-off-by: Chris Lu &lt;chris.lu@mediatek.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()</title>
<updated>2025-04-25T19:03:19Z</updated>
<author>
<name>En-Wei Wu</name>
<email>en-wei.wu@canonical.com</email>
</author>
<published>2025-04-21T13:00:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0317b033abcd1d8dd2798f0e2de5e84543d0bd22'/>
<id>urn:sha1:0317b033abcd1d8dd2798f0e2de5e84543d0bd22</id>
<content type='text'>
A NULL pointer dereference can occur in skb_dequeue() when processing a
QCA firmware crash dump on WCN7851 (0489:e0f3).

[ 93.672166] Bluetooth: hci0: ACL memdump size(589824)

[ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth]
[ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80

The issue stems from handle_dump_pkt_qca() returning 0 even when a dump
packet is successfully processed. This is because it incorrectly
forwards the return value of hci_devcd_init() (which returns 0 on
success). As a result, the caller (btusb_recv_acl_qca() or
btusb_recv_evt_qca()) assumes the packet was not handled and passes it
to hci_recv_frame(), leading to premature kfree() of the skb.

Later, hci_devcd_rx() attempts to dequeue the same skb from the dump
queue, resulting in a NULL pointer dereference.

Fix this by:
1. Making handle_dump_pkt_qca() return 0 on success and negative errno
   on failure, consistent with kernel conventions.
2. Splitting dump packet detection into separate functions for ACL
   and event packets for better structure and readability.

This ensures dump packets are properly identified and consumed, avoiding
double handling and preventing NULL pointer access.

Fixes: 20981ce2d5a5 ("Bluetooth: btusb: Add WCN6855 devcoredump support")
Signed-off-by: En-Wei Wu &lt;en-wei.wu@canonical.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btintel_pcie: Avoid redundant buffer allocation</title>
<updated>2025-04-25T19:03:19Z</updated>
<author>
<name>Kiran K</name>
<email>kiran.k@intel.com</email>
</author>
<published>2025-04-17T03:48:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=d1af1f02ef8653dea4573e444136c8331189cd59'/>
<id>urn:sha1:d1af1f02ef8653dea4573e444136c8331189cd59</id>
<content type='text'>
Reuse the skb buffer provided by the PCIe driver to pass it onto the
stack, instead of copying it to a new skb.

Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
Signed-off-by: Kiran K &lt;kiran.k@intel.com&gt;
Reviewed-by: Paul Menzel &lt;pmenzel@molgen.mpg.de&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: vhci: Avoid needless snprintf() calls</title>
<updated>2025-04-16T20:50:47Z</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2025-04-15T16:15:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=875db86e1ec75fe633f1e85ed2f92c731cdbf760'/>
<id>urn:sha1:875db86e1ec75fe633f1e85ed2f92c731cdbf760</id>
<content type='text'>
Avoid double-copying of string literals. Use a "const char *" for each
string instead of copying from .rodata into stack and then into the skb.
We can go directly from .rodata to the skb.

This also works around a Clang bug (that has since been fixed[1]).

Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Closes: https://lore.kernel.org/oe-kbuild-all/202401250927.1poZERd6-lkp@intel.com/
Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support")
Link: https://github.com/llvm/llvm-project/commit/ea2e66aa8b6e363b89df66dc44275a0d7ecd70ce [1]
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
Reviewed-by: Nathan Chancellor &lt;nathan@kernel.org&gt;
Reviewed-by: Josh Poimboeuf &lt;jpoimboe@kernel.org&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'for-net-2025-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth</title>
<updated>2025-04-11T23:34:04Z</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2025-04-11T23:34:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=9767870e76f418cd19d101553668f1e06b724b35'/>
<id>urn:sha1:9767870e76f418cd19d101553668f1e06b724b35</id>
<content type='text'>
Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - btrtl: Prevent potential NULL dereference
 - qca: fix NV variant for one of WCN3950 SoCs
 - l2cap: Check encryption key size on incoming connection
 - hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address
 - btnxpuart: Revert baudrate change in nxp_shutdown
 - btnxpuart: Add an error message if FW dump trigger fails
 - increment TX timestamping tskey always for stream sockets

* tag 'for-net-2025-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: l2cap: Check encryption key size on incoming connection
  Bluetooth: btnxpuart: Add an error message if FW dump trigger fails
  Bluetooth: btnxpuart: Revert baudrate change in nxp_shutdown
  Bluetooth: increment TX timestamping tskey always for stream sockets
  Bluetooth: qca: fix NV variant for one of WCN3950 SoCs
  Bluetooth: btrtl: Prevent potential NULL dereference
  Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address
====================

Link: https://patch.msgid.link/20250410173542.625232-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btnxpuart: Add an error message if FW dump trigger fails</title>
<updated>2025-04-10T17:09:36Z</updated>
<author>
<name>Neeraj Sanjay Kale</name>
<email>neeraj.sanjaykale@nxp.com</email>
</author>
<published>2025-04-03T15:02:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=103308e50db92d1e705cd9818aaf7fb327c14fad'/>
<id>urn:sha1:103308e50db92d1e705cd9818aaf7fb327c14fad</id>
<content type='text'>
This prints an error message if the FW Dump trigger command fails. This
scenario is mainly observed in legacy chipsets 8987 and 8997 and also
IW416, where this feature is unavailable due to memory constraints.

Fixes: 998e447f443f ("Bluetooth: btnxpuart: Add support for HCI coredump feature")
Signed-off-by: Neeraj Sanjay Kale &lt;neeraj.sanjaykale@nxp.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
<entry>
<title>Bluetooth: btnxpuart: Revert baudrate change in nxp_shutdown</title>
<updated>2025-04-10T17:09:31Z</updated>
<author>
<name>Neeraj Sanjay Kale</name>
<email>neeraj.sanjaykale@nxp.com</email>
</author>
<published>2025-04-03T15:02:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=61a9c6e39c8dfe2fd56dee44f817cf2a1b3f3c71'/>
<id>urn:sha1:61a9c6e39c8dfe2fd56dee44f817cf2a1b3f3c71</id>
<content type='text'>
This reverts the change baudrate logic in nxp_shutdown.

Earlier, when the driver was removed, it restored the controller
baudrate to fw_init_baudrate, so that on re-loading the driver, things
work fine.

However, if the driver was removed while hci0 interface is down, the
change baudrate vendor command could not be sent by the driver. When the
driver was re-loaded, host and controller baudrate would be mismatched
and hci initialization would fail. The only way to recover would be to
reboot the system.

This issue was fixed by moving the restore baudrate logic from
nxp_serdev_remove() to nxp_shutdown().

This fix however caused another issue with the command "hciconfig hci0
reset", which makes hci0 DOWN and UP immediately.

Running "bluetoothctl power off" and "bluetoothctl power on" in a tight
loop works fine.

To maintain support for "hciconfig reset" command, the above mentioned fix
is reverted.

Fixes: 6fca6781d19d ("Bluetooth: btnxpuart: Move vendor specific initialization to .post_init")
Signed-off-by: Neeraj Sanjay Kale &lt;neeraj.sanjaykale@nxp.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
</content>
</entry>
</feed>
