Bluetooth: vhci: validate devcoredump state before side effects

The VHCI force_devcoredump debugfs hook accepts a small test record from
userspace. It validates the requested terminal state only after
registering, initializing and appending a Bluetooth devcoredump.

As a result, an invalid state returns -EINVAL but still leaves queued
devcoredump work behind. With a non-zero timeout field, the rejected
write can still emit a devcoredump after the timeout expires.

Reject unsupported states before allocating the skb or changing the HCI
devcoredump state machine.

Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support")
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2762eacf7f20ed93310ae38009082d9fc056e574..eddb32b30539ffe0bfcbc7d315cb9e3a847165e3 100644 (file)
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -337,7 +337,17 @@ static ssize_t force_devcd_write(struct file *file, const char __user *user_buf,
        if (copy_from_user(&dump_data, user_buf, count))
                return -EFAULT;
 
+       switch (dump_data.state) {
+       case HCI_DEVCOREDUMP_DONE:
+       case HCI_DEVCOREDUMP_ABORT:
+       case HCI_DEVCOREDUMP_TIMEOUT:
+               break;
+       default:
+               return -EINVAL;
+       }
+
        data_size = count - offsetof(struct devcoredump_test_data, data);
+
        skb = alloc_skb(data_size, GFP_ATOMIC);
        if (!skb)
                return -ENOMEM;