+++ /dev/null
-From 1b8851da51113f6a7f01297823eaf22b4b772063 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 13 Nov 2024 15:43:55 +0100
-Subject: Revert "Bluetooth: af_bluetooth: Fix deadlock"
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-This reverts commit cb8adca52f306563d958a863bb0cbae9c184d1ae which is
-commit f7b94bdc1ec107c92262716b073b3e816d4784fb upstream.
-
-It is reported to cause regressions in the 6.1.y tree, so revert it for
-now.
-
-Link: https://lore.kernel.org/all/CADRbXaDqx6S+7tzdDPPEpRu9eDLrHQkqoWTTGfKJSRxY=hT5MQ@mail.gmail.com/
-Reported-by: Jeremy Lainé <jeremy.laine@m4x.org>
-Cc: Salvatore Bonaccorso <carnil@debian.org>
-Cc: Mike <user.service2016@gmail.com>
-Cc: Marcel Holtmann <marcel@holtmann.org>
-Cc: Johan Hedberg <johan.hedberg@gmail.com>
-Cc: Paul Menzel <pmenzel@molgen.mpg.de>
-Cc: Pauli Virtanen <pav@iki.fi>
-Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bluetooth/af_bluetooth.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- a/net/bluetooth/af_bluetooth.c
-+++ b/net/bluetooth/af_bluetooth.c
-@@ -307,11 +307,14 @@ int bt_sock_recvmsg(struct socket *sock,
- if (flags & MSG_OOB)
- return -EOPNOTSUPP;
-
-+ lock_sock(sk);
-+
- skb = skb_recv_datagram(sk, flags, &err);
- if (!skb) {
- if (sk->sk_shutdown & RCV_SHUTDOWN)
- err = 0;
-
-+ release_sock(sk);
- return err;
- }
-
-@@ -337,6 +340,8 @@ int bt_sock_recvmsg(struct socket *sock,
-
- skb_free_datagram(sk, skb);
-
-+ release_sock(sk);
-+
- if (flags & MSG_TRUNC)
- copied = skblen;
-
-@@ -559,11 +564,10 @@ int bt_sock_ioctl(struct socket *sock, u
- if (sk->sk_state == BT_LISTEN)
- return -EINVAL;
-
-- spin_lock(&sk->sk_receive_queue.lock);
-+ lock_sock(sk);
- skb = skb_peek(&sk->sk_receive_queue);
- amount = skb ? skb->len : 0;
-- spin_unlock(&sk->sk_receive_queue.lock);
--
-+ release_sock(sk);
- err = put_user(amount, (int __user *)arg);
- break;
-
+++ /dev/null
-From bb6015962fa5e0f3b624c605e502fc0b29c325ff Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 13 Nov 2024 15:42:18 +0100
-Subject: Revert "Bluetooth: fix use-after-free in accessing skb after sending it"
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-This reverts commit 715264ad09fd4004e347cdb79fa58a4f2344f13f which is
-commit 947ec0d002dce8577b655793dcc6fc78d67b7cb6 upstream.
-
-It is reported to cause regressions in the 6.1.y tree, so revert it for
-now.
-
-Link: https://lore.kernel.org/all/CADRbXaDqx6S+7tzdDPPEpRu9eDLrHQkqoWTTGfKJSRxY=hT5MQ@mail.gmail.com/
-Reported-by: Jeremy Lainé <jeremy.laine@m4x.org>
-Cc: Salvatore Bonaccorso <carnil@debian.org>
-Cc: Mike <user.service2016@gmail.com>
-Cc: Marcel Holtmann <marcel@holtmann.org>
-Cc: Johan Hedberg <johan.hedberg@gmail.com>
-Cc: Paul Menzel <pmenzel@molgen.mpg.de>
-Cc: Pauli Virtanen <pav@iki.fi>
-Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bluetooth/hci_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/bluetooth/hci_core.c
-+++ b/net/bluetooth/hci_core.c
-@@ -4146,7 +4146,7 @@ static void hci_send_cmd_sync(struct hci
- if (hci_req_status_pend(hdev) &&
- !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
- kfree_skb(hdev->req_skb);
-- hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
-+ hdev->req_skb = skb_clone(skb, GFP_KERNEL);
- }
-
- atomic_dec(&hdev->cmd_cnt);
+++ /dev/null
-From 898205b3df400a1d9e8311778fae9219e526c444 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 13 Nov 2024 15:45:02 +0100
-Subject: Revert "Bluetooth: hci_conn: Consolidate code for aborting connections"
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-This reverts commit 6083089ab00631617f9eac678df3ab050a9d837a which is
-commit a13f316e90fdb1fb6df6582e845aa9b3270f3581 upstream.
-
-It is reported to cause regressions in the 6.1.y tree, so revert it for
-now.
-
-Link: https://lore.kernel.org/all/CADRbXaDqx6S+7tzdDPPEpRu9eDLrHQkqoWTTGfKJSRxY=hT5MQ@mail.gmail.com/
-Reported-by: Jeremy Lainé <jeremy.laine@m4x.org>
-Cc: Salvatore Bonaccorso <carnil@debian.org>
-Cc: Mike <user.service2016@gmail.com>
-Cc: Marcel Holtmann <marcel@holtmann.org>
-Cc: Johan Hedberg <johan.hedberg@gmail.com>
-Cc: Paul Menzel <pmenzel@molgen.mpg.de>
-Cc: Pauli Virtanen <pav@iki.fi>
-Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/bluetooth/hci_core.h | 2
- net/bluetooth/hci_conn.c | 156 +++++++++++++++++++++++++++++++--------
- net/bluetooth/hci_sync.c | 23 ++---
- net/bluetooth/mgmt.c | 15 +++
- 4 files changed, 148 insertions(+), 48 deletions(-)
-
---- a/include/net/bluetooth/hci_core.h
-+++ b/include/net/bluetooth/hci_core.h
-@@ -734,7 +734,6 @@ struct hci_conn {
- unsigned long flags;
-
- enum conn_reasons conn_reason;
-- __u8 abort_reason;
-
- __u32 clock;
- __u16 clock_accuracy;
-@@ -754,6 +753,7 @@ struct hci_conn {
- struct delayed_work auto_accept_work;
- struct delayed_work idle_work;
- struct delayed_work le_conn_timeout;
-+ struct work_struct le_scan_cleanup;
-
- struct device dev;
- struct dentry *debugfs;
---- a/net/bluetooth/hci_conn.c
-+++ b/net/bluetooth/hci_conn.c
-@@ -174,6 +174,57 @@ static void hci_conn_cleanup(struct hci_
- hci_dev_put(hdev);
- }
-
-+static void le_scan_cleanup(struct work_struct *work)
-+{
-+ struct hci_conn *conn = container_of(work, struct hci_conn,
-+ le_scan_cleanup);
-+ struct hci_dev *hdev = conn->hdev;
-+ struct hci_conn *c = NULL;
-+
-+ BT_DBG("%s hcon %p", hdev->name, conn);
-+
-+ hci_dev_lock(hdev);
-+
-+ /* Check that the hci_conn is still around */
-+ rcu_read_lock();
-+ list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
-+ if (c == conn)
-+ break;
-+ }
-+ rcu_read_unlock();
-+
-+ if (c == conn) {
-+ hci_connect_le_scan_cleanup(conn, 0x00);
-+ hci_conn_cleanup(conn);
-+ }
-+
-+ hci_dev_unlock(hdev);
-+ hci_dev_put(hdev);
-+ hci_conn_put(conn);
-+}
-+
-+static void hci_connect_le_scan_remove(struct hci_conn *conn)
-+{
-+ BT_DBG("%s hcon %p", conn->hdev->name, conn);
-+
-+ /* We can't call hci_conn_del/hci_conn_cleanup here since that
-+ * could deadlock with another hci_conn_del() call that's holding
-+ * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
-+ * Instead, grab temporary extra references to the hci_dev and
-+ * hci_conn and perform the necessary cleanup in a separate work
-+ * callback.
-+ */
-+
-+ hci_dev_hold(conn->hdev);
-+ hci_conn_get(conn);
-+
-+ /* Even though we hold a reference to the hdev, many other
-+ * things might get cleaned up meanwhile, including the hdev's
-+ * own workqueue, so we can't use that for scheduling.
-+ */
-+ schedule_work(&conn->le_scan_cleanup);
-+}
-+
- static void hci_acl_create_connection(struct hci_conn *conn)
- {
- struct hci_dev *hdev = conn->hdev;
-@@ -625,6 +676,13 @@ static void hci_conn_timeout(struct work
- if (refcnt > 0)
- return;
-
-+ /* LE connections in scanning state need special handling */
-+ if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
-+ test_bit(HCI_CONN_SCANNING, &conn->flags)) {
-+ hci_connect_le_scan_remove(conn);
-+ return;
-+ }
-+
- hci_abort_conn(conn, hci_proto_disconn_ind(conn));
- }
-
-@@ -996,6 +1054,7 @@ struct hci_conn *hci_conn_add(struct hci
- INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
- INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
- INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
-+ INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
-
- atomic_set(&conn->refcnt, 0);
-
-@@ -2781,46 +2840,81 @@ u32 hci_conn_get_phy(struct hci_conn *co
- return phys;
- }
-
--static int abort_conn_sync(struct hci_dev *hdev, void *data)
-+int hci_abort_conn(struct hci_conn *conn, u8 reason)
- {
-- struct hci_conn *conn;
-- u16 handle = PTR_ERR(data);
-+ int r = 0;
-
-- conn = hci_conn_hash_lookup_handle(hdev, handle);
-- if (!conn)
-+ if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
- return 0;
-
-- return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
--}
--
--int hci_abort_conn(struct hci_conn *conn, u8 reason)
--{
-- struct hci_dev *hdev = conn->hdev;
-+ switch (conn->state) {
-+ case BT_CONNECTED:
-+ case BT_CONFIG:
-+ if (conn->type == AMP_LINK) {
-+ struct hci_cp_disconn_phy_link cp;
-+
-+ cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
-+ cp.reason = reason;
-+ r = hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
-+ sizeof(cp), &cp);
-+ } else {
-+ struct hci_cp_disconnect dc;
-
-- /* If abort_reason has already been set it means the connection is
-- * already being aborted so don't attempt to overwrite it.
-- */
-- if (conn->abort_reason)
-- return 0;
-+ dc.handle = cpu_to_le16(conn->handle);
-+ dc.reason = reason;
-+ r = hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT,
-+ sizeof(dc), &dc);
-+ }
-
-- bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
-+ conn->state = BT_DISCONN;
-
-- conn->abort_reason = reason;
-+ break;
-+ case BT_CONNECT:
-+ if (conn->type == LE_LINK) {
-+ if (test_bit(HCI_CONN_SCANNING, &conn->flags))
-+ break;
-+ r = hci_send_cmd(conn->hdev,
-+ HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
-+ } else if (conn->type == ACL_LINK) {
-+ if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
-+ break;
-+ r = hci_send_cmd(conn->hdev,
-+ HCI_OP_CREATE_CONN_CANCEL,
-+ 6, &conn->dst);
-+ }
-+ break;
-+ case BT_CONNECT2:
-+ if (conn->type == ACL_LINK) {
-+ struct hci_cp_reject_conn_req rej;
-+
-+ bacpy(&rej.bdaddr, &conn->dst);
-+ rej.reason = reason;
-+
-+ r = hci_send_cmd(conn->hdev,
-+ HCI_OP_REJECT_CONN_REQ,
-+ sizeof(rej), &rej);
-+ } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
-+ struct hci_cp_reject_sync_conn_req rej;
-+
-+ bacpy(&rej.bdaddr, &conn->dst);
-+
-+ /* SCO rejection has its own limited set of
-+ * allowed error values (0x0D-0x0F) which isn't
-+ * compatible with most values passed to this
-+ * function. To be safe hard-code one of the
-+ * values that's suitable for SCO.
-+ */
-+ rej.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
-
-- /* If the connection is pending check the command opcode since that
-- * might be blocking on hci_cmd_sync_work while waiting its respective
-- * event so we need to hci_cmd_sync_cancel to cancel it.
-- */
-- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
-- switch (hci_skb_event(hdev->sent_cmd)) {
-- case HCI_EV_LE_CONN_COMPLETE:
-- case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
-- case HCI_EVT_LE_CIS_ESTABLISHED:
-- hci_cmd_sync_cancel(hdev, -ECANCELED);
-- break;
-+ r = hci_send_cmd(conn->hdev,
-+ HCI_OP_REJECT_SYNC_CONN_REQ,
-+ sizeof(rej), &rej);
- }
-+ break;
-+ default:
-+ conn->state = BT_CLOSED;
-+ break;
- }
-
-- return hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
-- NULL);
-+ return r;
- }
---- a/net/bluetooth/hci_sync.c
-+++ b/net/bluetooth/hci_sync.c
-@@ -5293,27 +5293,22 @@ static int hci_disconnect_sync(struct hc
- }
-
- static int hci_le_connect_cancel_sync(struct hci_dev *hdev,
-- struct hci_conn *conn, u8 reason)
-+ struct hci_conn *conn)
- {
-- /* Return reason if scanning since the connection shall probably be
-- * cleanup directly.
-- */
- if (test_bit(HCI_CONN_SCANNING, &conn->flags))
-- return reason;
-+ return 0;
-
-- if (conn->role == HCI_ROLE_SLAVE ||
-- test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
-+ if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
- return 0;
-
- return __hci_cmd_sync_status(hdev, HCI_OP_LE_CREATE_CONN_CANCEL,
- 0, NULL, HCI_CMD_TIMEOUT);
- }
-
--static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
-- u8 reason)
-+static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn)
- {
- if (conn->type == LE_LINK)
-- return hci_le_connect_cancel_sync(hdev, conn, reason);
-+ return hci_le_connect_cancel_sync(hdev, conn);
-
- if (hdev->hci_ver < BLUETOOTH_VER_1_2)
- return 0;
-@@ -5366,11 +5361,9 @@ int hci_abort_conn_sync(struct hci_dev *
- case BT_CONFIG:
- return hci_disconnect_sync(hdev, conn, reason);
- case BT_CONNECT:
-- err = hci_connect_cancel_sync(hdev, conn, reason);
-+ err = hci_connect_cancel_sync(hdev, conn);
- /* Cleanup hci_conn object if it cannot be cancelled as it
-- * likelly means the controller and host stack are out of sync
-- * or in case of LE it was still scanning so it can be cleanup
-- * safely.
-+ * likelly means the controller and host stack are out of sync.
- */
- if (err) {
- hci_dev_lock(hdev);
-@@ -6285,7 +6278,7 @@ int hci_le_create_conn_sync(struct hci_d
-
- done:
- if (err == -ETIMEDOUT)
-- hci_le_connect_cancel_sync(hdev, conn, 0x00);
-+ hci_le_connect_cancel_sync(hdev, conn);
-
- /* Re-enable advertising after the connection attempt is finished. */
- hci_resume_advertising_sync(hdev);
---- a/net/bluetooth/mgmt.c
-+++ b/net/bluetooth/mgmt.c
-@@ -3600,6 +3600,18 @@ unlock:
- return err;
- }
-
-+static int abort_conn_sync(struct hci_dev *hdev, void *data)
-+{
-+ struct hci_conn *conn;
-+ u16 handle = PTR_ERR(data);
-+
-+ conn = hci_conn_hash_lookup_handle(hdev, handle);
-+ if (!conn)
-+ return 0;
-+
-+ return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
-+}
-+
- static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
- u16 len)
- {
-@@ -3650,7 +3662,8 @@ static int cancel_pair_device(struct soc
- le_addr_type(addr->type));
-
- if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
-- hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
-+ hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
-+ NULL);
-
- unlock:
- hci_dev_unlock(hdev);
+++ /dev/null
-From ed41cfef23ae134993de32a77ed6a30df2b5bb2a Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 13 Nov 2024 15:44:07 +0100
-Subject: Revert "Bluetooth: hci_core: Fix possible buffer overflow"
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-This reverts commit 68644bf5ec6baaff40fc39b3529c874bfda709bd which is
-commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 upstream.
-
-It is reported to cause regressions in the 6.1.y tree, so revert it for
-now.
-
-Link: https://lore.kernel.org/all/CADRbXaDqx6S+7tzdDPPEpRu9eDLrHQkqoWTTGfKJSRxY=hT5MQ@mail.gmail.com/
-Reported-by: Jeremy Lainé <jeremy.laine@m4x.org>
-Cc: Salvatore Bonaccorso <carnil@debian.org>
-Cc: Mike <user.service2016@gmail.com>
-Cc: Marcel Holtmann <marcel@holtmann.org>
-Cc: Johan Hedberg <johan.hedberg@gmail.com>
-Cc: Paul Menzel <pmenzel@molgen.mpg.de>
-Cc: Pauli Virtanen <pav@iki.fi>
-Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bluetooth/hci_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/bluetooth/hci_core.c
-+++ b/net/bluetooth/hci_core.c
-@@ -869,7 +869,7 @@ int hci_get_dev_info(void __user *arg)
- else
- flags = hdev->flags;
-
-- strscpy(di.name, hdev->name, sizeof(di.name));
-+ strcpy(di.name, hdev->name);
- di.bdaddr = hdev->bdaddr;
- di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
- di.flags = flags;
+++ /dev/null
-From 9cb0d1e2bf8f7faeb42466768b46f0cf2da80941 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 13 Nov 2024 15:42:48 +0100
-Subject: Revert "Bluetooth: hci_sync: Fix overwriting request callback"
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-This reverts commit da77c1d39bc527b31890bfa0405763c82828defb which is
-commit 2615fd9a7c2507eb3be3fbe49dcec88a2f56454a upstream.
-
-It is reported to cause regressions in the 6.1.y tree, so revert it for
-now.
-
-Link: https://lore.kernel.org/all/CADRbXaDqx6S+7tzdDPPEpRu9eDLrHQkqoWTTGfKJSRxY=hT5MQ@mail.gmail.com/
-Reported-by: Jeremy Lainé <jeremy.laine@m4x.org>
-Cc: Salvatore Bonaccorso <carnil@debian.org>
-Cc: Mike <user.service2016@gmail.com>
-Cc: Marcel Holtmann <marcel@holtmann.org>
-Cc: Johan Hedberg <johan.hedberg@gmail.com>
-Cc: Paul Menzel <pmenzel@molgen.mpg.de>
-Cc: Pauli Virtanen <pav@iki.fi>
-Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/bluetooth/hci_core.h | 1
- net/bluetooth/hci_conn.c | 2 -
- net/bluetooth/hci_core.c | 46 +++++++++++----------------------------
- net/bluetooth/hci_event.c | 18 +++++++--------
- net/bluetooth/hci_sync.c | 21 ++---------------
- 5 files changed, 27 insertions(+), 61 deletions(-)
-
---- a/include/net/bluetooth/hci_core.h
-+++ b/include/net/bluetooth/hci_core.h
-@@ -544,7 +544,6 @@ struct hci_dev {
- __u32 req_status;
- __u32 req_result;
- struct sk_buff *req_skb;
-- struct sk_buff *req_rsp;
-
- void *smp_data;
- void *smp_bredr_data;
---- a/net/bluetooth/hci_conn.c
-+++ b/net/bluetooth/hci_conn.c
-@@ -2816,7 +2816,7 @@ int hci_abort_conn(struct hci_conn *conn
- case HCI_EV_LE_CONN_COMPLETE:
- case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
- case HCI_EVT_LE_CIS_ESTABLISHED:
-- hci_cmd_sync_cancel(hdev, ECANCELED);
-+ hci_cmd_sync_cancel(hdev, -ECANCELED);
- break;
- }
- }
---- a/net/bluetooth/hci_core.c
-+++ b/net/bluetooth/hci_core.c
-@@ -1452,8 +1452,8 @@ static void hci_cmd_timeout(struct work_
- struct hci_dev *hdev = container_of(work, struct hci_dev,
- cmd_timer.work);
-
-- if (hdev->req_skb) {
-- u16 opcode = hci_skb_opcode(hdev->req_skb);
-+ if (hdev->sent_cmd) {
-+ u16 opcode = hci_skb_opcode(hdev->sent_cmd);
-
- bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
-
-@@ -2762,7 +2762,6 @@ void hci_release_dev(struct hci_dev *hde
-
- ida_simple_remove(&hci_index_ida, hdev->id);
- kfree_skb(hdev->sent_cmd);
-- kfree_skb(hdev->req_skb);
- kfree_skb(hdev->recv_event);
- kfree(hdev);
- }
-@@ -3092,33 +3091,21 @@ int __hci_cmd_send(struct hci_dev *hdev,
- EXPORT_SYMBOL(__hci_cmd_send);
-
- /* Get data from the previously sent command */
--static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode)
-+void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
- {
- struct hci_command_hdr *hdr;
-
-- if (!skb || skb->len < HCI_COMMAND_HDR_SIZE)
-+ if (!hdev->sent_cmd)
- return NULL;
-
-- hdr = (void *)skb->data;
-+ hdr = (void *) hdev->sent_cmd->data;
-
- if (hdr->opcode != cpu_to_le16(opcode))
- return NULL;
-
-- return skb->data + HCI_COMMAND_HDR_SIZE;
--}
-+ BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
-
--/* Get data from the previously sent command */
--void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
--{
-- void *data;
--
-- /* Check if opcode matches last sent command */
-- data = hci_cmd_data(hdev->sent_cmd, opcode);
-- if (!data)
-- /* Check if opcode matches last request */
-- data = hci_cmd_data(hdev->req_skb, opcode);
--
-- return data;
-+ return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
- }
-
- /* Get data from last received event */
-@@ -4014,19 +4001,17 @@ void hci_req_cmd_complete(struct hci_dev
- if (!status && !hci_req_is_complete(hdev))
- return;
-
-- skb = hdev->req_skb;
--
- /* If this was the last command in a request the complete
-- * callback would be found in hdev->req_skb instead of the
-+ * callback would be found in hdev->sent_cmd instead of the
- * command queue (hdev->cmd_q).
- */
-- if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) {
-- *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
-+ if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
-+ *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
- return;
- }
-
-- if (skb && bt_cb(skb)->hci.req_complete) {
-- *req_complete = bt_cb(skb)->hci.req_complete;
-+ if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
-+ *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
- return;
- }
-
-@@ -4143,11 +4128,8 @@ static void hci_send_cmd_sync(struct hci
- return;
- }
-
-- if (hci_req_status_pend(hdev) &&
-- !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
-- kfree_skb(hdev->req_skb);
-- hdev->req_skb = skb_clone(skb, GFP_KERNEL);
-- }
-+ if (hci_req_status_pend(hdev))
-+ hci_dev_set_flag(hdev, HCI_CMD_PENDING);
-
- atomic_dec(&hdev->cmd_cnt);
- }
---- a/net/bluetooth/hci_event.c
-+++ b/net/bluetooth/hci_event.c
-@@ -4354,7 +4354,7 @@ static void hci_cmd_status_evt(struct hc
- * (since for this kind of commands there will not be a command
- * complete event).
- */
-- if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
-+ if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
- hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
- req_complete_skb);
- if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
-@@ -7171,10 +7171,10 @@ static void hci_le_meta_evt(struct hci_d
- bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
-
- /* Only match event if command OGF is for LE */
-- if (hdev->req_skb &&
-- hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 &&
-- hci_skb_event(hdev->req_skb) == ev->subevent) {
-- *opcode = hci_skb_opcode(hdev->req_skb);
-+ if (hdev->sent_cmd &&
-+ hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
-+ hci_skb_event(hdev->sent_cmd) == ev->subevent) {
-+ *opcode = hci_skb_opcode(hdev->sent_cmd);
- hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
- req_complete_skb);
- }
-@@ -7561,10 +7561,10 @@ void hci_event_packet(struct hci_dev *hd
- }
-
- /* Only match event if command OGF is not for LE */
-- if (hdev->req_skb &&
-- hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
-- hci_skb_event(hdev->req_skb) == event) {
-- hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
-+ if (hdev->sent_cmd &&
-+ hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
-+ hci_skb_event(hdev->sent_cmd) == event) {
-+ hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
- status, &req_complete, &req_complete_skb);
- req_evt = event;
- }
---- a/net/bluetooth/hci_sync.c
-+++ b/net/bluetooth/hci_sync.c
-@@ -31,10 +31,6 @@ static void hci_cmd_sync_complete(struct
- hdev->req_result = result;
- hdev->req_status = HCI_REQ_DONE;
-
-- /* Free the request command so it is not used as response */
-- kfree_skb(hdev->req_skb);
-- hdev->req_skb = NULL;
--
- if (skb) {
- struct sock *sk = hci_skb_sk(skb);
-
-@@ -42,7 +38,7 @@ static void hci_cmd_sync_complete(struct
- if (sk)
- sock_put(sk);
-
-- hdev->req_rsp = skb_get(skb);
-+ hdev->req_skb = skb_get(skb);
- }
-
- wake_up_interruptible(&hdev->req_wait_q);
-@@ -190,8 +186,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct
-
- hdev->req_status = 0;
- hdev->req_result = 0;
-- skb = hdev->req_rsp;
-- hdev->req_rsp = NULL;
-+ skb = hdev->req_skb;
-+ hdev->req_skb = NULL;
-
- bt_dev_dbg(hdev, "end: err %d", err);
-
-@@ -4941,11 +4937,6 @@ int hci_dev_open_sync(struct hci_dev *hd
- hdev->sent_cmd = NULL;
- }
-
-- if (hdev->req_skb) {
-- kfree_skb(hdev->req_skb);
-- hdev->req_skb = NULL;
-- }
--
- clear_bit(HCI_RUNNING, &hdev->flags);
- hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
-
-@@ -5107,12 +5098,6 @@ int hci_dev_close_sync(struct hci_dev *h
- hdev->sent_cmd = NULL;
- }
-
-- /* Drop last request */
-- if (hdev->req_skb) {
-- kfree_skb(hdev->req_skb);
-- hdev->req_skb = NULL;
-- }
--
- clear_bit(HCI_RUNNING, &hdev->flags);
- hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
-
+++ /dev/null
-revert-bluetooth-fix-use-after-free-in-accessing-skb-after-sending-it.patch
-revert-bluetooth-hci_sync-fix-overwriting-request-callback.patch
-revert-bluetooth-af_bluetooth-fix-deadlock.patch
-revert-bluetooth-hci_core-fix-possible-buffer-overflow.patch
-revert-bluetooth-hci_conn-consolidate-code-for-aborting-connections.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
