[GIT PULL] bluetooth 2025-06-20

[GIT PULL] bluetooth 2025-06-20

[Luiz Augusto von Dentz]

The following changes since commit e0fca6f2cebff539e9317a15a37dcf432e3b851a:

  net: mana: Record doorbell physical address in PF mode (2025-06-19 15:55:22 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git tags/for-net-2025-06-20

for you to fetch changes up to 135c1294c585cf8d0d35f2fd13b8caade4aa1c61:

  Bluetooth: hci_core: Fix use-after-free in vhci_flush() (2025-06-20 11:55:16 -0400)

----------------------------------------------------------------
bluetooth pull request for net:

 - L2CAP: Fix L2CAP MTU negotiation
 - hci_core: Fix use-after-free in vhci_flush()
 - btintel_pcie: Fix potential race condition in firmware download
 - hci_qca: fix unable to load the BT driver

----------------------------------------------------------------
Frédéric Danis (1):
      Bluetooth: L2CAP: Fix L2CAP MTU negotiation

Kiran K (1):
      Bluetooth: btintel_pcie: Fix potential race condition in firmware download

Kuniyuki Iwashima (1):
      Bluetooth: hci_core: Fix use-after-free in vhci_flush()

Shuai Zhang (1):
      driver: bluetooth: hci_qca:fix unable to load the BT driver

 drivers/bluetooth/btintel_pcie.c | 33 +++++++++++++++++++++++++++++++--
 drivers/bluetooth/hci_qca.c      | 13 ++++++++++---
 include/net/bluetooth/hci_core.h |  2 ++
 net/bluetooth/hci_core.c         | 32 ++++++++++++++++++++++++++++----
 net/bluetooth/l2cap_core.c       |  9 ++++++++-
 5 files changed, 79 insertions(+), 10 deletions(-)

Re: [GIT PULL] bluetooth 2025-06-20

[Jakub Kicinski]

On Fri, 20 Jun 2025 13:57:47 -0400 Luiz Augusto von Dentz wrote:
> bluetooth pull request for net:
> 
>  - L2CAP: Fix L2CAP MTU negotiation
>  - hci_core: Fix use-after-free in vhci_flush()
>  - btintel_pcie: Fix potential race condition in firmware download
>  - hci_qca: fix unable to load the BT driver

commit 135c1294c585cf8

        alloc_size = sizeof(*hdev);
        if (sizeof_priv) {
                /* Fixme: May need ALIGN-ment? */
                alloc_size += sizeof_priv;
        }
 
        hdev = kzalloc(alloc_size, GFP_KERNEL);
        if (!hdev)
                return NULL;
 
+       if (init_srcu_struct(&hdev->srcu))
+               return NULL;
+
        hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);

Isn't this leaking hdev?

Re: [GIT PULL] bluetooth 2025-06-20

[Luiz Augusto von Dentz]

Hi,

On Sat, Jun 21, 2025 at 10:51 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 20 Jun 2025 13:57:47 -0400 Luiz Augusto von Dentz wrote:
> > bluetooth pull request for net:
> >
> >  - L2CAP: Fix L2CAP MTU negotiation
> >  - hci_core: Fix use-after-free in vhci_flush()
> >  - btintel_pcie: Fix potential race condition in firmware download
> >  - hci_qca: fix unable to load the BT driver
>
> commit 135c1294c585cf8
>
>         alloc_size = sizeof(*hdev);
>         if (sizeof_priv) {
>                 /* Fixme: May need ALIGN-ment? */
>                 alloc_size += sizeof_priv;
>         }
>
>         hdev = kzalloc(alloc_size, GFP_KERNEL);
>         if (!hdev)
>                 return NULL;
>
> +       if (init_srcu_struct(&hdev->srcu))
> +               return NULL;
> +
>         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
>
> Isn't this leaking hdev?

Yeah looks like we shall free the hdev before returning NULL, will fix
that and resend.



-- 
Luiz Augusto von Dentz