From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Pavel Shpakovskiy <pashpakovskii@salutedevices.com>,
Paul Menzel <pmenzel@molgen.mpg.de>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 25/75] Bluetooth: hci_sync: fix set_local_name race condition
Date: Tue, 2 Sep 2025 15:20:37 +0200
Message-ID: <20250902131936.104791082@linuxfoundation.org>
In-Reply-To: <20250902131935.107897242@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Shpakovskiy <pashpakovskii@salutedevices.com>
[ Upstream commit 6bbd0d3f0c23fc53c17409dd7476f38ae0ff0cd9 ]
Function set_name_sync() uses hdev->dev_name field to send
HCI_OP_WRITE_LOCAL_NAME command, but copying from data to hdev->dev_name
is called after mgmt cmd was queued, so it is possible that function
set_name_sync() will read old name value.
This change adds name as a parameter for function hci_update_name_sync()
to avoid race condition.
Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME")
Signed-off-by: Pavel Shpakovskiy <pashpakovskii@salutedevices.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_sync.h | 2 +-
net/bluetooth/hci_sync.c | 6 +++---
net/bluetooth/mgmt.c | 5 ++++-
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
index 3cb2d10cac930..e2e588b08fe90 100644
--- a/include/net/bluetooth/hci_sync.h
+++ b/include/net/bluetooth/hci_sync.h
@@ -72,7 +72,7 @@ int hci_update_class_sync(struct hci_dev *hdev);
int hci_update_eir_sync(struct hci_dev *hdev);
int hci_update_class_sync(struct hci_dev *hdev);
-int hci_update_name_sync(struct hci_dev *hdev);
+int hci_update_name_sync(struct hci_dev *hdev, const u8 *name);
int hci_write_ssp_mode_sync(struct hci_dev *hdev, u8 mode);
int hci_get_random_address(struct hci_dev *hdev, bool require_privacy,
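Review bot: the new name parameter in the hci_update_name_sync() prototype is a bare const u8 * with no length and no comment, while the implementation in net/bluetooth/hci_sync.c copies sizeof(cp.name) bytes from it. Document next to the declaration that name must point to a buffer at least as large as the name field of struct hci_cp_write_local_name, so that a future caller does not pass a shorter, NUL-terminated string.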
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 01aca07707117..020f1809fc994 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -3491,13 +3491,13 @@ int hci_update_scan_sync(struct hci_dev *hdev)
return hci_write_scan_enable_sync(hdev, scan);
}
-int hci_update_name_sync(struct hci_dev *hdev)
+int hci_update_name_sync(struct hci_dev *hdev, const u8 *name)
{
struct hci_cp_write_local_name cp;
memset(&cp, 0, sizeof(cp));
- memcpy(cp.name, hdev->dev_name, sizeof(cp.name));
+ memcpy(cp.name, name, sizeof(cp.name));
return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_LOCAL_NAME,
sizeof(cp), &cp,
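Review bot: memcpy(cp.name, name, sizeof(cp.name)) now reads a fixed number of bytes through a caller-supplied pointer, so a NULL or undersized name turns into a fault or an out-of-bounds read inside this function. The two callers in this patch pass hdev->dev_name and cp->name from struct mgmt_cp_set_local_name; please confirm both are at least sizeof(cp.name) bytes, since neither size is visible in this diff.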
@@ -3550,7 +3550,7 @@ int hci_powered_update_sync(struct hci_dev *hdev)
hci_write_fast_connectable_sync(hdev, false);
hci_update_scan_sync(hdev);
hci_update_class_sync(hdev);
- hci_update_name_sync(hdev);
+ hci_update_name_sync(hdev, hdev->dev_name);
hci_update_eir_sync(hdev);
}
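Review bot: the hci_powered_update_sync() call site still passes hdev->dev_name, read when this function runs, so this path keeps depending on the shared field that the commit message says is written only after the mgmt command is queued. If that is intended because power-on should push whatever name is currently stored, a one-line comment saying so would help. The return value of hci_update_name_sync() is also still discarded here.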
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 82fa8c28438f2..9b01eaaa0eb2d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -3819,8 +3819,11 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err)
static int set_name_sync(struct hci_dev *hdev, void *data)
{
+ struct mgmt_pending_cmd *cmd = data;
+ struct mgmt_cp_set_local_name *cp = cmd->param;
+
if (lmp_bredr_capable(hdev)) {
- hci_update_name_sync(hdev);
+ hci_update_name_sync(hdev, cp->name);
hci_update_eir_sync(hdev);
}
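Review bot: set_name_sync() now dereferences data as a struct mgmt_pending_cmd and reads cmd->param, with no check visible in this hunk that the pending command is still alive when the queued work runs. If the command can be removed or freed before then, cp->name is read from freed memory, so either validate cmd first or have the queued work own a copy of the name. Separately, hci_update_eir_sync(hdev) on the following line still takes only hdev; if it builds the EIR data from hdev->dev_name, it can observe the same stale name this patch fixes for HCI_OP_WRITE_LOCAL_NAME.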
--
2.50.1