From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, cen zhang <zzzccc427@gmail.com>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Chen Yu <xnguchen@sina.cn>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 090/185] Bluetooth: MGMT: Fix possible UAFs
Date: Fri, 21 Nov 2025 14:11:57 +0100 [thread overview]
Message-ID: <20251121130147.115792024@linuxfoundation.org> (raw)
In-Reply-To: <20251121130143.857798067@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 302a1f674c00dd5581ab8e493ef44767c5101aab ]
This attemps to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed like in the following trace, in order
to fix mgmt_pending_valid is introduce and use to check if the
mgmt_pending hasn't been removed from the pending list, on the complete
callbacks it is used to check and in addtion remove the cmd from the list
while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd
is left on the list it can still be accessed and freed.
BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55
CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 12210:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1133
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 12221:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4648 [inline]
kfree+0x18e/0x440 mm/slub.c:4847
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
sock_do_ioctl+0xd9/0x300 net/socket.c:1192
sock_ioctl+0x576/0x790 net/socket.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED")
Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync")
Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync")
Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP")
Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE")
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME")
Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION")
Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor")
Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING")
Reported-by: cen zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Chen Yu <xnguchen@sina.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------
net/bluetooth/mgmt_util.c | 46 +++++++
net/bluetooth/mgmt_util.h | 3 +
3 files changed, 231 insertions(+), 77 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index c54cc701cdd48..83e33d9cfb33c 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
struct mgmt_mode *cp;
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
cp = cmd->param;
@@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
mgmt_status(err));
}
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int set_powered_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp;
+ struct mgmt_mode cp;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
/* Make sure cmd still outstanding. */
- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
return -ECANCELED;
+ }
- cp = cmd->param;
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
BT_DBG("%s", hdev->name);
- return hci_set_powered_sync(hdev, cp->val);
+ return hci_set_powered_sync(hdev, cp.val);
}
static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
@@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
bt_dev_dbg(hdev, "err %d", err);
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
hci_dev_lock(hdev);
@@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
new_settings(hdev, cmd->sk);
done:
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_dev_unlock(hdev);
}
static int set_discoverable_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
BT_DBG("%s", hdev->name);
return hci_update_discoverable_sync(hdev);
@@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
bt_dev_dbg(hdev, "err %d", err);
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
hci_dev_lock(hdev);
@@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
new_settings(hdev, cmd->sk);
done:
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_dev_unlock(hdev);
}
@@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev,
static int set_connectable_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
BT_DBG("%s", hdev->name);
return hci_update_connectable_sync(hdev);
@@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
{
struct cmd_lookup match = { NULL, hdev };
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
- u8 enable = cp->val;
+ struct mgmt_mode *cp;
+ u8 enable;
bool changed;
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
+ cp = cmd->param;
+ enable = cp->val;
+
if (err) {
u8 mgmt_err = mgmt_status(err);
@@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
new_settings(hdev, NULL);
}
- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true,
- cmd_status_rsp, &mgmt_err);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
return;
}
@@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
}
- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match);
+ settings_rsp(cmd, &match);
if (changed)
new_settings(hdev, match.sk);
@@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
static int set_ssp_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
+ struct mgmt_mode cp;
bool changed = false;
int err;
- if (cp->val)
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ if (cp.val)
changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
- err = hci_write_ssp_mode_sync(hdev, cp->val);
+ err = hci_write_ssp_mode_sync(hdev, cp.val);
if (!err && changed)
hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
@@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
static void set_le_complete(struct hci_dev *hdev, void *data, int err)
{
+ struct mgmt_pending_cmd *cmd = data;
struct cmd_lookup match = { NULL, hdev };
u8 status = mgmt_status(err);
bt_dev_dbg(hdev, "err %d", err);
- if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp,
- &status);
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data))
return;
+
+ if (status) {
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status);
+ goto done;
}
- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match);
+ settings_rsp(cmd, &match);
new_settings(hdev, match.sk);
if (match.sk)
sock_put(match.sk);
+
+done:
+ mgmt_pending_free(cmd);
}
static int set_le_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
- u8 val = !!cp->val;
+ struct mgmt_mode cp;
+ u8 val;
int err;
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+ val = !!cp.val;
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
if (!val) {
hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
@@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
u8 status = mgmt_status(err);
- struct sock *sk = cmd->sk;
+ struct sock *sk;
+
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
+ return;
+
+ sk = cmd->sk;
if (status) {
mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
@@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
static int set_mesh_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_cp_set_mesh *cp = cmd->param;
- size_t len = cmd->param_len;
+ struct mgmt_cp_set_mesh cp;
+ size_t len;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ len = cmd->param_len;
memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
- if (cp->enable)
+ if (cp.enable)
hci_dev_set_flag(hdev, HCI_MESH);
else
hci_dev_clear_flag(hdev, HCI_MESH);
- hdev->le_scan_interval = __le16_to_cpu(cp->period);
- hdev->le_scan_window = __le16_to_cpu(cp->window);
+ hdev->le_scan_interval = __le16_to_cpu(cp.period);
+ hdev->le_scan_window = __le16_to_cpu(cp.window);
- len -= sizeof(*cp);
+ len -= sizeof(cp);
/* If filters don't fit, forward all adv pkts */
if (len <= sizeof(hdev->mesh_ad_types))
- memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+ memcpy(hdev->mesh_ad_types, cp.ad_types, len);
hci_update_passive_scan_sync(hdev);
return 0;
@@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data)
static void set_name_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_cp_set_local_name *cp = cmd->param;
+ struct mgmt_cp_set_local_name *cp;
u8 status = mgmt_status(err);
bt_dev_dbg(hdev, "err %d", err);
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
+ cp = cmd->param;
+
if (status) {
mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
status);
@@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err)
hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
}
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int set_name_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_cp_set_local_name *cp = cmd->param;
+ struct mgmt_cp_set_local_name cp;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
if (lmp_bredr_capable(hdev)) {
- hci_update_name_sync(hdev, cp->name);
+ hci_update_name_sync(hdev, cp.name);
hci_update_eir_sync(hdev);
}
@@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
- struct sk_buff *skb = cmd->skb;
+ struct sk_buff *skb;
u8 status = mgmt_status(err);
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
- return;
+ skb = cmd->skb;
if (!status) {
if (!skb)
@@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
if (skb && !IS_ERR(skb))
kfree_skb(skb);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int set_default_phy_sync(struct hci_dev *hdev, void *data)
@@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data)
struct mgmt_pending_cmd *cmd = data;
struct mgmt_cp_set_phy_configuration *cp = cmd->param;
struct hci_cp_le_set_default_phy cp_phy;
- u32 selected_phys = __le32_to_cpu(cp->selected_phys);
+ u32 selected_phys;
+
+ selected_phys = __le32_to_cpu(cp->selected_phys);
memset(&cp_phy, 0, sizeof(cp_phy));
@@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
goto unlock;
}
- cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
+ cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
len);
if (!cmd)
err = -ENOMEM;
@@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
{
struct mgmt_rp_add_adv_patterns_monitor rp;
struct mgmt_pending_cmd *cmd = data;
- struct adv_monitor *monitor = cmd->user_data;
+ struct adv_monitor *monitor;
+
+ /* This is likely the result of hdev being closed and mgmt_index_removed
+ * is attempting to clean up any pending command so
+ * hci_adv_monitors_clear is about to be called which will take care of
+ * freeing the adv_monitor instances.
+ */
+ if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
+ return;
+
+ monitor = cmd->user_data;
hci_dev_lock(hdev);
@@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct adv_monitor *monitor = cmd->user_data;
+ struct adv_monitor *mon;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ mon = cmd->user_data;
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
- return hci_add_adv_monitor(hdev, monitor);
+ return hci_add_adv_monitor(hdev, mon);
}
static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
@@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
status);
}
-static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
+static void read_local_oob_data_complete(struct hci_dev *hdev, void *data,
+ int err)
{
struct mgmt_rp_read_local_oob_data mgmt_rp;
size_t rp_size = sizeof(mgmt_rp);
@@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e
bt_dev_dbg(hdev, "status %d", status);
if (status) {
- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
+ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
+ status);
goto remove;
}
@@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
bt_dev_dbg(hdev, "err %d", err);
- if (err == -ECANCELED)
- return;
-
- if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
- cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
- cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
cmd->param, 1);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
DISCOVERY_FINDING);
@@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
static int start_discovery_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
return hci_start_discovery_sync(hdev);
}
@@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
bt_dev_dbg(hdev, "err %d", err);
mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
cmd->param, 1);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
if (!err)
hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
@@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
static int stop_discovery_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
return hci_stop_discovery_sync(hdev);
}
@@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err)
static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
{
+ struct mgmt_pending_cmd *cmd = data;
struct cmd_lookup match = { NULL, hdev };
u8 instance;
struct adv_info *adv_instance;
u8 status = mgmt_status(err);
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data))
+ return;
+
if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true,
- cmd_status_rsp, &status);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status);
+ mgmt_pending_free(cmd);
return;
}
@@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
else
hci_dev_clear_flag(hdev, HCI_ADVERTISING);
- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp,
- &match);
+ settings_rsp(cmd, &match);
new_settings(hdev, match.sk);
@@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
static int set_adv_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
- u8 val = !!cp->val;
+ struct mgmt_mode cp;
+ u8 val;
- if (cp->val == 0x02)
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ val = !!cp.val;
+
+ if (cp.val == 0x02)
hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
else
hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
@@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
u8 status = mgmt_status(err);
u16 eir_len;
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
- return;
-
if (!status) {
if (!skb)
status = MGMT_STATUS_FAILED;
@@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
kfree_skb(skb);
kfree(mgmt_rp);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
@@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
struct mgmt_pending_cmd *cmd;
int err;
- cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
+ cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
cp, sizeof(*cp));
if (!cmd)
return -ENOMEM;
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index a88a07da39473..aa7b5585cb268 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
mgmt_pending_free(cmd);
}
+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+ struct mgmt_pending_cmd *tmp;
+
+ lockdep_assert_held(&hdev->mgmt_pending_lock);
+
+ if (!cmd)
+ return false;
+
+ list_for_each_entry(tmp, &hdev->mgmt_pending, list) {
+ if (cmd == tmp)
+ return true;
+ }
+
+ return false;
+}
+
+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+ bool listed;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+ listed = __mgmt_pending_listed(hdev, cmd);
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ return listed;
+}
+
+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+ bool listed;
+
+ if (!cmd)
+ return false;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ listed = __mgmt_pending_listed(hdev, cmd);
+ if (listed)
+ list_del(&cmd->list);
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ return listed;
+}
+
void mgmt_mesh_foreach(struct hci_dev *hdev,
void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data),
void *data, struct sock *sk)
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index 024e51dd69375..bcba8c9d89528 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
void *data, u16 len);
void mgmt_pending_free(struct mgmt_pending_cmd *cmd);
void mgmt_pending_remove(struct mgmt_pending_cmd *cmd);
+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
void mgmt_mesh_foreach(struct hci_dev *hdev,
void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data),
void *data, struct sock *sk);
--
2.51.0
next prev parent reply other threads:[~2025-11-21 13:31 UTC|newest]
Thread overview: 203+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-21 13:10 [PATCH 6.12 000/185] 6.12.59-rc1 review Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 001/185] drm/mediatek: Add pm_runtime support for GCE power control Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 002/185] drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 003/185] drm/i915: Fix conversion between clock ticks and nanoseconds Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 004/185] smb: client: fix refcount leak in smb2_set_path_attr Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 005/185] iommufd: Make vfio_compats unmap succeed if the range is already empty Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 006/185] drm/amd: Fix suspend failure with secure display TA Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 007/185] drm/xe/guc: Synchronize Dead CT worker with unbind Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 008/185] drm/xe: Move declarations under conditional branch Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 009/185] drm/xe: Do clean shutdown also when using flr Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 010/185] arm64: kprobes: check the return value of set_memory_rox() Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 011/185] compiler_types: Move unused static inline functions warning to W=2 Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 012/185] riscv: Build loader.bin exclusively for Canaan K210 Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 013/185] RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 014/185] riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 015/185] drm/amdgpu: remove two invalid BUG_ON()s Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 016/185] drm/amd/pm: Disable MCLK switching on SI at high pixel clocks Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 017/185] drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 018/185] drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 019/185] NFS4: Fix state renewals missing after boot Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 020/185] NFS4: Apply delay_retrans to async operations Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 021/185] HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 022/185] HID: nintendo: Wait longer for initial probe Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 023/185] NFS: check if suid/sgid was cleared after a write as needed Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 024/185] HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 025/185] exfat: fix improper check of dentry.stream.valid_size Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 026/185] smb/server: fix possible memory leak in smb2_read() Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 027/185] smb/server: fix possible refcount leak in smb2_sess_setup() Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 028/185] HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 029/185] ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 030/185] wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 031/185] erofs: avoid infinite loop due to incomplete zstd-compressed data Greg Kroah-Hartman
2025-11-21 13:10 ` [PATCH 6.12 032/185] selftests: net: local_termination: Wait for interfaces to come up Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 033/185] net: fec: correct rx_bytes statistic for the case SHIFT16 is set Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 034/185] net: phy: micrel: Introduce lanphy_modify_page_reg Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 035/185] net: phy: micrel: Replace hardcoded pages with defines Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 036/185] net: phy: micrel: lan8814 fix reset of the QSGMII interface Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 037/185] rust: Add -fno-isolate-erroneous-paths-dereference to bindgen_skip_c_flags Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 038/185] NFSD: Skip close replay processing if XDR encoding fails Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 039/185] Bluetooth: MGMT: cancel mesh send timer when hdev removed Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 040/185] Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 041/185] Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 042/185] Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 043/185] Bluetooth: 6lowpan: Dont hold spin lock over sleeping functions Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 044/185] sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 045/185] net/smc: fix mismatch between CLC header and proposal Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 046/185] net/handshake: Fix memory leak in tls_handshake_accept() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 047/185] net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 048/185] net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 049/185] tipc: Fix use-after-free in tipc_mon_reinit_self() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 050/185] net: mdio: fix resource leak in mdiobus_register_device() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 051/185] wifi: mac80211: skip rate verification for not captured PSDUs Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 052/185] af_unix: Initialise scc_index in unix_add_edge() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 053/185] net_sched: act_connmark: use RCU in tcf_connmark_dump() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 054/185] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 055/185] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 056/185] net/mlx5e: Fix maxrate wraparound in threshold between units Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 057/185] net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 058/185] net/mlx5e: Fix potentially misleading debug message Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 059/185] net_sched: limit try_bulk_dequeue_skb() batches Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 060/185] virtio-net: fix incorrect flags recording in big mode Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 061/185] hsr: Fix supervision frame sending on HSRv0 Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 062/185] ACPI: CPPC: Detect preferred core availability on online CPUs Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 063/185] ACPI: CPPC: Check _CPC validity for only the " Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 064/185] ACPI: CPPC: Perform fast check switch only for " Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 065/185] ACPI: CPPC: Limit perf ctrs in PCC check only to " Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 066/185] Bluetooth: L2CAP: export l2cap_chan_hold for modules Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 067/185] acpi,srat: Fix incorrect device handle check for Generic Initiator Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 068/185] regulator: fixed: fix GPIO descriptor leak on register failure Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 069/185] ASoC: cs4271: Fix regulator leak on probe failure Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 070/185] ASoC: codecs: va-macro: fix resource leak in probe error path Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 071/185] drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 072/185] ASoC: tas2781: fix getting the wrong device number Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 073/185] pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 074/185] pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 075/185] simplify nfs_atomic_open_v23() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 076/185] NFSv2/v3: Fix error handling in nfs_atomic_open_v23() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 077/185] NFS: sysfs: fix leak when nfs_client kobject add fails Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 078/185] NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 079/185] NFS: Fix LTP test failures when timestamps are delegated Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 080/185] ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 081/185] acpi/hmat: Fix lockdep warning for hmem_register_resource() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 082/185] bpf: Add bpf_prog_run_data_pointers() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 083/185] bpf: account for current allocated stack depth in widen_imprecise_scalars() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 084/185] irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 085/185] wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 086/185] proc: fix the issue of proc_mem_open returning NULL Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 087/185] ext4: introduce ITAIL helper Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 088/185] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 089/185] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2025-11-21 13:11 ` Greg Kroah-Hartman [this message]
2025-11-21 13:11 ` [PATCH 6.12 091/185] f2fs: fix to avoid overflow while left shift operation Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 092/185] hostfs: Fix only passing host root in boot stage with new mount Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 093/185] mtd: onenand: Pass correct pointer to IRQ handler Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 094/185] virtio-fs: fix incorrect check for fsvq->kobj Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 095/185] fs/namespace: correctly handle errors returned by grab_requested_mnt_ns Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 096/185] sched_ext: Fix unsafe locking in the scx_dump_state() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 097/185] Revert "netfilter: nf_tables: Reintroduce shortened deletion notifications" Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 098/185] netfilter: nf_tables: reject duplicate device on updates Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 099/185] arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 100/185] arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 101/185] ARM: dts: imx51-zii-rdu1: Fix audmux node names Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 102/185] HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 103/185] ARM: dts: BCM53573: Fix address of Luxul XAP-1440s Ethernet PHY Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 104/185] HID: playstation: Fix memory leak in dualshock4_get_calibration_data() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 105/185] HID: uclogic: Fix potential memory leak in error path Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 106/185] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 107/185] LoongArch: KVM: Restore guest PMU if it is enabled Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 108/185] LoongArch: KVM: Add delay until timer interrupt injected Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 109/185] KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 110/185] nfsd: fix refcount leak in nfsd_set_fh_dentry() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 111/185] nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 112/185] NFSD: free copynotify stateid in nfs4_free_ol_stateid() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 113/185] gcov: add support for GCC 15 Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 114/185] ksmbd: close accepted socket when per-IP limit rejects connection Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 115/185] ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 116/185] strparser: Fix signed/unsigned mismatch bug Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 117/185] dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 118/185] LoongArch: Use correct accessor to read FWPC/MWPC Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 119/185] LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 120/185] ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 121/185] nilfs2: avoid having an active sc_timer before freeing sci Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 122/185] selftests/tracing: Run sample events to clear page cache events Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 123/185] wifi: mac80211: reject address change while connecting Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 124/185] fs/proc: fix uaf in proc_readdir_de() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 125/185] mm/mm_init: fix hash table order logging in alloc_large_system_hash() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 126/185] mm/shmem: fix THP allocation and fallback loop Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 127/185] mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 128/185] mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 129/185] ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 130/185] cifs: client: fix memory leak in smb3_fs_context_parse_param Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 131/185] codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 132/185] crash: fix crashkernel resource shrink Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 133/185] crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 134/185] smb: client: fix cifs_pick_channel when channel needs reconnect Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 135/185] spi: Try to get ACPI GPIO IRQ earlier Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 136/185] x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 137/185] selftests/user_events: fix type cast for write_index packed member in perf_test Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 138/185] ftrace: Fix BPF fexit with livepatch Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 139/185] LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 140/185] EDAC/altera: Handle OCRAM ECC enable after warm reset Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 141/185] EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 142/185] PM: hibernate: Emit an error when image writing fails Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 143/185] PM: hibernate: Use atomic64_t for compressed_size variable Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 144/185] btrfs: zoned: fix conventional zone capacity calculation Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 145/185] btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 146/185] btrfs: do not update last_log_commit when logging inode due to a new name Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 147/185] btrfs: release root after error in data_reloc_print_warning_inode() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 148/185] drm/amdkfd: relax checks for over allocation of save area Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 149/185] drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 150/185] pmdomain: arm: scmi: Fix genpd leak on provider registration failure Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 151/185] pmdomain: imx: Fix reference count leak in imx_gpc_remove Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 152/185] pmdomain: samsung: plug potential memleak during probe Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 153/185] selftests: mptcp: connect: fix fallback note due to OoO Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 154/185] selftests: mptcp: join: rm: set backup flag Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 155/185] selftests: mptcp: join: endpoints: longer transfer Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 156/185] selftests: mptcp: connect: trunc: read all recv data Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 157/185] selftests: mptcp: join: userspace: longer transfer Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 158/185] selftests: mptcp: join: properly kill background tasks Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 159/185] mptcp: fix MSG_PEEK stream corruption Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 160/185] wifi: cfg80211: add an hrtimer based delayed work item Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 161/185] wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 162/185] mm, percpu: do not consider sleepable allocations atomic Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 163/185] KVM: guest_memfd: Pass index, not gfn, to __kvm_gmem_get_pfn() Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 164/185] KVM: guest_memfd: Remove RCU-protected attribute from slot->gmem.file Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 165/185] KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 166/185] net: netpoll: Individualize the skb pool Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 167/185] net: netpoll: flush skb pool during cleanup Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 168/185] net: netpoll: fix incorrect refcount handling causing incorrect cleanup Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 169/185] KVM: VMX: Split out guts of EPT violation to common/exposed function Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 170/185] KVM: VMX: Fix check for valid GVA on an EPT violation Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 171/185] ALSA: hda: Fix missing pointer check in hda_component_manager_init function Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 172/185] io_uring/napi: fix io_napi_entry RCU accesses Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 173/185] rust: kbuild: treat `build_error` and `rustdoc` as kernel objects Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 174/185] rust: kbuild: workaround `rustdoc` doctests modifier bug Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 175/185] uio_hv_generic: Set event for all channels on the device Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 176/185] mm/memory: do not populate page table entries beyond i_size Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 177/185] mm/truncate: unmap large folio on split failure Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 178/185] mm/secretmem: fix use-after-free race in fault handler Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 179/185] mm/huge_memory: do not change split_huge_page*() target order silently Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 180/185] mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 181/185] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 182/185] net: phy: micrel: Fix lan8814_config_init Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 183/185] net: netpoll: ensure skb_pool list is always initialized Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 184/185] proc: proc_maps_open allow proc_mem_open to return NULL Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 185/185] Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete Greg Kroah-Hartman
2025-11-21 13:46 ` [PATCH 6.12 000/185] 6.12.59-rc1 review Pavel Machek
2025-11-21 16:28 ` Jon Hunter
2025-11-21 17:05 ` Brett Mastbergen
2025-11-21 18:22 ` Florian Fainelli
2025-11-22 4:46 ` Naresh Kamboju
2025-11-22 6:47 ` Greg Kroah-Hartman
2025-11-22 5:53 ` Brett A C Sheffield
2025-11-22 8:51 ` Pavel Machek
2025-11-22 9:05 ` Peter Schneider
2025-11-22 10:54 ` Jeffrin Thalakkottoor
2025-11-22 11:09 ` Ron Economos
2025-11-22 23:37 ` Miguel Ojeda
2025-11-23 11:53 ` Mark Brown
2025-11-25 13:20 ` Pavel Machek
2025-11-25 13:54 ` Takashi Iwai
2025-11-26 10:01 ` Pavel Machek
2025-11-26 10:06 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251121130147.115792024@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=xnguchen@sina.cn \
--cc=zzzccc427@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.