From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, cen zhang <zzzccc427@gmail.com>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Chen Yu <xnguchen@sina.cn>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 090/185] Bluetooth: MGMT: Fix possible UAFs
Date: Fri, 21 Nov 2025 14:11:57 +0100
Message-ID: <20251121130147.115792024@linuxfoundation.org>
In-Reply-To: <20251121130143.857798067@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 302a1f674c00dd5581ab8e493ef44767c5101aab ]
This attempts to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed like in the following trace, in order
to fix mgmt_pending_valid is introduced and used to check if the
mgmt_pending hasn't been removed from the pending list, on the complete
callbacks it is used to check and in addition remove the cmd from the list
while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd
is left on the list it can still be accessed and freed.
BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55
CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 12210:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1133
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 12221:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4648 [inline]
kfree+0x18e/0x440 mm/slub.c:4847
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
sock_do_ioctl+0xd9/0x300 net/socket.c:1192
sock_ioctl+0x576/0x790 net/socket.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED")
Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync")
Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync")
Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP")
Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE")
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME")
Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION")
Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor")
Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING")
Reported-by: cen zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Chen Yu <xnguchen@sina.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------
net/bluetooth/mgmt_util.c | 46 +++++++
net/bluetooth/mgmt_util.h | 3 +
3 files changed, 231 insertions(+), 77 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index c54cc701cdd48..83e33d9cfb33c 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
struct mgmt_mode *cp;
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
cp = cmd->param;
@@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
mgmt_status(err));
}
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int set_powered_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp;
+ struct mgmt_mode cp;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
/* Make sure cmd still outstanding. */
- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
return -ECANCELED;
+ }
- cp = cmd->param;
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
BT_DBG("%s", hdev->name);
- return hci_set_powered_sync(hdev, cp->val);
+ return hci_set_powered_sync(hdev, cp.val);
}
static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
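Review bot: The lock, __mgmt_pending_listed() check, memcpy() of cmd->param and unlock sequence added to set_powered_sync() is repeated almost verbatim in set_ssp_sync(), set_le_sync(), set_mesh_sync(), set_name_sync() and set_adv_sync() later in this patch. A small helper in mgmt_util.c that takes the destination buffer and its size and returns -ECANCELED when the cmd is no longer listed would keep the six copies from drifting apart, and would give one place to check the copy size against cmd->param_len.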
@@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
bt_dev_dbg(hdev, "err %d", err);
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
hci_dev_lock(hdev);
@@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
new_settings(hdev, cmd->sk);
done:
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_dev_unlock(hdev);
}
static int set_discoverable_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
BT_DBG("%s", hdev->name);
return hci_update_discoverable_sync(hdev);
@@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
bt_dev_dbg(hdev, "err %d", err);
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
hci_dev_lock(hdev);
@@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
new_settings(hdev, cmd->sk);
done:
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_dev_unlock(hdev);
}
@@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev,
static int set_connectable_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
BT_DBG("%s", hdev->name);
return hci_update_connectable_sync(hdev);
@@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
{
struct cmd_lookup match = { NULL, hdev };
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
- u8 enable = cp->val;
+ struct mgmt_mode *cp;
+ u8 enable;
bool changed;
/* Make sure cmd still outstanding. */
- if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
+ cp = cmd->param;
+ enable = cp->val;
+
if (err) {
u8 mgmt_err = mgmt_status(err);
@@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
new_settings(hdev, NULL);
}
- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true,
- cmd_status_rsp, &mgmt_err);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
return;
}
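Review bot: The error branch of set_ssp_complete() now returns right after mgmt_cmd_status() without calling mgmt_pending_free(cmd), although mgmt_pending_valid() has already unlinked the cmd from hdev->mgmt_pending at the top of the function, so nothing else can reach it to free it. set_le_complete() handles the same case with goto done and mgmt_pending_free(cmd); the same is needed here, and the success path after settings_rsp(cmd, &match) should be checked for the same omission.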
@@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
}
- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match);
+ settings_rsp(cmd, &match);
if (changed)
new_settings(hdev, match.sk);
@@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
static int set_ssp_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
+ struct mgmt_mode cp;
bool changed = false;
int err;
- if (cp->val)
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ if (cp.val)
changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
- err = hci_write_ssp_mode_sync(hdev, cp->val);
+ err = hci_write_ssp_mode_sync(hdev, cp.val);
if (!err && changed)
hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
@@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
static void set_le_complete(struct hci_dev *hdev, void *data, int err)
{
+ struct mgmt_pending_cmd *cmd = data;
struct cmd_lookup match = { NULL, hdev };
u8 status = mgmt_status(err);
bt_dev_dbg(hdev, "err %d", err);
- if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp,
- &status);
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data))
return;
+
+ if (status) {
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status);
+ goto done;
}
- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match);
+ settings_rsp(cmd, &match);
new_settings(hdev, match.sk);
if (match.sk)
sock_put(match.sk);
+
+done:
+ mgmt_pending_free(cmd);
}
static int set_le_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
- u8 val = !!cp->val;
+ struct mgmt_mode cp;
+ u8 val;
int err;
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+ val = !!cp.val;
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
if (!val) {
hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
@@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
u8 status = mgmt_status(err);
- struct sock *sk = cmd->sk;
+ struct sock *sk;
+
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
+ return;
+
+ sk = cmd->sk;
if (status) {
mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
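Review bot: The status branch of set_mesh_complete(), kept here as context, still calls mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, ...), but the new mgmt_pending_valid() call above it has already taken cmd off the pending list, so that walk can no longer find this cmd to send its status or free it. The other converted callbacks reply with mgmt_cmd_status(cmd->sk, ...) and then call mgmt_pending_free(cmd); this branch should follow the same pattern.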
@@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
static int set_mesh_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_cp_set_mesh *cp = cmd->param;
- size_t len = cmd->param_len;
+ struct mgmt_cp_set_mesh cp;
+ size_t len;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ len = cmd->param_len;
memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
- if (cp->enable)
+ if (cp.enable)
hci_dev_set_flag(hdev, HCI_MESH);
else
hci_dev_clear_flag(hdev, HCI_MESH);
- hdev->le_scan_interval = __le16_to_cpu(cp->period);
- hdev->le_scan_window = __le16_to_cpu(cp->window);
+ hdev->le_scan_interval = __le16_to_cpu(cp.period);
+ hdev->le_scan_window = __le16_to_cpu(cp.window);
- len -= sizeof(*cp);
+ len -= sizeof(cp);
/* If filters don't fit, forward all adv pkts */
if (len <= sizeof(hdev->mesh_ad_types))
- memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+ memcpy(hdev->mesh_ad_types, cp.ad_types, len);
hci_update_passive_scan_sync(hdev);
return 0;
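Review bot: In set_mesh_sync(), cmd->param_len is read after mutex_unlock() and cp.ad_types is read from a stack copy that does not contain it. len = cmd->param_len runs when the cmd may already have been freed, so it should move inside the locked region. memcpy(&cp, cmd->param, sizeof(cp)) copies only the fixed part of struct mgmt_cp_set_mesh, while len -= sizeof(cp) makes len the size of the data that follows it, so memcpy(hdev->mesh_ad_types, cp.ad_types, len) reads past the local cp; the ad_types bytes need to be copied out of cmd->param under the lock as well.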
@@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data)
static void set_name_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_cp_set_local_name *cp = cmd->param;
+ struct mgmt_cp_set_local_name *cp;
u8 status = mgmt_status(err);
bt_dev_dbg(hdev, "err %d", err);
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
+ cp = cmd->param;
+
if (status) {
mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
status);
@@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err)
hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
}
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int set_name_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_cp_set_local_name *cp = cmd->param;
+ struct mgmt_cp_set_local_name cp;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
if (lmp_bredr_capable(hdev)) {
- hci_update_name_sync(hdev, cp->name);
+ hci_update_name_sync(hdev, cp.name);
hci_update_eir_sync(hdev);
}
@@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
- struct sk_buff *skb = cmd->skb;
+ struct sk_buff *skb;
u8 status = mgmt_status(err);
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
- return;
+ skb = cmd->skb;
if (!status) {
if (!skb)
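Review bot: set_default_phy_complete() no longer returns early on err == -ECANCELED, so a cancelled command now continues into the status handling and mgmt_pending_free(cmd). That is only safe because set_phy_configuration() switches to mgmt_pending_new() further down, so the cmd never goes on hdev->mgmt_pending; a short comment here saying so would help, and the commit message should mention this change of ownership, which also applies to read_local_oob_ext_data_complete().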
@@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
if (skb && !IS_ERR(skb))
kfree_skb(skb);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int set_default_phy_sync(struct hci_dev *hdev, void *data)
@@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data)
struct mgmt_pending_cmd *cmd = data;
struct mgmt_cp_set_phy_configuration *cp = cmd->param;
struct hci_cp_le_set_default_phy cp_phy;
- u32 selected_phys = __le32_to_cpu(cp->selected_phys);
+ u32 selected_phys;
+
+ selected_phys = __le32_to_cpu(cp->selected_phys);
memset(&cp_phy, 0, sizeof(cp_phy));
@@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
goto unlock;
}
- cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
+ cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
len);
if (!cmd)
err = -ENOMEM;
@@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
{
struct mgmt_rp_add_adv_patterns_monitor rp;
struct mgmt_pending_cmd *cmd = data;
- struct adv_monitor *monitor = cmd->user_data;
+ struct adv_monitor *monitor;
+
+ /* This is likely the result of hdev being closed and mgmt_index_removed
+ * is attempting to clean up any pending command so
+ * hci_adv_monitors_clear is about to be called which will take care of
+ * freeing the adv_monitor instances.
+ */
+ if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
+ return;
+
+ monitor = cmd->user_data;
hci_dev_lock(hdev);
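Review bot: The new check in mgmt_add_adv_patterns_monitor_complete() uses && where every other complete callback in this patch uses ||: if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)). With &&, mgmt_pending_valid() is not called at all unless status is -ECANCELED, so in the normal case the cmd is neither validated nor unlinked under mgmt_pending_lock before cmd->user_data is read. If the asymmetry is intentional the comment should say why; otherwise this should be || like the rest.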
@@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct adv_monitor *monitor = cmd->user_data;
+ struct adv_monitor *mon;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ mon = cmd->user_data;
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
- return hci_add_adv_monitor(hdev, monitor);
+ return hci_add_adv_monitor(hdev, mon);
}
static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
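Review bot: In mgmt_add_adv_patterns_monitor_sync(), mon = cmd->user_data is fetched under mgmt_pending_lock but passed to hci_add_adv_monitor() after mutex_unlock(), and the lock only covers the pending list, not the adv_monitor that mon points to. The comment added in mgmt_add_adv_patterns_monitor_complete() says hci_adv_monitors_clear() frees the adv_monitor instances when hdev is closed, so it is worth stating here what keeps mon alive across the call.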
@@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
status);
}
-static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
+static void read_local_oob_data_complete(struct hci_dev *hdev, void *data,
+ int err)
{
struct mgmt_rp_read_local_oob_data mgmt_rp;
size_t rp_size = sizeof(mgmt_rp);
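Review bot: The re-wrapping of the read_local_oob_data_complete() prototype here, and of the mgmt_cmd_status() call in the next hunk, is whitespace-only and unrelated to the UAF fix. Keeping it out of this patch would make the stable backport smaller and easier to audit.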
@@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e
bt_dev_dbg(hdev, "status %d", status);
if (status) {
- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
+ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
+ status);
goto remove;
}
@@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
bt_dev_dbg(hdev, "err %d", err);
- if (err == -ECANCELED)
- return;
-
- if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
- cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
- cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
cmd->param, 1);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
DISCOVERY_FINDING);
@@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
static int start_discovery_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
return hci_start_discovery_sync(hdev);
}
@@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
{
struct mgmt_pending_cmd *cmd = data;
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
return;
bt_dev_dbg(hdev, "err %d", err);
mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
cmd->param, 1);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
if (!err)
hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
@@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
static int stop_discovery_sync(struct hci_dev *hdev, void *data)
{
+ if (!mgmt_pending_listed(hdev, data))
+ return -ECANCELED;
+
return hci_stop_discovery_sync(hdev);
}
@@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err)
static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
{
+ struct mgmt_pending_cmd *cmd = data;
struct cmd_lookup match = { NULL, hdev };
u8 instance;
struct adv_info *adv_instance;
u8 status = mgmt_status(err);
+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data))
+ return;
+
if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true,
- cmd_status_rsp, &status);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status);
+ mgmt_pending_free(cmd);
return;
}
@@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
else
hci_dev_clear_flag(hdev, HCI_ADVERTISING);
- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp,
- &match);
+ settings_rsp(cmd, &match);
new_settings(hdev, match.sk);
@@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
static int set_adv_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
- struct mgmt_mode *cp = cmd->param;
- u8 val = !!cp->val;
+ struct mgmt_mode cp;
+ u8 val;
- if (cp->val == 0x02)
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ if (!__mgmt_pending_listed(hdev, cmd)) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
+ return -ECANCELED;
+ }
+
+ memcpy(&cp, cmd->param, sizeof(cp));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ val = !!cp.val;
+
+ if (cp.val == 0x02)
hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
else
hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
@@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
u8 status = mgmt_status(err);
u16 eir_len;
- if (err == -ECANCELED ||
- cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
- return;
-
if (!status) {
if (!skb)
status = MGMT_STATUS_FAILED;
@@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
kfree_skb(skb);
kfree(mgmt_rp);
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
}
static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
@@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
struct mgmt_pending_cmd *cmd;
int err;
- cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
+ cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
cp, sizeof(*cp));
if (!cmd)
return -ENOMEM;
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index a88a07da39473..aa7b5585cb268 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
mgmt_pending_free(cmd);
}
+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+ struct mgmt_pending_cmd *tmp;
+
+ lockdep_assert_held(&hdev->mgmt_pending_lock);
+
+ if (!cmd)
+ return false;
+
+ list_for_each_entry(tmp, &hdev->mgmt_pending, list) {
+ if (cmd == tmp)
+ return true;
+ }
+
+ return false;
+}
+
+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+ bool listed;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+ listed = __mgmt_pending_listed(hdev, cmd);
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ return listed;
+}
+
+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
+{
+ bool listed;
+
+ if (!cmd)
+ return false;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+
+ listed = __mgmt_pending_listed(hdev, cmd);
+ if (listed)
+ list_del(&cmd->list);
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+ return listed;
+}
+
void mgmt_mesh_foreach(struct hci_dev *hdev,
void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data),
void *data, struct sock *sk)
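Review bot: mgmt_pending_valid() reads like a pure predicate but calls list_del(&cmd->list) when it returns true, which hands ownership of cmd to the caller, and none of the three new helpers carries a comment. A comment above mgmt_pending_valid() should state that side effect and that the caller must then finish with mgmt_pending_free(), as the converted callbacks now do in place of mgmt_pending_remove(). mgmt_pending_listed() deserves a note as well: its answer can be stale as soon as the lock is dropped, so callers must not dereference cmd on the strength of it.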
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index 024e51dd69375..bcba8c9d89528 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
void *data, u16 len);
void mgmt_pending_free(struct mgmt_pending_cmd *cmd);
void mgmt_pending_remove(struct mgmt_pending_cmd *cmd);
+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd);
void mgmt_mesh_foreach(struct hci_dev *hdev,
void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data),
void *data, struct sock *sk);
--
2.51.0
2025-11-21 13:11 ` [PATCH 6.12 080/185] ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 081/185] acpi/hmat: Fix lockdep warning for hmem_register_resource() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 082/185] bpf: Add bpf_prog_run_data_pointers() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 083/185] bpf: account for current allocated stack depth in widen_imprecise_scalars() Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 084/185] irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 085/185] wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 086/185] proc: fix the issue of proc_mem_open returning NULL Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 087/185] ext4: introduce ITAIL helper Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 088/185] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 089/185] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2025-11-21 13:11 ` Greg Kroah-Hartman [this message]
2025-11-21 13:11 ` [PATCH 6.12 091/185] f2fs: fix to avoid overflow while left shift operation Greg Kroah-Hartman
2025-11-21 13:11 ` [PATCH 6.12 092/185] hostfs: Fix only passing host root in boot stage with new mount Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 093/185] mtd: onenand: Pass correct pointer to IRQ handler Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 094/185] virtio-fs: fix incorrect check for fsvq->kobj Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 095/185] fs/namespace: correctly handle errors returned by grab_requested_mnt_ns Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 096/185] sched_ext: Fix unsafe locking in the scx_dump_state() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 097/185] Revert "netfilter: nf_tables: Reintroduce shortened deletion notifications" Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 098/185] netfilter: nf_tables: reject duplicate device on updates Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 099/185] arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 100/185] arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 101/185] ARM: dts: imx51-zii-rdu1: Fix audmux node names Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 102/185] HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 103/185] ARM: dts: BCM53573: Fix address of Luxul XAP-1440s Ethernet PHY Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 104/185] HID: playstation: Fix memory leak in dualshock4_get_calibration_data() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 105/185] HID: uclogic: Fix potential memory leak in error path Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 106/185] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 107/185] LoongArch: KVM: Restore guest PMU if it is enabled Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 108/185] LoongArch: KVM: Add delay until timer interrupt injected Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 109/185] KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 110/185] nfsd: fix refcount leak in nfsd_set_fh_dentry() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 111/185] nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 112/185] NFSD: free copynotify stateid in nfs4_free_ol_stateid() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 113/185] gcov: add support for GCC 15 Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 114/185] ksmbd: close accepted socket when per-IP limit rejects connection Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 115/185] ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 116/185] strparser: Fix signed/unsigned mismatch bug Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 117/185] dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 118/185] LoongArch: Use correct accessor to read FWPC/MWPC Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 119/185] LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 120/185] ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 121/185] nilfs2: avoid having an active sc_timer before freeing sci Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 122/185] selftests/tracing: Run sample events to clear page cache events Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 123/185] wifi: mac80211: reject address change while connecting Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 124/185] fs/proc: fix uaf in proc_readdir_de() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 125/185] mm/mm_init: fix hash table order logging in alloc_large_system_hash() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 126/185] mm/shmem: fix THP allocation and fallback loop Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 127/185] mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 128/185] mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 129/185] ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 130/185] cifs: client: fix memory leak in smb3_fs_context_parse_param Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 131/185] codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 132/185] crash: fix crashkernel resource shrink Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 133/185] crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 134/185] smb: client: fix cifs_pick_channel when channel needs reconnect Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 135/185] spi: Try to get ACPI GPIO IRQ earlier Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 136/185] x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 137/185] selftests/user_events: fix type cast for write_index packed member in perf_test Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 138/185] ftrace: Fix BPF fexit with livepatch Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 139/185] LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 140/185] EDAC/altera: Handle OCRAM ECC enable after warm reset Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 141/185] EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 142/185] PM: hibernate: Emit an error when image writing fails Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 143/185] PM: hibernate: Use atomic64_t for compressed_size variable Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 144/185] btrfs: zoned: fix conventional zone capacity calculation Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 145/185] btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 146/185] btrfs: do not update last_log_commit when logging inode due to a new name Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 147/185] btrfs: release root after error in data_reloc_print_warning_inode() Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 148/185] drm/amdkfd: relax checks for over allocation of save area Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 149/185] drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 150/185] pmdomain: arm: scmi: Fix genpd leak on provider registration failure Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 151/185] pmdomain: imx: Fix reference count leak in imx_gpc_remove Greg Kroah-Hartman
2025-11-21 13:12 ` [PATCH 6.12 152/185] pmdomain: samsung: plug potential memleak during probe Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 153/185] selftests: mptcp: connect: fix fallback note due to OoO Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 154/185] selftests: mptcp: join: rm: set backup flag Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 155/185] selftests: mptcp: join: endpoints: longer transfer Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 156/185] selftests: mptcp: connect: trunc: read all recv data Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 157/185] selftests: mptcp: join: userspace: longer transfer Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 158/185] selftests: mptcp: join: properly kill background tasks Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 159/185] mptcp: fix MSG_PEEK stream corruption Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 160/185] wifi: cfg80211: add an hrtimer based delayed work item Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 161/185] wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 162/185] mm, percpu: do not consider sleepable allocations atomic Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 163/185] KVM: guest_memfd: Pass index, not gfn, to __kvm_gmem_get_pfn() Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 164/185] KVM: guest_memfd: Remove RCU-protected attribute from slot->gmem.file Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 165/185] KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 166/185] net: netpoll: Individualize the skb pool Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 167/185] net: netpoll: flush skb pool during cleanup Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 168/185] net: netpoll: fix incorrect refcount handling causing incorrect cleanup Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 169/185] KVM: VMX: Split out guts of EPT violation to common/exposed function Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 170/185] KVM: VMX: Fix check for valid GVA on an EPT violation Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 171/185] ALSA: hda: Fix missing pointer check in hda_component_manager_init function Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 172/185] io_uring/napi: fix io_napi_entry RCU accesses Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 173/185] rust: kbuild: treat `build_error` and `rustdoc` as kernel objects Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 174/185] rust: kbuild: workaround `rustdoc` doctests modifier bug Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 175/185] uio_hv_generic: Set event for all channels on the device Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 176/185] mm/memory: do not populate page table entries beyond i_size Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 177/185] mm/truncate: unmap large folio on split failure Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 178/185] mm/secretmem: fix use-after-free race in fault handler Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 179/185] mm/huge_memory: do not change split_huge_page*() target order silently Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 180/185] mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 181/185] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 182/185] net: phy: micrel: Fix lan8814_config_init Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 183/185] net: netpoll: ensure skb_pool list is always initialized Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 184/185] proc: proc_maps_open allow proc_mem_open to return NULL Greg Kroah-Hartman
2025-11-21 13:13 ` [PATCH 6.12 185/185] Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete Greg Kroah-Hartman
2025-11-21 13:46 ` [PATCH 6.12 000/185] 6.12.59-rc1 review Pavel Machek
2025-11-21 16:28 ` Jon Hunter
2025-11-21 17:05 ` Brett Mastbergen
2025-11-21 18:22 ` Florian Fainelli
2025-11-22 4:46 ` Naresh Kamboju
2025-11-22 6:47 ` Greg Kroah-Hartman
2025-11-22 5:53 ` Brett A C Sheffield
2025-11-22 8:51 ` Pavel Machek
2025-11-22 9:05 ` Peter Schneider
2025-11-22 10:54 ` Jeffrin Thalakkottoor
2025-11-22 11:09 ` Ron Economos
2025-11-22 23:37 ` Miguel Ojeda
2025-11-23 11:53 ` Mark Brown
2025-11-25 13:20 ` Pavel Machek
2025-11-25 13:54 ` Takashi Iwai
2025-11-26 10:01 ` Pavel Machek
2025-11-26 10:06 ` Takashi Iwai