Commit 579028de authored by David S. Miller's avatar David S. Miller

Merge tag 'for-net-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

bluetooth pull request for net:

 - Fixes UAF and CVE-2021-3564
 - Fix VIRTIO_ID_BT to use an unassigned ID
 - Fix firmware loading on some Intel Controllers
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 1a802423 1f14a620
...@@ -2527,10 +2527,17 @@ static int btusb_intel_download_firmware_newgen(struct hci_dev *hdev, ...@@ -2527,10 +2527,17 @@ static int btusb_intel_download_firmware_newgen(struct hci_dev *hdev,
} }
btusb_setup_intel_newgen_get_fw_name(ver, fwname, sizeof(fwname), "sfi"); btusb_setup_intel_newgen_get_fw_name(ver, fwname, sizeof(fwname), "sfi");
err = request_firmware(&fw, fwname, &hdev->dev); err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
if (err < 0) { if (err < 0) {
if (!test_bit(BTUSB_BOOTLOADER, &data->flags)) {
/* Firmware has already been loaded */
set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
return 0;
}
bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
fwname, err); fwname, err);
return err; return err;
} }
...@@ -2680,12 +2687,24 @@ static int btusb_intel_download_firmware(struct hci_dev *hdev, ...@@ -2680,12 +2687,24 @@ static int btusb_intel_download_firmware(struct hci_dev *hdev,
err = btusb_setup_intel_new_get_fw_name(ver, params, fwname, err = btusb_setup_intel_new_get_fw_name(ver, params, fwname,
sizeof(fwname), "sfi"); sizeof(fwname), "sfi");
if (err < 0) { if (err < 0) {
if (!test_bit(BTUSB_BOOTLOADER, &data->flags)) {
/* Firmware has already been loaded */
set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
return 0;
}
bt_dev_err(hdev, "Unsupported Intel firmware naming"); bt_dev_err(hdev, "Unsupported Intel firmware naming");
return -EINVAL; return -EINVAL;
} }
err = request_firmware(&fw, fwname, &hdev->dev); err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
if (err < 0) { if (err < 0) {
if (!test_bit(BTUSB_BOOTLOADER, &data->flags)) {
/* Firmware has already been loaded */
set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
return 0;
}
bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
fwname, err); fwname, err);
return err; return err;
......
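Review bot: In all three error branches shown here (one in btusb_intel_download_firmware_newgen, two in btusb_intel_download_firmware), any negative `err` is turned into `return 0` with no log line whenever BTUSB_BOOTLOADER is clear. These lines appear only once in the rendering, so they are presumably the added side. Because the call is also switched to firmware_request_nowarn(), a missing file, an allocation failure or an unsupported name leaves no trace, and the controller keeps running the firmware it already has. I would log the fallback, e.g. `bt_dev_info(hdev, "Firmware request failed (%d), keeping firmware already on controller", err);`, and consider limiting it to the not-found case if that is the only one intended. The same five-line block is repeated three times and could be a small static helper. Both functions start and end outside the hunks.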
...@@ -54,7 +54,7 @@ ...@@ -54,7 +54,7 @@
#define VIRTIO_ID_SOUND 25 /* virtio sound */ #define VIRTIO_ID_SOUND 25 /* virtio sound */
#define VIRTIO_ID_FS 26 /* virtio filesystem */ #define VIRTIO_ID_FS 26 /* virtio filesystem */
#define VIRTIO_ID_PMEM 27 /* virtio pmem */ #define VIRTIO_ID_PMEM 27 /* virtio pmem */
#define VIRTIO_ID_BT 28 /* virtio bluetooth */
#define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */ #define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */
#define VIRTIO_ID_BT 40 /* virtio bluetooth */
#endif /* _LINUX_VIRTIO_IDS_H */ #endif /* _LINUX_VIRTIO_IDS_H */
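Review bot: The VIRTIO_ID_BT define now sits after VIRTIO_ID_MAC80211_HWSIM with a value that skips from 29 to 40, and nothing in the header says why or records that the number changed. If this header is visible to userspace or to device models (the include guard suggests a shared header, but the path is not shown here), anything built against the earlier value will no longer match the driver, so the change deserves a trace in the file. A short comment would do, for example `#define VIRTIO_ID_BT 40 /* virtio bluetooth; earlier value 28 was not assigned to it */`.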
...@@ -1610,8 +1610,13 @@ static int hci_dev_do_open(struct hci_dev *hdev) ...@@ -1610,8 +1610,13 @@ static int hci_dev_do_open(struct hci_dev *hdev)
} else { } else {
/* Init failed, cleanup */ /* Init failed, cleanup */
flush_work(&hdev->tx_work); flush_work(&hdev->tx_work);
flush_work(&hdev->cmd_work);
/* Since hci_rx_work() is possible to awake new cmd_work
* it should be flushed first to avoid unexpected call of
* hci_cmd_work()
*/
flush_work(&hdev->rx_work); flush_work(&hdev->rx_work);
flush_work(&hdev->cmd_work);
skb_queue_purge(&hdev->cmd_q); skb_queue_purge(&hdev->cmd_q);
skb_queue_purge(&hdev->rx_q); skb_queue_purge(&hdev->rx_q);
......
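Review bot: The new flush order is only sufficient if nothing can queue rx_work again once `flush_work(&hdev->rx_work)` has returned, and the hunk does not show what stops frames from arriving at that point. If that is guaranteed earlier in hci_dev_do_open (which starts outside the hunk), the comment should say so. The comment would also read more clearly as `/* hci_rx_work() can queue cmd_work, so flush rx_work before cmd_work; otherwise hci_cmd_work() may still be pending when the queues below are purged */`. tx_work is still flushed ahead of rx_work; whether rx processing can queue tx_work is not visible here and is worth checking for the same reason.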
...@@ -762,7 +762,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) ...@@ -762,7 +762,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
/* Detach sockets from device */ /* Detach sockets from device */
read_lock(&hci_sk_list.lock); read_lock(&hci_sk_list.lock);
sk_for_each(sk, &hci_sk_list.head) { sk_for_each(sk, &hci_sk_list.head) {
bh_lock_sock_nested(sk); lock_sock(sk);
if (hci_pi(sk)->hdev == hdev) { if (hci_pi(sk)->hdev == hdev) {
hci_pi(sk)->hdev = NULL; hci_pi(sk)->hdev = NULL;
sk->sk_err = EPIPE; sk->sk_err = EPIPE;
...@@ -771,7 +771,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) ...@@ -771,7 +771,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
hci_dev_put(hdev); hci_dev_put(hdev);
} }
bh_unlock_sock(sk); release_sock(sk);
} }
read_unlock(&hci_sk_list.lock); read_unlock(&hci_sk_list.lock);
} }
......
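Review bot: lock_sock() can sleep, but it is now called inside the sk_for_each() loop while `read_lock(&hci_sk_list.lock)` is held, which is an atomic section. The bh_lock_sock_nested() call it replaces was a spin lock and so was legal there. One way to keep the sleeping lock is to pin each matching socket, drop the list lock, take lock_sock(), re-check `hdev` and rescan the list, as sketched below. The sketch is untested; its unlocked comparison is only a filter, and the real test is repeated under the socket lock. hci_sock_dev_event starts outside the hunk and the detach body between the two hunks is not fully visible.

```c
	/* Detach sockets from device */
restart:
	read_lock(&hci_sk_list.lock);
	sk_for_each(sk, &hci_sk_list.head) {
		if (hci_pi(sk)->hdev != hdev)
			continue;

		/* Pin the socket, then leave the atomic section before sleeping */
		sock_hold(sk);
		read_unlock(&hci_sk_list.lock);

		lock_sock(sk);
		if (hci_pi(sk)->hdev == hdev) {
			/* … unchanged: detach body (clear hdev, set sk_err, hci_dev_put) … */
		}
		release_sock(sk);
		sock_put(sk);

		/* The list may have changed while it was unlocked */
		goto restart;
	}
	read_unlock(&hci_sk_list.lock);
```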