<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/bluetooth/hidp, branch v5.12</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Bluetooth: hidp: use correct wait queue when removing ctrl_wait</title>
<updated>2020-11-09T13:02:47+00:00</updated>
<author>
<name>Ole Bjørn Midtbø</name>
<email>omidtbo@cisco.com</email>
</author>
<published>2020-10-17T11:15:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=cca342d98bef68151a80b024f7bf5f388d1fbdea'/>
<id>cca342d98bef68151a80b024f7bf5f388d1fbdea</id>
<content type='text'>
A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next-&gt;prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [&lt;ffffffc000443f78&gt;] __list_add+0x38/0xb0
 [&lt;ffffffc0000f0d04&gt;] add_wait_queue+0x4c/0x68
 [&lt;ffffffc00020eecc&gt;] __pollwait+0xec/0x100
 [&lt;ffffffc000d1556c&gt;] bt_sock_poll+0x74/0x200
 [&lt;ffffffc000bdb8a8&gt;] sock_poll+0x110/0x128
 [&lt;ffffffc000210378&gt;] do_sys_poll+0x220/0x480
 [&lt;ffffffc0002106f0&gt;] SyS_poll+0x80/0x138
 [&lt;ffffffc00008510c&gt;] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [&lt;ffffffc0000f079c&gt;] __wake_up_common+0x7c/0xa8
  [&lt;ffffffc0000f0818&gt;] __wake_up+0x50/0x70
  [&lt;ffffffc000be11b0&gt;] sock_def_wakeup+0x58/0x60
  [&lt;ffffffc000de5e10&gt;] l2cap_sock_teardown_cb+0x200/0x224
  [&lt;ffffffc000d3f2ac&gt;] l2cap_chan_del+0xa4/0x298
  [&lt;ffffffc000d45ea0&gt;] l2cap_conn_del+0x118/0x198
  [&lt;ffffffc000d45f8c&gt;] l2cap_disconn_cfm+0x6c/0x78
  [&lt;ffffffc000d29934&gt;] hci_event_packet+0x564/0x2e30
  [&lt;ffffffc000d19b0c&gt;] hci_rx_work+0x10c/0x360
  [&lt;ffffffc0000c2218&gt;] process_one_work+0x268/0x460
  [&lt;ffffffc0000c2678&gt;] worker_thread+0x268/0x480
  [&lt;ffffffc0000c94e0&gt;] kthread+0x118/0x128
  [&lt;ffffffc000085070&gt;] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø &lt;omidtbo@cisco.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next-&gt;prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [&lt;ffffffc000443f78&gt;] __list_add+0x38/0xb0
 [&lt;ffffffc0000f0d04&gt;] add_wait_queue+0x4c/0x68
 [&lt;ffffffc00020eecc&gt;] __pollwait+0xec/0x100
 [&lt;ffffffc000d1556c&gt;] bt_sock_poll+0x74/0x200
 [&lt;ffffffc000bdb8a8&gt;] sock_poll+0x110/0x128
 [&lt;ffffffc000210378&gt;] do_sys_poll+0x220/0x480
 [&lt;ffffffc0002106f0&gt;] SyS_poll+0x80/0x138
 [&lt;ffffffc00008510c&gt;] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [&lt;ffffffc0000f079c&gt;] __wake_up_common+0x7c/0xa8
  [&lt;ffffffc0000f0818&gt;] __wake_up+0x50/0x70
  [&lt;ffffffc000be11b0&gt;] sock_def_wakeup+0x58/0x60
  [&lt;ffffffc000de5e10&gt;] l2cap_sock_teardown_cb+0x200/0x224
  [&lt;ffffffc000d3f2ac&gt;] l2cap_chan_del+0xa4/0x298
  [&lt;ffffffc000d45ea0&gt;] l2cap_conn_del+0x118/0x198
  [&lt;ffffffc000d45f8c&gt;] l2cap_disconn_cfm+0x6c/0x78
  [&lt;ffffffc000d29934&gt;] hci_event_packet+0x564/0x2e30
  [&lt;ffffffc000d19b0c&gt;] hci_rx_work+0x10c/0x360
  [&lt;ffffffc0000c2218&gt;] process_one_work+0x268/0x460
  [&lt;ffffffc0000c2678&gt;] worker_thread+0x268/0x480
  [&lt;ffffffc0000c94e0&gt;] kthread+0x118/0x128
  [&lt;ffffffc000085070&gt;] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø &lt;omidtbo@cisco.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: make -&gt;{get,set}sockopt in proto_ops optional</title>
<updated>2020-07-20T01:16:41+00:00</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2020-07-17T06:23:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a44d9e72100f7044ac46e4e6dc475f5b4097830f'/>
<id>a44d9e72100f7044ac46e4e6dc475f5b4097830f</id>
<content type='text'>
Just check for a NULL method instead of wiring up
sock_no_{get,set}sockopt.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Acked-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Just check for a NULL method instead of wiring up
sock_no_{get,set}sockopt.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Acked-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: optimize barrier usage for Rmw atomics</title>
<updated>2020-01-29T18:50:44+00:00</updated>
<author>
<name>Davidlohr Bueso</name>
<email>dave@stgolabs.net</email>
</author>
<published>2020-01-29T18:10:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fe66483156050f4eb63c4a1988f3b439e6c9ff2a'/>
<id>fe66483156050f4eb63c4a1988f3b439e6c9ff2a</id>
<content type='text'>
Use smp_mb__before_atomic() instead of smp_mb() and avoid the
unnecessary barrier for non LL/SC architectures, such as x86.

Signed-off-by: Davidlohr Bueso &lt;dbueso@suse.de&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use smp_mb__before_atomic() instead of smp_mb() and avoid the
unnecessary barrier for non LL/SC architectures, such as x86.

Signed-off-by: Davidlohr Bueso &lt;dbueso@suse.de&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message</title>
<updated>2019-09-06T13:55:40+00:00</updated>
<author>
<name>Dan Elkouby</name>
<email>streetwalkermc@gmail.com</email>
</author>
<published>2019-09-06T11:06:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8bb3537095f107ed55ad51f6241165b397aaafac'/>
<id>8bb3537095f107ed55ad51f6241165b397aaafac</id>
<content type='text'>
hidp_send_message was changed to return non-zero values on success,
which some other bits did not expect. This caused spurious errors to be
propagated through the stack, breaking some drivers, such as hid-sony
for the Dualshock 4 in Bluetooth mode.

As pointed out by Dan Carpenter, hid-microsoft directly relied on that
assumption as well.

Fixes: 48d9cc9d85dd ("Bluetooth: hidp: Let hidp_send_message return number of queued bytes")

Signed-off-by: Dan Elkouby &lt;streetwalkermc@gmail.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
hidp_send_message was changed to return non-zero values on success,
which some other bits did not expect. This caused spurious errors to be
propagated through the stack, breaking some drivers, such as hid-sony
for the Dualshock 4 in Bluetooth mode.

As pointed out by Dan Carpenter, hid-microsoft directly relied on that
assumption as well.

Fixes: 48d9cc9d85dd ("Bluetooth: hidp: Let hidp_send_message return number of queued bytes")

Signed-off-by: Dan Elkouby &lt;streetwalkermc@gmail.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: Let hidp_send_message return number of queued bytes</title>
<updated>2019-08-12T16:23:50+00:00</updated>
<author>
<name>Fabian Henneke</name>
<email>fabian.henneke@gmail.com</email>
</author>
<published>2019-07-15T17:40:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=48d9cc9d85dde37c87abb7ac9bbec6598ba44b56'/>
<id>48d9cc9d85dde37c87abb7ac9bbec6598ba44b56</id>
<content type='text'>
Let hidp_send_message return the number of successfully queued bytes
instead of an unconditional 0.

With the return value fixed to 0, other drivers relying on hidp, such as
hidraw, can not return meaningful values from their respective
implementations of write(). In particular, with the current behavior, a
hidraw device's write() will have different return values depending on
whether the device is connected via USB or Bluetooth, which makes it
harder to abstract away the transport layer.

Signed-off-by: Fabian Henneke &lt;fabian.henneke@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Let hidp_send_message return the number of successfully queued bytes
instead of an unconditional 0.

With the return value fixed to 0, other drivers relying on hidp, such as
hidraw, can not return meaningful values from their respective
implementations of write(). In particular, with the current behavior, a
hidraw device's write() will have different return values depending on
whether the device is connected via USB or Bluetooth, which makes it
harder to abstract away the transport layer.

Signed-off-by: Fabian Henneke &lt;fabian.henneke@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: NUL terminate a string in the compat ioctl</title>
<updated>2019-07-06T11:07:41+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2019-05-16T18:24:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=dcae9052ebb0c5b2614de620323d615fcbfda7f8'/>
<id>dcae9052ebb0c5b2614de620323d615fcbfda7f8</id>
<content type='text'>
This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix
buffer overflow") but for the compat ioctl.  We take a string from the
user and forgot to ensure that it's NUL terminated.

I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
The difference is the strncpy() doesn't necessarily NUL terminate the
destination string.  Either change would fix the problem but it's nice
to take a belt and suspenders approach and do both.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix
buffer overflow") but for the compat ioctl.  We take a string from the
user and forgot to ensure that it's NUL terminated.

I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
The difference is the strncpy() doesn't necessarily NUL terminate the
destination string.  Either change would fix the problem but it's nice
to take a belt and suspenders approach and do both.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Add SPDX license identifier - Makefile/Kconfig</title>
<updated>2019-05-21T08:50:46+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-19T12:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1'/>
<id>ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1</id>
<content type='text'>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: fix buffer overflow</title>
<updated>2019-04-23T17:04:38+00:00</updated>
<author>
<name>Young Xiao</name>
<email>YangX92@hotmail.com</email>
</author>
<published>2019-04-12T07:24:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a1616a5ac99ede5d605047a9012481ce7ff18b16'/>
<id>a1616a5ac99ede5d605047a9012481ce7ff18b16</id>
<content type='text'>
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao &lt;YangX92@hotmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: stable@vger.kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao &lt;YangX92@hotmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: stable@vger.kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs</title>
<updated>2018-10-25T19:48:22+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-10-25T19:48:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ba7d4f36a2ec7d6f8d9e5c6cabbc57469dd4dc22'/>
<id>ba7d4f36a2ec7d6f8d9e5c6cabbc57469dd4dc22</id>
<content type='text'>
Pull compat_ioctl fixes from Al Viro:
 "A bunch of compat_ioctl fixes, mostly in bluetooth.

  Hopefully, most of fs/compat_ioctl.c will get killed off over the next
  few cycles; between this, tty series already merged and Arnd's work
  this cycle ought to take a good chunk out of the damn thing..."

* 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  hidp: fix compat_ioctl
  hidp: constify hidp_connection_add()
  cmtp: fix compat_ioctl
  bnep: fix compat_ioctl
  compat_ioctl: trim the pointless includes
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull compat_ioctl fixes from Al Viro:
 "A bunch of compat_ioctl fixes, mostly in bluetooth.

  Hopefully, most of fs/compat_ioctl.c will get killed off over the next
  few cycles; between this, tty series already merged and Arnd's work
  this cycle ought to take a good chunk out of the damn thing..."

* 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  hidp: fix compat_ioctl
  hidp: constify hidp_connection_add()
  cmtp: fix compat_ioctl
  bnep: fix compat_ioctl
  compat_ioctl: trim the pointless includes
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Remove unnecessary smp_mb__{before,after}_atomic</title>
<updated>2018-09-27T09:59:58+00:00</updated>
<author>
<name>Andrea Parri</name>
<email>andrea.parri@amarulasolutions.com</email>
</author>
<published>2018-08-14T18:41:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5aac49378742a52bbe8af3d25bc51b487be7b17f'/>
<id>5aac49378742a52bbe8af3d25bc51b487be7b17f</id>
<content type='text'>
The barriers are unneeded; wait_woken() and woken_wake_function()
already provide us with the required synchronization: remove them
and document that we're relying on the (implicit) synchronization
provided by wait_woken() and woken_wake_function().

Signed-off-by: Andrea Parri &lt;andrea.parri@amarulasolutions.com&gt;
Reviewed-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The barriers are unneeded; wait_woken() and woken_wake_function()
already provide us with the required synchronization: remove them
and document that we're relying on the (implicit) synchronization
provided by wait_woken() and woken_wake_function().

Signed-off-by: Andrea Parri &lt;andrea.parri@amarulasolutions.com&gt;
Reviewed-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
