!13009 CVE-2024-49950 (f705e909) · Commits · EulixOS / Software / Kernel

include/net/bluetooth/hci_core.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -1730,7 +1730,7 @@ void __mgmt_power_off(struct hci_dev *hdev);
		void mgmt_new_link_key(struct hci_dev hdev, struct link_key key,
		bool persistent);
		void mgmt_device_connected(struct hci_dev hdev, struct hci_conn conn,
		u32 flags, u8 *name, u8 name_len);
		u8 *name, u8 name_len);
		void mgmt_device_disconnected(struct hci_dev hdev, bdaddr_t bdaddr,
		u8 link_type, u8 addr_type, u8 reason,
		bool mgmt_connected);

include/net/bluetooth/mgmt.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -883,6 +883,7 @@ struct mgmt_ev_auth_failed {
		#define MGMT_DEV_FOUND_CONFIRM_NAME 0x01
		#define MGMT_DEV_FOUND_LEGACY_PAIRING 0x02
		#define MGMT_DEV_FOUND_NOT_CONNECTABLE 0x04
		#define MGMT_DEV_FOUND_INITIATED_CONN 0x08

		#define MGMT_EV_DEVICE_FOUND 0x0012
		struct mgmt_ev_device_found {

net/bluetooth/hci_core.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -4775,6 +4775,9 @@ static void hci_acldata_packet(struct hci_dev hdev, struct sk_buff skb)

		hci_dev_lock(hdev);
		conn = hci_conn_hash_lookup_handle(hdev, handle);
		if (conn && hci_dev_test_flag(hdev, HCI_MGMT) &&
		!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
		mgmt_device_connected(hdev, conn, NULL, 0);
		hci_dev_unlock(hdev);

		if (conn) {

net/bluetooth/hci_event.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -2044,7 +2044,7 @@ static void hci_check_pending_name(struct hci_dev hdev, struct hci_conn conn,
		if (conn &&
		(conn->state == BT_CONFIG \|\| conn->state == BT_CONNECTED) &&
		!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
		mgmt_device_connected(hdev, conn, 0, name, name_len);
		mgmt_device_connected(hdev, conn, name, name_len);

		if (discov->state == DISCOVERY_STOPPED)
		return;
		@@ -3255,14 +3255,14 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
		goto unlock;
		}

		if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
		if (!ev->status) {
		struct hci_cp_remote_name_req cp;
		memset(&cp, 0, sizeof(cp));
		bacpy(&cp.bdaddr, &conn->dst);
		cp.pscan_rep_mode = 0x02;
		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
		} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
		mgmt_device_connected(hdev, conn, 0, NULL, 0);
		mgmt_device_connected(hdev, conn, NULL, 0);

		if (!hci_outgoing_auth_needed(hdev, conn)) {
		conn->state = BT_CONNECTED;
		@@ -4337,7 +4337,7 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
		cp.pscan_rep_mode = 0x02;
		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
		} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
		mgmt_device_connected(hdev, conn, 0, NULL, 0);
		mgmt_device_connected(hdev, conn, NULL, 0);

		if (!hci_outgoing_auth_needed(hdev, conn)) {
		conn->state = BT_CONNECTED;
		@@ -5277,7 +5277,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
		}

		if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
		mgmt_device_connected(hdev, conn, 0, NULL, 0);
		mgmt_device_connected(hdev, conn, NULL, 0);

		conn->sec_level = BT_SECURITY_LOW;
		conn->handle = handle;

net/bluetooth/l2cap_core.c

+0 −9

Original line number	Diff line number	Diff line
		@@ -4272,18 +4272,9 @@ static struct l2cap_chan l2cap_connect(struct l2cap_conn conn,
		static int l2cap_connect_req(struct l2cap_conn *conn,
		struct l2cap_cmd_hdr cmd, u16 cmd_len, u8 data)
		{
		struct hci_dev *hdev = conn->hcon->hdev;
		struct hci_conn *hcon = conn->hcon;

		if (cmd_len < sizeof(struct l2cap_conn_req))
		return -EPROTO;

		hci_dev_lock(hdev);
		if (hci_dev_test_flag(hdev, HCI_MGMT) &&
		!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
		mgmt_device_connected(hdev, hcon, 0, NULL, 0);
		hci_dev_unlock(hdev);

		l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
		return 0;
		}