From: Calvin Owens
To: linux-kernel@vger.kernel.org
Cc: Marcel Holtmann, Luiz Augusto von Dentz, Sean Wang, Matthias Brugger, AngeloGioacchino Del Regno, Amitkumar Karwar, Neeraj Kale, Yang Li, Paul Menzel, linux-bluetooth@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-arm-msm@vger.kernel.org, Francesco Valla
Subject: [PATCH] Bluetooth: fix corruption in h4_recv_buf() after cleanup
Date: Thu, 23 Oct 2025 11:47:19 -0700
X-Mailer: git-send-email 2.47.3

Thanks to Francesco Valla's investigation, the reason for the duplicate code I recently cleaned up is finally clear: a different structure is stored in drvdata for the drivers which used that duplicate function, but h4_recv_buf() assumes drvdata is always an hci_uart structure. Consequently, alignment and padding are now randomly corrupted for btmtkuart, btnxpuart, and bpa10x in h4_recv_buf(), causing erratic breakage.

Fix this by making the hci_uart structure the explicit argument to h4_recv_buf(). Every caller already has a reference to hci_uart, and already obtains the hci_hdev reference through it, so this actually eliminates a redundant pointer indirection for all existing callers.

Fixes: 93f06f8f0daf ("Bluetooth: remove duplicate h4_recv_buf() in header")
Reported-by: Francesco Valla
Closes: https://lore.kernel.org/lkml/6837167.ZASKD2KPVS@fedora.fritz.box/
Signed-off-by: Calvin Owens --- drivers/bluetooth/bpa10x.c | 4 +++- drivers/bluetooth/btmtkuart.c | 4 +++- drivers/bluetooth/btnxpuart.c | 4 +++- drivers/bluetooth/hci_ag6xx.c | 2 +- drivers/bluetooth/hci_aml.c | 2 +- drivers/bluetooth/hci_ath.c | 2 +- drivers/bluetooth/hci_bcm.c | 2 +- drivers/bluetooth/hci_h4.c | 6 +++--- drivers/bluetooth/hci_intel.c | 2 +- drivers/bluetooth/hci_ll.c | 2 +- drivers/bluetooth/hci_mrvl.c | 6 +++--- drivers/bluetooth/hci_nokia.c | 4 ++-- drivers/bluetooth/hci_qca.c | 2 +- drivers/bluetooth/hci_uart.h | 2 +- 14 files changed, 25 insertions(+), 19 deletions(-) diff --git a/drivers/bluetooth/bpa10x.c b/drivers/bluetooth/bpa10x.c index b7ba667a3d09..e305d04aac9d 100644 --- a/drivers/bluetooth/bpa10x.c +++ b/drivers/bluetooth/bpa10x.c @@ -41,6 +41,7 @@ struct bpa10x_data { struct usb_anchor rx_anchor; =20 struct sk_buff *rx_skb[2]; + struct hci_uart hu; }; =20 static void bpa10x_tx_complete(struct urb *urb) @@ -96,7 +97,7 @@ static void bpa10x_rx_complete(struct urb *urb) if (urb->status =3D=3D 0) { bool idx =3D usb_pipebulk(urb->pipe); =20 - data->rx_skb[idx] =3D h4_recv_buf(hdev, data->rx_skb[idx], + data->rx_skb[idx] =3D h4_recv_buf(&data->hu, data->rx_skb[idx], urb->transfer_buffer, urb->actual_length, bpa10x_recv_pkts, @@ -388,6 +389,7 @@ static int bpa10x_probe(struct usb_interface *intf, hci_set_drvdata(hdev, data); =20 data->hdev =3D hdev; + data->hu.hdev =3D hdev; =20 SET_HCIDEV_DEV(hdev, &intf->dev); =20 diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c index d9b90ea2ad38..27aa48ff3ac2 100644 --- a/drivers/bluetooth/btmtkuart.c +++ b/drivers/bluetooth/btmtkuart.c @@ -79,6 +79,7 @@ struct btmtkuart_dev { u16 stp_dlen; =20 const struct btmtkuart_data *data; + struct hci_uart hu; }; =20 #define btmtkuart_is_standalone(bdev) \ 
@@ -368,7 +369,7 @@ static void btmtkuart_recv(struct hci_dev *hdev, const = u8 *data, size_t count) sz_left -=3D adv; p_left +=3D adv; =20 - bdev->rx_skb =3D h4_recv_buf(bdev->hdev, bdev->rx_skb, p_h4, + bdev->rx_skb =3D h4_recv_buf(&bdev->hu, bdev->rx_skb, p_h4, sz_h4, mtk_recv_pkts, ARRAY_SIZE(mtk_recv_pkts)); if (IS_ERR(bdev->rx_skb)) { @@ -858,6 +859,7 @@ static int btmtkuart_probe(struct serdev_device *serdev) } =20 bdev->hdev =3D hdev; + bdev->hu.hdev =3D hdev; =20 hdev->bus =3D HCI_UART; hci_set_drvdata(hdev, bdev); diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index d5153fed0518..3b1e9224e965 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -212,6 +212,7 @@ struct btnxpuart_dev { struct ps_data psdata; struct btnxpuart_data *nxp_data; struct reset_control *pdn; + struct hci_uart hu; }; =20 #define NXP_V1_FW_REQ_PKT 0xa5 @@ -1756,7 +1757,7 @@ static size_t btnxpuart_receive_buf(struct serdev_dev= ice *serdev, =20 ps_start_timer(nxpdev); =20 - nxpdev->rx_skb =3D h4_recv_buf(nxpdev->hdev, nxpdev->rx_skb, data, count, + nxpdev->rx_skb =3D h4_recv_buf(&nxpdev->hu, nxpdev->rx_skb, data, count, nxp_recv_pkts, ARRAY_SIZE(nxp_recv_pkts)); if (IS_ERR(nxpdev->rx_skb)) { int err =3D PTR_ERR(nxpdev->rx_skb); @@ -1875,6 +1876,7 @@ static int nxp_serdev_probe(struct serdev_device *ser= dev) reset_control_deassert(nxpdev->pdn); =20 nxpdev->hdev =3D hdev; + nxpdev->hu.hdev =3D hdev; =20 hdev->bus =3D HCI_UART; hci_set_drvdata(hdev, nxpdev); diff --git a/drivers/bluetooth/hci_ag6xx.c b/drivers/bluetooth/hci_ag6xx.c index 2d40302409ff..94588676510f 100644 --- a/drivers/bluetooth/hci_ag6xx.c +++ b/drivers/bluetooth/hci_ag6xx.c 
@@ -105,7 +105,7 @@ static int ag6xx_recv(struct hci_uart *hu, const void *= data, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - ag6xx->rx_skb =3D h4_recv_buf(hu->hdev, ag6xx->rx_skb, data, count, + ag6xx->rx_skb =3D h4_recv_buf(hu, ag6xx->rx_skb, data, count, ag6xx_recv_pkts, ARRAY_SIZE(ag6xx_recv_pkts)); if (IS_ERR(ag6xx->rx_skb)) { diff --git a/drivers/bluetooth/hci_aml.c b/drivers/bluetooth/hci_aml.c index 707e90f80130..b1f32c5a8a3f 100644 --- a/drivers/bluetooth/hci_aml.c +++ b/drivers/bluetooth/hci_aml.c @@ -650,7 +650,7 @@ static int aml_recv(struct hci_uart *hu, const void *da= ta, int count) struct aml_data *aml_data =3D hu->priv; int err; =20 - aml_data->rx_skb =3D h4_recv_buf(hu->hdev, aml_data->rx_skb, data, count, + aml_data->rx_skb =3D h4_recv_buf(hu, aml_data->rx_skb, data, count, aml_recv_pkts, ARRAY_SIZE(aml_recv_pkts)); if (IS_ERR(aml_data->rx_skb)) { diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c index dbfe34664633..8d2b5e7f0d6a 100644 --- a/drivers/bluetooth/hci_ath.c +++ b/drivers/bluetooth/hci_ath.c @@ -191,7 +191,7 @@ static int ath_recv(struct hci_uart *hu, const void *da= ta, int count) { struct ath_struct *ath =3D hu->priv; =20 - ath->rx_skb =3D h4_recv_buf(hu->hdev, ath->rx_skb, data, count, + ath->rx_skb =3D h4_recv_buf(hu, ath->rx_skb, data, count, ath_recv_pkts, ARRAY_SIZE(ath_recv_pkts)); if (IS_ERR(ath->rx_skb)) { int err =3D PTR_ERR(ath->rx_skb); diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c index f96617b85d87..fff845ed44e3 100644 --- a/drivers/bluetooth/hci_bcm.c +++ b/drivers/bluetooth/hci_bcm.c 
@@ -698,7 +698,7 @@ static int bcm_recv(struct hci_uart *hu, const void *da= ta, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - bcm->rx_skb =3D h4_recv_buf(hu->hdev, bcm->rx_skb, data, count, + bcm->rx_skb =3D h4_recv_buf(hu, bcm->rx_skb, data, count, bcm_recv_pkts, ARRAY_SIZE(bcm_recv_pkts)); if (IS_ERR(bcm->rx_skb)) { int err =3D PTR_ERR(bcm->rx_skb); diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c index 9070e31a68bf..ec017df8572c 100644 --- a/drivers/bluetooth/hci_h4.c +++ b/drivers/bluetooth/hci_h4.c @@ -112,7 +112,7 @@ static int h4_recv(struct hci_uart *hu, const void *dat= a, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - h4->rx_skb =3D h4_recv_buf(hu->hdev, h4->rx_skb, data, count, + h4->rx_skb =3D h4_recv_buf(hu, h4->rx_skb, data, count, h4_recv_pkts, ARRAY_SIZE(h4_recv_pkts)); if (IS_ERR(h4->rx_skb)) { int err =3D PTR_ERR(h4->rx_skb); @@ -151,12 +151,12 @@ int __exit h4_deinit(void) return hci_uart_unregister_proto(&h4p); } =20 -struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb, +struct sk_buff *h4_recv_buf(struct hci_uart *hu, struct sk_buff *skb, const unsigned char *buffer, int count, const struct h4_recv_pkt *pkts, int pkts_count) { - struct hci_uart *hu =3D hci_get_drvdata(hdev); u8 alignment =3D hu->alignment ? hu->alignment : 1; + struct hci_dev *hdev =3D hu->hdev; =20 /* Check for error from previous call */ if (IS_ERR(skb)) diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c index 9b353c3d6442..1d6e09508f1f 100644 --- a/drivers/bluetooth/hci_intel.c +++ b/drivers/bluetooth/hci_intel.c 
@@ -972,7 +972,7 @@ static int intel_recv(struct hci_uart *hu, const void *= data, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - intel->rx_skb =3D h4_recv_buf(hu->hdev, intel->rx_skb, data, count, + intel->rx_skb =3D h4_recv_buf(hu, intel->rx_skb, data, count, intel_recv_pkts, ARRAY_SIZE(intel_recv_pkts)); if (IS_ERR(intel->rx_skb)) { diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c index 7044c86325ce..6f4e25917b86 100644 --- a/drivers/bluetooth/hci_ll.c +++ b/drivers/bluetooth/hci_ll.c @@ -429,7 +429,7 @@ static int ll_recv(struct hci_uart *hu, const void *dat= a, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - ll->rx_skb =3D h4_recv_buf(hu->hdev, ll->rx_skb, data, count, + ll->rx_skb =3D h4_recv_buf(hu, ll->rx_skb, data, count, ll_recv_pkts, ARRAY_SIZE(ll_recv_pkts)); if (IS_ERR(ll->rx_skb)) { int err =3D PTR_ERR(ll->rx_skb); diff --git a/drivers/bluetooth/hci_mrvl.c b/drivers/bluetooth/hci_mrvl.c index e08222395772..8767522ec4c6 100644 --- a/drivers/bluetooth/hci_mrvl.c +++ b/drivers/bluetooth/hci_mrvl.c @@ -264,9 +264,9 @@ static int mrvl_recv(struct hci_uart *hu, const void *d= ata, int count) !test_bit(STATE_FW_LOADED, &mrvl->flags)) return count; =20 - mrvl->rx_skb =3D h4_recv_buf(hu->hdev, mrvl->rx_skb, data, count, - mrvl_recv_pkts, - ARRAY_SIZE(mrvl_recv_pkts)); + mrvl->rx_skb =3D h4_recv_buf(hu, mrvl->rx_skb, data, count, + mrvl_recv_pkts, + ARRAY_SIZE(mrvl_recv_pkts)); if (IS_ERR(mrvl->rx_skb)) { int err =3D PTR_ERR(mrvl->rx_skb); bt_dev_err(hu->hdev, "Frame reassembly failed (%d)", err); diff --git a/drivers/bluetooth/hci_nokia.c b/drivers/bluetooth/hci_nokia.c index cd7575c20f65..1e65b541f8ad 100644 --- a/drivers/bluetooth/hci_nokia.c +++ b/drivers/bluetooth/hci_nokia.c 
@@ -624,8 +624,8 @@ static int nokia_recv(struct hci_uart *hu, const void *= data, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - btdev->rx_skb =3D h4_recv_buf(hu->hdev, btdev->rx_skb, data, count, - nokia_recv_pkts, ARRAY_SIZE(nokia_recv_pkts)); + btdev->rx_skb =3D h4_recv_buf(hu, btdev->rx_skb, data, count, + nokia_recv_pkts, ARRAY_SIZE(nokia_recv_pkts)); if (IS_ERR(btdev->rx_skb)) { err =3D PTR_ERR(btdev->rx_skb); dev_err(dev, "Frame reassembly failed (%d)", err); diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 4cff4d9be313..888176b0faa9 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1277,7 +1277,7 @@ static int qca_recv(struct hci_uart *hu, const void *= data, int count) if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) return -EUNATCH; =20 - qca->rx_skb =3D h4_recv_buf(hu->hdev, qca->rx_skb, data, count, + qca->rx_skb =3D h4_recv_buf(hu, qca->rx_skb, data, count, qca_recv_pkts, ARRAY_SIZE(qca_recv_pkts)); if (IS_ERR(qca->rx_skb)) { int err =3D PTR_ERR(qca->rx_skb); diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h index cbbe79b241ce..48ac7ca9334e 100644 --- a/drivers/bluetooth/hci_uart.h +++ b/drivers/bluetooth/hci_uart.h @@ -162,7 +162,7 @@ struct h4_recv_pkt { int h4_init(void); int h4_deinit(void); =20 -struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb, +struct sk_buff *h4_recv_buf(struct hci_uart *hu, struct sk_buff *skb, const unsigned char *buffer, int count, const struct h4_recv_pkt *pkts, int pkts_count); #endif --=20 2.47.3
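Review bot: embedding a full `struct hci_uart hu;` in bpa10x_data (bpa10x.c, hunk @@ -41,6 +41,7 @@) pulls a UART-protocol object into a USB driver purely so that h4_recv_buf() has somewhere to read alignment and padding from. If that is the intended shape, a one-line comment on the member saying it exists only for the h4_recv_buf() call and that only hu.hdev is ever set would stop a later reader from assuming hu.priv or hu.flags are meaningful here, as they are for the real hci_uart drivers in this series.

Review bot: `data->hu.hdev = hdev;` in bpa10x_probe() (hunk @@ -388,6 +389,7 @@) initialises only the hdev member, yet the h4_recv_buf() hunk shows the function reading hu->alignment and updating hu->padding across calls. Correctness therefore depends on bpa10x_data being zero-allocated, and the allocation is not in the hunk; if it is not kzalloc()/devm_kzalloc(), set `data->hu.alignment = 0;` and `data->hu.padding = 0;` explicitly here, otherwise the first frame would see the same kind of garbage alignment this patch is removing. The same applies to the btmtkuart and btnxpuart probe hunks.

Review bot: after `bdev->hu.hdev = hdev;` in btmtkuart_probe() (hunk @@ -858,6 +859,7 @@) the struct carries the same hci_dev pointer twice, as bdev->hdev and bdev->hu.hdev, and the recv hunk above it still passes `&bdev->hu` while other code keeps using bdev->hdev. Two copies of one pointer invite drift if either is ever reassigned; consider either dropping the standalone bdev->hdev in favour of bdev->hu.hdev in a follow-up, or adding a comment that the two must stay equal.

Review bot: in nxp_serdev_probe() (btnxpuart.c, hunk @@ -1875,6 +1876,7 @@) `nxpdev->hu.hdev = hdev;` is assigned after `reset_control_deassert(nxpdev->pdn);`, so the controller is already out of reset when hu.hdev is still NULL. If btnxpuart_receive_buf() can be entered between those two lines, h4_recv_buf() would now dereference hu->hdev as NULL rather than reading the old wrong drvdata; please confirm the serdev receive path is not yet open at that point, or move the hu.hdev assignment ahead of the deassert together with nxpdev->hdev.

Review bot: in the h4_recv_buf() hunk in hci_h4.c (@@ -151,12 +151,12 @@) the new `struct hci_dev *hdev = hu->hdev;` is declared after `u8 alignment = hu->alignment ? hu->alignment : 1;`, which is a minor style point only, but since both lines dereference hu before the `IS_ERR(skb)` check it may be worth putting the pointer declaration first so the function reads as "resolve hdev, derive alignment, then validate skb", matching the order the removed hci_get_drvdata() line had.

Review bot: the prototype change in hci_uart.h (hunk @@ -162,7 +162,7 @@) is what makes this bug impossible to reintroduce silently, because a caller still passing a `struct hci_dev *` now fails to compile, but the header says nothing about what the caller has to provide. Add a short comment above h4_recv_buf() stating that hu->hdev must be valid and that hu->alignment is read and hu->padding is updated across calls, since bpa10x, btmtkuart and btnxpuart now construct a struct hci_uart solely for this function.

The drvdata mix-up described in the commit message, modelled in userspace as an added example (not kernel code and not part of this patch): a driver whose private data is not a struct hci_uart hands its hci_dev to the pre-patch h4_recv_buf(), which casts drvdata to hci_uart, reads alignment from whatever sits at that offset and writes padding back into it; the post-patch signature takes the hci_uart the caller actually owns. The field layouts of hci_uart and hci_dev, the hypothetical struct foreign_dev, the two-event byte stream and the run() helper are all constructed for the example.

```c
/* Userspace model of the drvdata confusion from the commit message. Added
 * example for this page, not kernel code: the structs are simplified stand-ins,
 * and struct foreign_dev is a hypothetical layout whose u8 fields overlap
 * hci_uart.alignment/.padding, as the three drivers' private data did. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
typedef uint8_t u8;

struct hci_dev { void *drvdata; };
static void *hci_get_drvdata(struct hci_dev *h) { return h->drvdata; }

struct hci_uart {		/* only the fields h4_recv_buf() touches */
	struct hci_dev *hdev;
	unsigned long flags;
	u8 alignment;		/* 0 or 1: none; N: frames padded to N bytes */
	u8 padding;		/* bytes to drop before the next type byte */
};

struct foreign_dev {		/* hypothetical drvdata without an hci_uart */
	struct hci_dev *hdev;
	unsigned long rx_state;
	u8 rx_flags;		/* lands at the offset of hci_uart.alignment */
	u8 rx_expect;		/* lands at the offset of hci_uart.padding */
};

/* Stand-in for the sk_buff: the H4 frame minus its type byte. */
struct frame { u8 data[257]; unsigned len, expect; int busy; };

/* One h4_recv_pkt entry: HCI event, 2-byte header, 1-byte plen at offset 1. */
enum { H4_EVT = 0x04, EVT_HLEN = 2, EVT_LOFF = 1 };

/* The h4_recv_buf() loop. hu supplies alignment and owns padding across
 * calls. Returns frames completed in this call, or -errno. */
static int h4_reassemble(struct hci_uart *hu, struct frame *f,
			 const u8 *buf, int count)
{
	u8 alignment = hu->alignment ? hu->alignment : 1;
	int done = 0, len;

	while (count) {
		for (; hu->padding && count > 0; hu->padding--) { count--; buf++; }
		if (!count)
			break;
		if (!f->busy) {
			if (buf[0] != H4_EVT)
				return -EILSEQ;	/* unknown packet type */
			f->busy = 1; f->len = 0; f->expect = EVT_HLEN; count--; buf++;
		}
		len = (int)(f->expect - f->len);
		len = len < count ? len : count;
		memcpy(f->data + f->len, buf, len);
		f->len += len; count -= len; buf += len;
		if (f->len < f->expect)
			continue;	/* partial frame, wait for more bytes */
		if (f->len == EVT_HLEN && f->data[EVT_LOFF]) {
			f->expect += f->data[EVT_LOFF];	/* header done: add plen */
			if (f->expect > sizeof(f->data))
				return -EMSGSIZE;
			continue;
		}
		/* frame complete; this store is what clobbers a foreign struct */
		hu->padding = (alignment - (f->len + 1) % alignment) % alignment;
		f->busy = 0; done++;
	}
	return done;
}

/* Before the patch: hu is whatever drvdata happens to point at. */
static int h4_recv_buf_old(struct hci_dev *hdev, struct frame *f, const u8 *b, int n)
{
	struct hci_uart *hu = hci_get_drvdata(hdev);
	return h4_reassemble(hu, f, b, n);
}

/* After the patch: the caller passes the hci_uart it really owns. */
static int h4_recv_buf_new(struct hci_uart *hu, struct frame *f, const u8 *b, int n)
{
	return h4_reassemble(hu, f, b, n);
}

/* Constructed input: two 6-byte HCI Command Complete events. */
static const u8 stream[12] = { H4_EVT, 0x0e, 0x03, 0x01, 0x03, 0x0c,
			       H4_EVT, 0x0e, 0x03, 0x01, 0x03, 0x0c };

struct outcome { int first, second; u8 rx_expect_after_first; };

/* A driver whose drvdata is a foreign_dev feeds the stream in two chunks. */
static struct outcome run(int use_new_api)
{
	struct hci_dev hdev = { 0 };
	struct foreign_dev fd = { .hdev = &hdev, .rx_flags = 4 };
	struct hci_uart hu = { .hdev = &hdev };	/* what the patch embeds, zeroed */
	struct frame f = { 0 };
	struct outcome o;

	hdev.drvdata = &fd;			/* hci_set_drvdata(hdev, bdev) */
	o.first = use_new_api ? h4_recv_buf_new(&hu, &f, stream, 6)
			      : h4_recv_buf_old(&hdev, &f, stream, 6);
	o.rx_expect_after_first = fd.rx_expect;	/* nonzero = corrupted */
	o.second = use_new_api ? h4_recv_buf_new(&hu, &f, stream + 6, 6)
			       : h4_recv_buf_old(&hdev, &f, stream + 6, 6);
	return o;
}
```

With the old signature, rx_flags (value 4) is read as the alignment, the first event reassembles, and the function then writes a padding of 2 into rx_expect; on the next chunk those two "padding" bytes swallow the type byte and the stream is rejected with -EILSEQ. With the explicit hci_uart, alignment falls back to 1, padding stays 0, both events are delivered and the foreign struct is never touched. The two accesses happen through u8 members, which is why the garbage is deterministic rather than undefined in practice; any field of the real drivers' private data that happened to occupy those offsets would be corrupted the same way.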