From f1a56edd09a888381f6006b701ab446c357f14ec Mon Sep 17 00:00:00 2001
From: Piotr Dymacz
Date: Sat, 4 Feb 2023 18:22:03 +0100
Subject: [PATCH] ipq807x: backport some additional fixes for Bluetooth

This backports more fixes for the Bluetooth subsystem from 4.9. They were found missing during some initial Bluetooth LE testing.

Signed-off-by: Piotr Dymacz
---
 ...e-HCI-to-MGMT-status-conversion-tabl.patch | 37 +++++++++++++
 ...p-invalid-hci_sync_conn_complete_evt.patch | 52 +++++++++++++++++++
 ...bugfs-entry-leak-in-hci_register_dev.patch | 33 ++++++++++++
 3 files changed, 122 insertions(+)
 create mode 100644 feeds/ipq807x/ipq807x/patches/802-v4.9-Bluetooth-Fix-the-HCI-to-MGMT-status-conversion-tabl.patch
 create mode 100644 feeds/ipq807x/ipq807x/patches/803-v4.9-Bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch
 create mode 100644 feeds/ipq807x/ipq807x/patches/804-v4.9-Bluetooth-Fix-debugfs-entry-leak-in-hci_register_dev.patch

diff --git a/feeds/ipq807x/ipq807x/patches/802-v4.9-Bluetooth-Fix-the-HCI-to-MGMT-status-conversion-tabl.patch b/feeds/ipq807x/ipq807x/patches/802-v4.9-Bluetooth-Fix-the-HCI-to-MGMT-status-conversion-tabl.patch
new file mode 100644
index 000000000..11b392e9d
--- /dev/null
+++ b/feeds/ipq807x/ipq807x/patches/802-v4.9-Bluetooth-Fix-the-HCI-to-MGMT-status-conversion-tabl.patch
@@ -0,0 +1,37 @@
+From 345bafc04fa2dea44dbdc8bda5633de256a74262 Mon Sep 17 00:00:00 2001
+From: Yu Liu
+Date: Mon, 19 Apr 2021 16:53:30 -0700
+Subject: [PATCH] Bluetooth: Fix the HCI to MGMT status conversion table
+
+[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ]
+
+0x2B, 0x31 and 0x33 are reserved for future use but were not present in
+the HCI to MGMT conversion table, this caused the conversion to be
+incorrect for the HCI status code greater than 0x2A.
+
+Reviewed-by: Miao-chen Chou
+Signed-off-by: Yu Liu
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -212,12 +212,15 @@ static u8 mgmt_status_table[] = {
+ MGMT_STATUS_TIMEOUT, /* Instant Passed */
+ MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */
+ MGMT_STATUS_FAILED, /* Transaction Collision */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */
+ MGMT_STATUS_REJECTED, /* QoS Rejected */
+ MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */
+ MGMT_STATUS_REJECTED, /* Insufficient Security */
+ MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_BUSY, /* Role Switch Pending */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_FAILED, /* Slot Violation */
+ MGMT_STATUS_FAILED, /* Role Switch Failed */
+ MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */
diff --git a/feeds/ipq807x/ipq807x/patches/803-v4.9-Bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch b/feeds/ipq807x/ipq807x/patches/803-v4.9-Bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch
new file mode 100644
index 000000000..a6099e468
--- /dev/null
+++ b/feeds/ipq807x/ipq807x/patches/803-v4.9-Bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch
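Review bot: The three new rows only make the mapping correct if `mgmt_status()` still rejects an index beyond the table, because `mgmt_status_table[]` is indexed directly by the status byte the controller returns and that byte is controller-supplied, not kernel-generated; the hunk shows the table but not the lookup, so confirm in the target tree that the caller guards with `if (hci_status < ARRAY_SIZE(mgmt_status_table))` and falls back to `MGMT_STATUS_FAILED` otherwise. Since the rows are positional, the three identical `/* Reserved for future use */` comments leave the index-to-code correspondence unauditable without counting rows; I would record the codes in the feed's patch header rather than edit the upstream hunk, e.g. a line `Rows added at HCI status 0x2B, 0x31 and 0x33; rows after 0x2A shift by one each.` The `mgmt_status_table[]` definition starts and ends outside the hunk.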
@@ -0,0 +1,52 @@
+From 433c3febcb837cf8f2758660c6a89e1d734c55dc Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi
+Date: Wed, 28 Jul 2021 15:51:04 +0800
+Subject: [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
+
+[ Upstream commit 92fe24a7db751b80925214ede43f8d2be792ea7b ]
+
+Syzbot reported a corrupted list in kobject_add_internal [1]. This
+happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
+status 0 are sent for the same HCI connection. This causes us to
+register the device more than once which corrupts the kset list.
+
+As this is forbidden behavior, we add a check for whether we're
+trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
+times for one connection. If that's the case, the event is invalid, so
+we report an error that the device is misbehaving, and ignore the
+packet.
+
+Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
+Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
+Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
+Signed-off-by: Desmond Cheong Zhi Xi
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_event.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3748,6 +3748,21 @@ static void hci_sync_conn_complete_evt(s
+ 
+ switch (ev->status) {
+ case 0x00:
++ /* The synchronous connection complete event should only be
++ * sent once per new connection. Receiving a successful
++ * complete event when the connection status is already
++ * BT_CONNECTED means that the device is misbehaving and sent
++ * multiple complete event packets for the same new connection.
++ *
++ * Registering the device more than once can corrupt kernel
++ * memory, hence upon detecting this invalid event, we report
++ * an error and ignore the packet.
++ */
++ if (conn->state == BT_CONNECTED) {
++ bt_dev_err(hdev, "Ignoring connect complete event for existing connection");
++ goto unlock;
++ }
++
+ conn->handle = __le16_to_cpu(ev->handle);
+ conn->state = BT_CONNECTED;
+ conn->type = ev->link_type;
diff --git a/feeds/ipq807x/ipq807x/patches/804-v4.9-Bluetooth-Fix-debugfs-entry-leak-in-hci_register_dev.patch b/feeds/ipq807x/ipq807x/patches/804-v4.9-Bluetooth-Fix-debugfs-entry-leak-in-hci_register_dev.patch
new file mode 100644
index 000000000..794aac5b1
--- /dev/null
+++ b/feeds/ipq807x/ipq807x/patches/804-v4.9-Bluetooth-Fix-debugfs-entry-leak-in-hci_register_dev.patch
@@ -0,0 +1,33 @@
+From 69f728dac41d13fc3e8d4514684e476ebd0d61f5 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Wed, 13 Oct 2021 16:55:46 +0800
+Subject: [PATCH] Bluetooth: Fix debugfs entry leak in hci_register_dev()
+
+[ Upstream commit 5a4bb6a8e981d3d0d492aa38412ee80b21033177 ]
+
+Fault injection test report debugfs entry leak as follows:
+
+debugfs: Directory 'hci0' with parent 'bluetooth' already present!
+
+When register_pm_notifier() failed in hci_register_dev(), the debugfs
+create by debugfs_create_dir() do not removed in the error handing path.
+
+Add the remove debugfs code to fix it.
+
+Signed-off-by: Wei Yongjun
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3420,6 +3420,7 @@ int hci_register_dev(struct hci_dev *hde
+ return id;
+ 
+ err_wqueue:
++ debugfs_remove_recursive(hdev->debugfs);
+ destroy_workqueue(hdev->workqueue);
+ destroy_workqueue(hdev->req_workqueue);
+ err:
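Review bot: The new `if (conn->state == BT_CONNECTED)` guard closes the duplicate-event double registration only for the SCO/eSCO path; the ACL path `hci_conn_complete_evt()` registers the connection's sysfs device on a successful complete event in the same way and is reachable by the same controller-driven repeat, so if the target tree does not already carry the equivalent upstream guard for that handler (the later upstream commit titled "Bluetooth: hci_event: Ignore multiple conn complete events", as far as I recall the subject) it should be backported next to this patch rather than left as a known gap. Because the event is attacker-controllable from the controller side, the unratelimited `bt_dev_err()` call can be driven once per repeated packet; that matches upstream and is acceptable, but a ratelimited variant is preferable if this tree provides one. `hci_sync_conn_complete_evt()` starts and ends outside the hunk, so the lookup that makes `conn` non-NULL before this check, and the `unlock` label the new code jumps to, cannot be verified here.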
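Review bot: The added `debugfs_remove_recursive(hdev->debugfs)` runs on every `goto err_wqueue`, including any taken when no debugfs directory was created (bt_debugfs unavailable or a jump before `debugfs_create_dir()`), so its safety rests on `debugfs_remove_recursive()` accepting a NULL/ERR_PTR argument and on `hdev->debugfs` starting out zeroed from `hci_alloc_dev()` — both true upstream as far as I know, but worth confirming in this tree before relying on the label being reached early. The error path still does not undo `device_add()`: any `goto err_wqueue` taken after the device is added (the `register_pm_notifier()` failure the upstream message describes, if this tree has that call) leaves the struct device registered, which is a leak and a later double-registration hazard of exactly the "already present" kind the commit text reports for debugfs; that needs a separate `device_del()` fix and should be checked when this backport is applied. `hci_register_dev()` starts outside the hunk, so the ordering of `debugfs_create_dir()`, `device_add()` and the `err_wqueue` jumps is not visible here.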