[PATCH] Bluetooth: vhci: validate devcoredump state before side effects

Next message: Besar Wicaksono: "RE: [PATCH v4] perf/arm_pmu: Skip PMCCNTR_EL0 on NVIDIA Olympus"
Previous message: Timur Tabi: "Re: [PATCH] gpu: nova-core: don't declare booter firmware for FSP chipsets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Samuel Moelius

Date: Mon Jun 08 2026 - 20:01:17 EST

The VHCI force_devcoredump debugfs hook accepts a small test record from
userspace. It validates the requested terminal state only after
registering, initializing and appending a Bluetooth devcoredump.

As a result, an invalid state returns -EINVAL but still leaves queued
devcoredump work behind. With a non-zero timeout field, the rejected
write can still emit a devcoredump after the timeout expires.

Reject unsupported states before allocating the skb or changing the HCI
devcoredump state machine.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>
---
drivers/bluetooth/hci_vhci.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2762eacf7f20..3401e3b22f04 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -338,6 +338,14 @@ static ssize_t force_devcd_write(struct file *file, const char __user *user_buf,
return -EFAULT;

data_size = count - offsetof(struct devcoredump_test_data, data);
+ switch (dump_data.state) {
+ case HCI_DEVCOREDUMP_DONE:
+ case HCI_DEVCOREDUMP_ABORT:
+ case HCI_DEVCOREDUMP_TIMEOUT:
+ break;
+ default:
+ return -EINVAL;
+ }
skb = alloc_skb(data_size, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
--
2.43.0