TFnlreNtjGGkumUuzSFb76kjq85Ger2c4gKx5lQ5tDzih/fBoVB9OhtZH7FWLBnEp5Dp wkZpq1yOKOMSWL3UXSaub+FOh4NbyAIXb39Iveo/CgqmccPpAEG8Ck28kf1EV+yptQoF 5tb04VcHogFFc174LIPy02vKBCN1fYkPVV2V4o/liWFSewdIAF2IM3fyLZR/dt7MKOKo AgIA== X-Gm-Message-State: AOAM530YHrWQT2Z2iDclJCvgzc50rWYwUkLnADXHFIqT2bPDTLfi+k37 rFhpAydwdYt+VS5lQHFCst8OvA== X-Google-Smtp-Source: ABdhPJwzesRzh12lHSJ8wijI9YJ4wXIKFHVAn4HZudVDiZ2iWCzrf2nSH3Yq02EJp4VkN9PkZ64y2A== X-Received: by 2002:adf:e4c4:: with SMTP id v4mr22488680wrm.332.1643745837666; Tue, 01 Feb 2022 12:03:57 -0800 (PST) Received: from biernacki.c.googlers.com.com (105.168.195.35.bc.googleusercontent.com. [35.195.168.105]) by smtp.gmail.com with ESMTPSA id m6sm3367280wmq.6.2022.02.01.12.03.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Feb 2022 12:03:56 -0800 (PST) From: Radoslaw Biernacki X-Google-Original-From: Radoslaw Biernacki To: linux-bluetooth , Luiz Augusto von Dentz , Marcel Holtmann Cc: CrosBT Upstreaming , Archie Pusaka , Miao-chen Chou , Jakub Kicinski , Johan Hedberg , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, upstream@semihalf.com, Radoslaw Biernacki , Angela Czubak , Marek Maslanka Subject: [PATCH v2 1/2] Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected() Date: Tue, 1 Feb 2022 20:03:52 +0000 Message-Id: <20220201200353.1331443-2-rad@semihalf.ocm> X-Mailer: git-send-email 2.35.0.rc2.247.g8bbb082509-goog In-Reply-To: <20220201200353.1331443-1-rad@semihalf.ocm> References: <20220201200353.1331443-1-rad@semihalf.ocm> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 
From: Radoslaw Biernacki
This patch fixes skb allocation, as lack of space for ev might push skb tail beyond its end. Also introduce eir_precalc_len() that can be used instead of magic numbers for similar eir operations on skb.
Fixes: cf1bce1de7eeb ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in = MGMT_EV_DEVICE_FOUND")
Fixes: e96741437ef0a ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in = MGMT_EV_DEVICE_CONNECTED")
Signed-off-by: Angela Czubak
Signed-off-by: Marek Maslanka
Signed-off-by: Radoslaw Biernacki
---
net/bluetooth/eir.h | 5 +++++
net/bluetooth/mgmt.c | 18 ++++++++----------
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/net/bluetooth/eir.h b/net/bluetooth/eir.h
index 05e2e917fc25..e5876751f07e 100644
--- a/net/bluetooth/eir.h
+++ b/net/bluetooth/eir.h
@@ -15,6 +15,11 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance= , u8 *ptr);
 u8 eir_append_local_name(struct hci_dev *hdev, u8 *eir, u8 ad_len);
 u8 eir_append_appearance(struct hci_dev *hdev, u8 *ptr, u8 ad_len);
=20
+static inline u16 eir_precalc_len(u8 data_len)
+{
+ return sizeof(u8) * 2 + data_len;
+}
+
 static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data,
 u8 data_len)
 {
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 5dd684e0b259..43ca228104ce 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9061,12 +9061,14 @@ void mgmt_device_connected(struct hci_dev *hdev, st= ruct hci_conn *conn,
 u16 eir_len =3D 0;
 u32 flags =3D 0;
=20
+ /* allocate buff for LE or BR/EDR adv */
 if (conn->le_adv_data_len > 0)
 skb =3D mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
- conn->le_adv_data_len);
+ sizeof(*ev) + conn->le_adv_data_len);
 else
 skb =3D mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
- 2 + name_len + 5);
+ sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
+ eir_precalc_len(sizeof(conn->dev_class)));
=20
 ev =3D skb_put(skb, sizeof(*ev));
 bacpy(&ev->addr.bdaddr, &conn->dst);
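Review bot: eir_precalc_len() lands without a comment, so a reader has to infer that the two extra bytes are the EIR structure's length and type octets, and nothing says that the value is buffer space for sizing an allocation rather than the encoded length octet itself. I would put above it: `/* Buffer space one EIR/AD structure occupies: length byte, type byte and data_len bytes of payload. Sizing only; the length octet is written by the append helpers. */`. Since this series uses it to size mgmt_alloc_skb() calls, the comment should also state that data_len must be the same value later handed to the append helper, otherwise the skb ends up under-sized.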
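Review bot: The BR/EDR allocation now reserves name space only when `name` is non-NULL, but the append that follows this hunk (visible as the old side of the next patch in this series) still keys on `name_len > 0`, so a caller handing in name == NULL with a non-zero name_len gets an skb sized without the name while eir_append_data() still runs and skb_put() overshoots the tail — the very condition this patch sets out to fix. Allocation and append should share one predicate, e.g. `sizeof(*ev) + (name && name_len ? eir_precalc_len(name_len) : 0) +` here and `if (name && name_len)` at the append. The new comment `/* allocate buff for LE or BR/EDR adv */` undersells the else branch, which also reserves a class-of-device entry; `/* Size the skb for the event header plus either the LE advertising data or the BR/EDR name and class-of-device EIR entries */` is more accurate. mgmt_device_connected() starts before and ends after this hunk.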
@@ -9785,13 +9787,11 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_= t *bdaddr, u8 link_type,
 {
 struct sk_buff *skb;
 struct mgmt_ev_device_found *ev;
- u16 eir_len;
- u32 flags;
+ u16 eir_len =3D 0;
+ u32 flags =3D 0;
=20
- if (name_len)
- skb =3D mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND, 2 + name_len);
- else
- skb =3D mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND, 0);
+ skb =3D mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
+ sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
=20
 ev =3D skb_put(skb, sizeof(*ev));
 bacpy(&ev->addr.bdaddr, bdaddr);
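Review bot: The single mgmt_alloc_skb() call now sizes the name entry on `name` being non-NULL where the old code keyed on `name_len`, and nothing in the hunk records that the append further down this function uses the same `if (name)` test; that coupling is what keeps the allocation and the later skb_put() in step, so it deserves a comment on the allocation: `/* Room for the event header plus one EIR_NAME_COMPLETE entry; must match the if (name) append below */`. Note that `name_len` is ignored here when name is NULL, so a caller passing NULL with a stale name_len is tolerated only because the append side also ignores it. mgmt_remote_name() continues past the end of this hunk.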
@@ -9801,10 +9801,8 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t= *bdaddr, u8 link_type, if (name) { eir_len =3D eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name, name_len); - flags =3D 0; skb_put(skb, eir_len); } else { - eir_len =3D 0; flags =3D MGMT_DEV_FOUND_NAME_REQUEST_FAILED; } =20 --=20 2.35.0.rc2.247.g8bbb082509-goog From nobody Mon Jun 29 22:12:59 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD6F7C4332F for ; Tue, 1 Feb 2022 20:04:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236441AbiBAUEG (ORCPT ); Tue, 1 Feb 2022 15:04:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47004 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235924AbiBAUEA (ORCPT ); Tue, 1 Feb 2022 15:04:00 -0500 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7E48C061714 for ; Tue, 1 Feb 2022 12:03:59 -0800 (PST) Received: by mail-wr1-x433.google.com with SMTP id e8so34229519wrc.0 for ; Tue, 01 Feb 2022 12:03:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=/QTYMxwWed/jQIivtJaGb3o5ZDyC8gqB+NImkJjoA+M=; b=R2s/WYxqrkrLqzzep4rDEqMSd1N/6u42Y0fF6kR/9+RQCyhZVXbJaJN/ugywk8HMnn NcoM405UM/+ErO67Cclrqd2Lx1QAebg5/WSP+C1S2RslP3RTYbCghiAXZECfuOMxriu6 JwaIOtSQSL+JtYd/FG4MRGbDtX+f0lU7jtRjk679xtxiWKG3zrFAdXLyKjIvvJxnlG/s RxKL6S1HJwJrhIXCghSnn8DciIt22mQXtBX1X8YEztUhR6v93wntQ/2RYqo9xBDqWVqR U3WV+cb/YXe8g0kF2u1s9e2T++GBKgpdo05cVeDztvC1YmEnsYEGUVFztViQ143Nj+mk dUnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
From: Radoslaw Biernacki X-Google-Original-From: Radoslaw Biernacki To: linux-bluetooth , Luiz Augusto von Dentz , Marcel Holtmann Cc: CrosBT Upstreaming , Archie Pusaka , Miao-chen Chou , Jakub Kicinski , Johan Hedberg , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, upstream@semihalf.com, Radoslaw Biernacki , Angela Czubak , Marek Maslanka , Radoslaw Biernacki Subject: [PATCH v2 2/2] Bluetooth: Improve skb handling in mgmt_device_connected() Date: Tue, 1 Feb 2022 20:03:53 +0000 Message-Id: <20220201200353.1331443-3-rad@semihalf.ocm> X-Mailer: git-send-email 2.35.0.rc2.247.g8bbb082509-goog In-Reply-To: <20220201200353.1331443-1-rad@semihalf.ocm> References: <20220201200353.1331443-1-rad@semihalf.ocm> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This patch introduces eir_skb_put_data(), which can be used to simplify operations on EIR data with the goal of eliminating the need for intermediary buffers. eir_skb_put_data() is the counterpart of eir_append_data(), which works with an eir_len offset, but without the awkwardness of passing its return value to skb_put() (eir_append_data() returns the updated offset, not the size appended). Signed-off-by: Radoslaw Biernacki --- net/bluetooth/eir.h | 15 +++++++++++++++ net/bluetooth/mgmt.c | 25 ++++++++----------------- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/net/bluetooth/eir.h b/net/bluetooth/eir.h index e5876751f07e..43f1945bffc5 100644 --- a/net/bluetooth/eir.h +++ b/net/bluetooth/eir.h 
@@ -41,6 +41,21 @@ static inline u16 eir_append_le16(u8 *eir, u16 eir_len, = u8 type, u16 data)
 return eir_len;
 }
=20
+static inline u16 eir_skb_put_data(struct sk_buff *skb, u8 type, u8 *data,= u8 data_len)
+{
+ u8 *eir;
+ u16 eir_len;
+
+ eir_len =3D eir_precalc_len(data_len);
+ eir =3D skb_put(skb, eir_len);
+ WARN_ON(sizeof(type) + data_len > U8_MAX);
+ eir[0] =3D sizeof(type) + data_len;
+ eir[1] =3D type;
+ memcpy(&eir[2], data, data_len);
+
+ return eir_len;
+}
+
 static inline void *eir_get_data(u8 *eir, size_t eir_len, u8 type,
 size_t *data_len)
 {
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 43ca228104ce..4a24159f7dd6 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9087,18 +9087,12 @@ void mgmt_device_connected(struct hci_dev *hdev, st= ruct hci_conn *conn,
 skb_put_data(skb, conn->le_adv_data, conn->le_adv_data_len);
 eir_len =3D conn->le_adv_data_len;
 } else {
- if (name_len > 0) {
- eir_len =3D eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
- name, name_len);
- skb_put(skb, eir_len);
- }
+ if (name)
+ eir_len +=3D eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
=20
- if (memcmp(conn->dev_class, "\0\0\0", 3) !=3D 0) {
- eir_len =3D eir_append_data(ev->eir, eir_len,
- EIR_CLASS_OF_DEV,
- conn->dev_class, 3);
- skb_put(skb, 5);
- }
+ if (memcmp(conn->dev_class, "\0\0\0", sizeof(conn->dev_class)))
+ eir_len +=3D eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
+ conn->dev_class, sizeof(conn->dev_class));
 }
=20
 ev->eir_len =3D cpu_to_le16(eir_len);
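Review bot: The `WARN_ON(sizeof(type) + data_len > U8_MAX)` in eir_skb_put_data() runs after skb_put() and does not return, so for data_len == 255 the length octet `eir[0]` wraps to 0 and a malformed EIR structure is still copied into the event handed to userspace. Move the check ahead of the skb_put() and bail out without reserving anything, `if (WARN_ON(sizeof(type) + data_len > U8_MAX)) return 0;`, which keeps the callers' `eir_len +=` bookkeeping consistent with what was actually appended. Whether a 255-byte payload can reach this helper from the HCI side is not visible here, but the guard is cheap and the current form only logs. Two smaller points: `data` is never written through and should be `const u8 *data`, and the signature line runs past 80 columns; the helper also lacks a comment stating that it returns the number of bytes appended, not an offset, which is the distinction the commit message goes out of its way to explain.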
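Review bot: Replacing `if (name_len > 0)` with `if (name)` changes what is emitted when a caller passes a non-NULL name with name_len == 0: the old code appended nothing, the new code appends a two-byte EIR_NAME_COMPLETE structure with an empty payload. If such callers exist (not visible here), `if (name && name_len)` preserves the old output and still fits the allocation from the previous patch, which reserves those two bytes whenever `name` is set and so is unaffected either way. The `eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);` line also exceeds 80 columns at this indentation. The else branch shown belongs to mgmt_device_connected(), which starts before the hunk.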
@@ -9798,13 +9792,10 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_= t *bdaddr, u8 link_type,
 ev->addr.type =3D link_to_bdaddr(link_type, addr_type);
 ev->rssi =3D rssi;
=20
- if (name) {
- eir_len =3D eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
- name_len);
- skb_put(skb, eir_len);
- } else {
+ if (name)
+ eir_len +=3D eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
+ else
 flags =3D MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
- }
=20
 ev->eir_len =3D cpu_to_le16(eir_len);
 ev->flags =3D cpu_to_le32(flags);
--=20
2.35.0.rc2.247.g8bbb082509-goog
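Review bot: `eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);` is the only append in this function, so `+=` reads as if earlier entries could precede it and silently depends on the `eir_len = 0` initialiser added by the previous patch; `eir_len = eir_skb_put_data(...)` states the intent, and wrapping after the opening parenthesis brings the line back under 80 columns. The NULL-name case deserves a one-line comment, since it is the only signal that the name request failed: `/* name == NULL means the remote name request failed; report that rather than an empty name */`. mgmt_remote_name() starts before this hunk.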