drivers/bluetooth/btusb.c | 99 ++++++++++++++++----------------------- 1 file changed, 41 insertions(+), 58 deletions(-)
Use skb_pull() and skb_pull_data() to safely parse QCA dump packets.
This avoids direct pointer math on skb->data, which could lead to
invalid access if the packet is shorter than expected.
Signed-off-by: En-Wei Wu <en-wei.wu@canonical.com>
---
drivers/bluetooth/btusb.c | 99 ++++++++++++++++-----------------------
1 file changed, 41 insertions(+), 58 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 357b18dae8de..17136924a278 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2979,9 +2979,8 @@ static void btusb_coredump_qca(struct hci_dev *hdev)
static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
{
int ret = 0;
+ int skip = 0;
u8 pkt_type;
- u8 *sk_ptr;
- unsigned int sk_len;
u16 seqno;
u32 dump_size;
@@ -2990,18 +2989,14 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
struct usb_device *udev = btdata->udev;
pkt_type = hci_skb_pkt_type(skb);
- sk_ptr = skb->data;
- sk_len = skb->len;
-
- if (pkt_type == HCI_ACLDATA_PKT) {
- sk_ptr += HCI_ACL_HDR_SIZE;
- sk_len -= HCI_ACL_HDR_SIZE;
- }
+ if (pkt_type == HCI_ACLDATA_PKT)
+ skip = sizeof(struct hci_acl_hdr) + sizeof(struct hci_event_hdr);
+ else
+ skip = sizeof(struct hci_event_hdr);
- sk_ptr += HCI_EVENT_HDR_SIZE;
- sk_len -= HCI_EVENT_HDR_SIZE;
+ skb_pull(skb, skip);
+ dump_hdr = (struct qca_dump_hdr *)skb->data;
- dump_hdr = (struct qca_dump_hdr *)sk_ptr;
seqno = le16_to_cpu(dump_hdr->seqno);
if (seqno == 0) {
set_bit(BTUSB_HW_SSR_ACTIVE, &btdata->flags);
@@ -3021,16 +3016,15 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
btdata->qca_dump.ram_dump_size = dump_size;
btdata->qca_dump.ram_dump_seqno = 0;
- sk_ptr += offsetof(struct qca_dump_hdr, data0);
- sk_len -= offsetof(struct qca_dump_hdr, data0);
+
+ skb_pull(skb, offsetof(struct qca_dump_hdr, data0));
usb_disable_autosuspend(udev);
bt_dev_info(hdev, "%s memdump size(%u)\n",
(pkt_type == HCI_ACLDATA_PKT) ? "ACL" : "event",
dump_size);
} else {
- sk_ptr += offsetof(struct qca_dump_hdr, data);
- sk_len -= offsetof(struct qca_dump_hdr, data);
+ skb_pull(skb, offsetof(struct qca_dump_hdr, data));
}
if (!btdata->qca_dump.ram_dump_size) {
@@ -3050,7 +3044,6 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
return ret;
}
- skb_pull(skb, skb->len - sk_len);
hci_devcd_append(hdev, skb);
btdata->qca_dump.ram_dump_seqno++;
if (seqno == QCA_LAST_SEQUENCE_NUM) {
@@ -3078,68 +3071,58 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
/* Return: true if the ACL packet is a dump packet, false otherwise. */
static bool acl_pkt_is_dump_qca(struct hci_dev *hdev, struct sk_buff *skb)
{
- u8 *sk_ptr;
- unsigned int sk_len;
-
struct hci_event_hdr *event_hdr;
struct hci_acl_hdr *acl_hdr;
struct qca_dump_hdr *dump_hdr;
+ struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
+ bool is_dump = false;
- sk_ptr = skb->data;
- sk_len = skb->len;
-
- acl_hdr = hci_acl_hdr(skb);
- if (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE)
+ if (!clone)
return false;
- sk_ptr += HCI_ACL_HDR_SIZE;
- sk_len -= HCI_ACL_HDR_SIZE;
- event_hdr = (struct hci_event_hdr *)sk_ptr;
-
- if ((event_hdr->evt != HCI_VENDOR_PKT) ||
- (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
- return false;
+ acl_hdr = skb_pull_data(clone, sizeof(*acl_hdr));
+ if (!acl_hdr || (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE))
+ goto out;
- sk_ptr += HCI_EVENT_HDR_SIZE;
- sk_len -= HCI_EVENT_HDR_SIZE;
+ event_hdr = skb_pull_data(clone, sizeof(*event_hdr));
+ if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
+ goto out;
- dump_hdr = (struct qca_dump_hdr *)sk_ptr;
- if ((sk_len < offsetof(struct qca_dump_hdr, data)) ||
- (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
- (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
- return false;
+ dump_hdr = skb_pull_data(clone, sizeof(*dump_hdr));
+ if (!dump_hdr || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
+ (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
+ goto out;
- return true;
+ is_dump = true;
+out:
+ consume_skb(clone);
+ return is_dump;
}
/* Return: true if the event packet is a dump packet, false otherwise. */
static bool evt_pkt_is_dump_qca(struct hci_dev *hdev, struct sk_buff *skb)
{
- u8 *sk_ptr;
- unsigned int sk_len;
-
struct hci_event_hdr *event_hdr;
struct qca_dump_hdr *dump_hdr;
+ struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
+ bool is_dump = false;
- sk_ptr = skb->data;
- sk_len = skb->len;
-
- event_hdr = hci_event_hdr(skb);
-
- if ((event_hdr->evt != HCI_VENDOR_PKT)
- || (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
+ if (!clone)
return false;
- sk_ptr += HCI_EVENT_HDR_SIZE;
- sk_len -= HCI_EVENT_HDR_SIZE;
+ event_hdr = skb_pull_data(clone, sizeof(*event_hdr));
+ if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
+ goto out;
- dump_hdr = (struct qca_dump_hdr *)sk_ptr;
- if ((sk_len < offsetof(struct qca_dump_hdr, data)) ||
- (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
- (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
- return false;
+ dump_hdr = skb_pull_data(clone, sizeof(*dump_hdr));
+ if (!dump_hdr || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
+ (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
+ goto out;
- return true;
+ is_dump = true;
+out:
+ consume_skb(clone);
+ return is_dump;
}
static int btusb_recv_acl_qca(struct hci_dev *hdev, struct sk_buff *skb)
--
2.43.0Dear En-Wei,
Thank you for your patch.
Am 06.05.25 um 04:48 schrieb En-Wei Wu:
> Use skb_pull() and skb_pull_data() to safely parse QCA dump packets.
>
> This avoids direct pointer math on skb->data, which could lead to
> invalid access if the packet is shorter than expected.
Please add a Fixes: tag.
Also, how did you test this?
> Signed-off-by: En-Wei Wu <en-wei.wu@canonical.com>
> ---
> drivers/bluetooth/btusb.c | 99 ++++++++++++++++-----------------------
> 1 file changed, 41 insertions(+), 58 deletions(-)
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index 357b18dae8de..17136924a278 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -2979,9 +2979,8 @@ static void btusb_coredump_qca(struct hci_dev *hdev)
> static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> {
> int ret = 0;
> + int skip = 0;
`unsigned int`, as the signature is:
include/linux/skbuff.h:void *skb_pull(struct sk_buff *skb, unsigned
int len);
> u8 pkt_type;
> - u8 *sk_ptr;
> - unsigned int sk_len;
> u16 seqno;
> u32 dump_size;
>
> @@ -2990,18 +2989,14 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> struct usb_device *udev = btdata->udev;
>
> pkt_type = hci_skb_pkt_type(skb);
> - sk_ptr = skb->data;
> - sk_len = skb->len;
> -
> - if (pkt_type == HCI_ACLDATA_PKT) {
> - sk_ptr += HCI_ACL_HDR_SIZE;
> - sk_len -= HCI_ACL_HDR_SIZE;
> - }
> + if (pkt_type == HCI_ACLDATA_PKT)
> + skip = sizeof(struct hci_acl_hdr) + sizeof(struct hci_event_hdr);
> + else
> + skip = sizeof(struct hci_event_hdr);
Maybe write it as below:
skip = sizeof(struct hci_event_hdr);
if (pkt_type == HCI_ACLDATA_PKT)
skip += sizeof(struct hci_acl_hdr);
Kind regards,
Paul
>
> - sk_ptr += HCI_EVENT_HDR_SIZE;
> - sk_len -= HCI_EVENT_HDR_SIZE;
> + skb_pull(skb, skip);
> + dump_hdr = (struct qca_dump_hdr *)skb->data;
>
> - dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> seqno = le16_to_cpu(dump_hdr->seqno);
> if (seqno == 0) {
> set_bit(BTUSB_HW_SSR_ACTIVE, &btdata->flags);
> @@ -3021,16 +3016,15 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
>
> btdata->qca_dump.ram_dump_size = dump_size;
> btdata->qca_dump.ram_dump_seqno = 0;
> - sk_ptr += offsetof(struct qca_dump_hdr, data0);
> - sk_len -= offsetof(struct qca_dump_hdr, data0);
> +
> + skb_pull(skb, offsetof(struct qca_dump_hdr, data0));
>
> usb_disable_autosuspend(udev);
> bt_dev_info(hdev, "%s memdump size(%u)\n",
> (pkt_type == HCI_ACLDATA_PKT) ? "ACL" : "event",
> dump_size);
> } else {
> - sk_ptr += offsetof(struct qca_dump_hdr, data);
> - sk_len -= offsetof(struct qca_dump_hdr, data);
> + skb_pull(skb, offsetof(struct qca_dump_hdr, data));
> }
>
> if (!btdata->qca_dump.ram_dump_size) {
> @@ -3050,7 +3044,6 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> return ret;
> }
>
> - skb_pull(skb, skb->len - sk_len);
> hci_devcd_append(hdev, skb);
> btdata->qca_dump.ram_dump_seqno++;
> if (seqno == QCA_LAST_SEQUENCE_NUM) {
> @@ -3078,68 +3071,58 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> /* Return: true if the ACL packet is a dump packet, false otherwise. */
> static bool acl_pkt_is_dump_qca(struct hci_dev *hdev, struct sk_buff *skb)
> {
> - u8 *sk_ptr;
> - unsigned int sk_len;
> -
> struct hci_event_hdr *event_hdr;
> struct hci_acl_hdr *acl_hdr;
> struct qca_dump_hdr *dump_hdr;
> + struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
> + bool is_dump = false;
>
> - sk_ptr = skb->data;
> - sk_len = skb->len;
> -
> - acl_hdr = hci_acl_hdr(skb);
> - if (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE)
> + if (!clone)
> return false;
>
> - sk_ptr += HCI_ACL_HDR_SIZE;
> - sk_len -= HCI_ACL_HDR_SIZE;
> - event_hdr = (struct hci_event_hdr *)sk_ptr;
> -
> - if ((event_hdr->evt != HCI_VENDOR_PKT) ||
> - (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
> - return false;
> + acl_hdr = skb_pull_data(clone, sizeof(*acl_hdr));
> + if (!acl_hdr || (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE))
> + goto out;
>
> - sk_ptr += HCI_EVENT_HDR_SIZE;
> - sk_len -= HCI_EVENT_HDR_SIZE;
> + event_hdr = skb_pull_data(clone, sizeof(*event_hdr));
> + if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
> + goto out;
>
> - dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> - if ((sk_len < offsetof(struct qca_dump_hdr, data)) ||
> - (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> - (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> - return false;
> + dump_hdr = skb_pull_data(clone, sizeof(*dump_hdr));
> + if (!dump_hdr || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> + (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> + goto out;
>
> - return true;
> + is_dump = true;
> +out:
> + consume_skb(clone);
> + return is_dump;
> }
>
> /* Return: true if the event packet is a dump packet, false otherwise. */
> static bool evt_pkt_is_dump_qca(struct hci_dev *hdev, struct sk_buff *skb)
> {
> - u8 *sk_ptr;
> - unsigned int sk_len;
> -
> struct hci_event_hdr *event_hdr;
> struct qca_dump_hdr *dump_hdr;
> + struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
> + bool is_dump = false;
>
> - sk_ptr = skb->data;
> - sk_len = skb->len;
> -
> - event_hdr = hci_event_hdr(skb);
> -
> - if ((event_hdr->evt != HCI_VENDOR_PKT)
> - || (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
> + if (!clone)
> return false;
>
> - sk_ptr += HCI_EVENT_HDR_SIZE;
> - sk_len -= HCI_EVENT_HDR_SIZE;
> + event_hdr = skb_pull_data(clone, sizeof(*event_hdr));
> + if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
> + goto out;
>
> - dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> - if ((sk_len < offsetof(struct qca_dump_hdr, data)) ||
> - (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> - (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> - return false;
> + dump_hdr = skb_pull_data(clone, sizeof(*dump_hdr));
> + if (!dump_hdr || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> + (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> + goto out;
>
> - return true;
> + is_dump = true;
> +out:
> + consume_skb(clone);
> + return is_dump;
> }
>
> static int btusb_recv_acl_qca(struct hci_dev *hdev, struct sk_buff *skb)
Hi Paul,
> Also, how did you test this?
I triggered the device coredump by `$ echo 1` to the file named
"coredump" in the sysfs device node of the hci device. The symbolic
link of the file can be found at
/sys/class/bluetooth/hci*/device/coredump.
After triggering the coredump, the core dump file can be found at
/sys/class/devcoredump.
Kind regards,
En-Wei
On Tue, 6 May 2025 at 16:46, Paul Menzel <pmenzel@molgen.mpg.de> wrote:
>
> Dear En-Wei,
>
>
> Thank you for your patch.
>
> Am 06.05.25 um 04:48 schrieb En-Wei Wu:
> > Use skb_pull() and skb_pull_data() to safely parse QCA dump packets.
> >
> > This avoids direct pointer math on skb->data, which could lead to
> > invalid access if the packet is shorter than expected.
>
> Please add a Fixes: tag.
>
> Also, how did you test this?
>
> > Signed-off-by: En-Wei Wu <en-wei.wu@canonical.com>
> > ---
> > drivers/bluetooth/btusb.c | 99 ++++++++++++++++-----------------------
> > 1 file changed, 41 insertions(+), 58 deletions(-)
> >
> > diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> > index 357b18dae8de..17136924a278 100644
> > --- a/drivers/bluetooth/btusb.c
> > +++ b/drivers/bluetooth/btusb.c
> > @@ -2979,9 +2979,8 @@ static void btusb_coredump_qca(struct hci_dev *hdev)
> > static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> > {
> > int ret = 0;
> > + int skip = 0;
>
> `unsigned int`, as the signature is:
>
> include/linux/skbuff.h:void *skb_pull(struct sk_buff *skb, unsigned
> int len);
>
> > u8 pkt_type;
> > - u8 *sk_ptr;
> > - unsigned int sk_len;
> > u16 seqno;
> > u32 dump_size;
> >
> > @@ -2990,18 +2989,14 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> > struct usb_device *udev = btdata->udev;
> >
> > pkt_type = hci_skb_pkt_type(skb);
> > - sk_ptr = skb->data;
> > - sk_len = skb->len;
> > -
> > - if (pkt_type == HCI_ACLDATA_PKT) {
> > - sk_ptr += HCI_ACL_HDR_SIZE;
> > - sk_len -= HCI_ACL_HDR_SIZE;
> > - }
> > + if (pkt_type == HCI_ACLDATA_PKT)
> > + skip = sizeof(struct hci_acl_hdr) + sizeof(struct hci_event_hdr);
> > + else
> > + skip = sizeof(struct hci_event_hdr);
>
> Maybe write it as below:
>
> skip = sizeof(struct hci_event_hdr);
>
> if (pkt_type == HCI_ACLDATA_PKT)
> skip += sizeof(struct hci_acl_hdr);
>
>
> Kind regards,
>
> Paul
>
>
> >
> > - sk_ptr += HCI_EVENT_HDR_SIZE;
> > - sk_len -= HCI_EVENT_HDR_SIZE;
> > + skb_pull(skb, skip);
> > + dump_hdr = (struct qca_dump_hdr *)skb->data;
> >
> > - dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> > seqno = le16_to_cpu(dump_hdr->seqno);
> > if (seqno == 0) {
> > set_bit(BTUSB_HW_SSR_ACTIVE, &btdata->flags);
> > @@ -3021,16 +3016,15 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> >
> > btdata->qca_dump.ram_dump_size = dump_size;
> > btdata->qca_dump.ram_dump_seqno = 0;
> > - sk_ptr += offsetof(struct qca_dump_hdr, data0);
> > - sk_len -= offsetof(struct qca_dump_hdr, data0);
> > +
> > + skb_pull(skb, offsetof(struct qca_dump_hdr, data0));
> >
> > usb_disable_autosuspend(udev);
> > bt_dev_info(hdev, "%s memdump size(%u)\n",
> > (pkt_type == HCI_ACLDATA_PKT) ? "ACL" : "event",
> > dump_size);
> > } else {
> > - sk_ptr += offsetof(struct qca_dump_hdr, data);
> > - sk_len -= offsetof(struct qca_dump_hdr, data);
> > + skb_pull(skb, offsetof(struct qca_dump_hdr, data));
> > }
> >
> > if (!btdata->qca_dump.ram_dump_size) {
> > @@ -3050,7 +3044,6 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> > return ret;
> > }
> >
> > - skb_pull(skb, skb->len - sk_len);
> > hci_devcd_append(hdev, skb);
> > btdata->qca_dump.ram_dump_seqno++;
> > if (seqno == QCA_LAST_SEQUENCE_NUM) {
> > @@ -3078,68 +3071,58 @@ static int handle_dump_pkt_qca(struct hci_dev *hdev, struct sk_buff *skb)
> > /* Return: true if the ACL packet is a dump packet, false otherwise. */
> > static bool acl_pkt_is_dump_qca(struct hci_dev *hdev, struct sk_buff *skb)
> > {
> > - u8 *sk_ptr;
> > - unsigned int sk_len;
> > -
> > struct hci_event_hdr *event_hdr;
> > struct hci_acl_hdr *acl_hdr;
> > struct qca_dump_hdr *dump_hdr;
> > + struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
> > + bool is_dump = false;
> >
> > - sk_ptr = skb->data;
> > - sk_len = skb->len;
> > -
> > - acl_hdr = hci_acl_hdr(skb);
> > - if (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE)
> > + if (!clone)
> > return false;
> >
> > - sk_ptr += HCI_ACL_HDR_SIZE;
> > - sk_len -= HCI_ACL_HDR_SIZE;
> > - event_hdr = (struct hci_event_hdr *)sk_ptr;
> > -
> > - if ((event_hdr->evt != HCI_VENDOR_PKT) ||
> > - (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
> > - return false;
> > + acl_hdr = skb_pull_data(clone, sizeof(*acl_hdr));
> > + if (!acl_hdr || (le16_to_cpu(acl_hdr->handle) != QCA_MEMDUMP_ACL_HANDLE))
> > + goto out;
> >
> > - sk_ptr += HCI_EVENT_HDR_SIZE;
> > - sk_len -= HCI_EVENT_HDR_SIZE;
> > + event_hdr = skb_pull_data(clone, sizeof(*event_hdr));
> > + if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
> > + goto out;
> >
> > - dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> > - if ((sk_len < offsetof(struct qca_dump_hdr, data)) ||
> > - (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> > - (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> > - return false;
> > + dump_hdr = skb_pull_data(clone, sizeof(*dump_hdr));
> > + if (!dump_hdr || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> > + (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> > + goto out;
> >
> > - return true;
> > + is_dump = true;
> > +out:
> > + consume_skb(clone);
> > + return is_dump;
> > }
> >
> > /* Return: true if the event packet is a dump packet, false otherwise. */
> > static bool evt_pkt_is_dump_qca(struct hci_dev *hdev, struct sk_buff *skb)
> > {
> > - u8 *sk_ptr;
> > - unsigned int sk_len;
> > -
> > struct hci_event_hdr *event_hdr;
> > struct qca_dump_hdr *dump_hdr;
> > + struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
> > + bool is_dump = false;
> >
> > - sk_ptr = skb->data;
> > - sk_len = skb->len;
> > -
> > - event_hdr = hci_event_hdr(skb);
> > -
> > - if ((event_hdr->evt != HCI_VENDOR_PKT)
> > - || (event_hdr->plen != (sk_len - HCI_EVENT_HDR_SIZE)))
> > + if (!clone)
> > return false;
> >
> > - sk_ptr += HCI_EVENT_HDR_SIZE;
> > - sk_len -= HCI_EVENT_HDR_SIZE;
> > + event_hdr = skb_pull_data(clone, sizeof(*event_hdr));
> > + if (!event_hdr || (event_hdr->evt != HCI_VENDOR_PKT))
> > + goto out;
> >
> > - dump_hdr = (struct qca_dump_hdr *)sk_ptr;
> > - if ((sk_len < offsetof(struct qca_dump_hdr, data)) ||
> > - (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> > - (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> > - return false;
> > + dump_hdr = skb_pull_data(clone, sizeof(*dump_hdr));
> > + if (!dump_hdr || (dump_hdr->vse_class != QCA_MEMDUMP_VSE_CLASS) ||
> > + (dump_hdr->msg_type != QCA_MEMDUMP_MSG_TYPE))
> > + goto out;
> >
> > - return true;
> > + is_dump = true;
> > +out:
> > + consume_skb(clone);
> > + return is_dump;
> > }
> >
> > static int btusb_recv_acl_qca(struct hci_dev *hdev, struct sk_buff *skb)
>
© 2016 - 2025 Red Hat, Inc.