* [PATCH v1 1/2] Bluetooth: Fix NULL pointer dereference on eir_get_service_data
@ 2025-06-05 15:23 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-06-05 15:23 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The len parameter is considered optional, so it can be NULL, and thus it cannot
be used for skipping to the next entry of EIR_SERVICE_DATA.
Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/eir.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 1bc51e2b05a3..3e1713673ecc 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -366,17 +366,19 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)
void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
{
- while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, len))) {
+ size_t dlen;
+
+ while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
u16 value = get_unaligned_le16(eir);
if (uuid == value) {
if (len)
- *len -= 2;
+ *len = dlen - 2;
return &eir[2];
}
- eir += *len;
- eir_len -= *len;
+ eir += dlen;
+ eir_len -= dlen;
}
return NULL;
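Review bot: the loop still reads a 16-bit UUID with get_unaligned_le16(eir) and computes `*len = dlen - 2` without first checking that dlen >= 2. An EIR_SERVICE_DATA entry carrying a single data byte would read one byte past the entry and, on a match, leave *len as (size_t)-1. Suggest skipping short entries before the UUID compare, e.g. `if (dlen < 2) { eir += dlen; eir_len -= dlen; continue; }`. Also worth confirming the length bookkeeping on the non-matching path: eir_len is reduced only by dlen, not by the entry's length/type header or by any bytes eir_get_data skipped before returning, so on later iterations it overstates the bytes actually left in the buffer.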
--
2.49.0
* [PATCH v1 2/2] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
From: Luiz Augusto von Dentz @ 2025-06-05 15:23 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
When using an existing adv_info instance for a broadcast source it
needs to be updated to periodic first before it can be reused; also, in
case the existing instance already has data, hci_set_adv_instance_data
cannot be used directly since it would overwrite the existing data, so
this reappends the original data after the Broadcast ID, if one was
generated.
Link: https://github.com/bluez/bluez/issues/1117
Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_sync.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 62d1ff951ebe..54140f4acdb0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -1559,7 +1559,8 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
{
u8 bid[3];
- u8 ad[4 + 3];
+ u8 ad[HCI_MAX_EXT_AD_LENGTH];
+ u8 len;
/* Skip if NULL adv as instance 0x00 is used for general purpose
* advertising so it cannot used for the likes of Broadcast Announcement
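Review bot: `ad` is now HCI_MAX_EXT_AD_LENGTH bytes but is not zero-initialised, and the later call in this function still hands `sizeof(ad)` to hci_set_adv_instance_data, so every byte after the appended data is uninitialised stack memory copied into the instance. Either initialise it (`u8 ad[HCI_MAX_EXT_AD_LENGTH] = {};`) or, better, track the bytes actually written and pass that length instead of sizeof(ad).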
@@ -1585,7 +1586,8 @@ static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
/* Generate Broadcast ID */
get_random_bytes(bid, sizeof(bid));
- eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
+ len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
+ memcpy(ad + len, adv->adv_data, adv->adv_data_len);
hci_set_adv_instance_data(hdev, adv->instance, sizeof(ad), ad, 0, NULL);
return hci_update_adv_data_sync(hdev, adv->instance);
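Review bot: `memcpy(ad + len, adv->adv_data, adv->adv_data_len)` has no check that `len + adv->adv_data_len <= sizeof(ad)`. The Broadcast ID service data occupies 7 bytes (the old `ad[4 + 3]` size), so an existing instance whose adv_data is already within 7 bytes of HCI_MAX_EXT_AD_LENGTH overruns the stack buffer. Suggest rejecting (or truncating) when `adv->adv_data_len > sizeof(ad) - len`, and passing `len + adv->adv_data_len` rather than `sizeof(ad)` to hci_set_adv_instance_data so the stored instance length matches the data actually assembled.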
@@ -1603,8 +1605,15 @@ int hci_start_per_adv_sync(struct hci_dev *hdev, u8 instance, u8 data_len,
if (instance) {
adv = hci_find_adv_instance(hdev, instance);
- /* Create an instance if that could not be found */
- if (!adv) {
+ if (adv) {
+ /* Turn it into periodic advertising */
+ adv->periodic = true;
+ adv->per_adv_data_len = data_len;
+ if (data)
+ memcpy(adv->per_adv_data, data, data_len);
+ adv->flags = flags;
+ } else if (!adv) {
+ /* Create an instance if that could not be found */
adv = hci_add_per_instance(hdev, instance, flags,
data_len, data,
sync_interval,
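Review bot: `} else if (!adv) {` is redundant after `if (adv) {`; a plain `else` reads cleaner and avoids suggesting a third state. In the reuse branch, `adv->per_adv_data_len = data_len` is assigned even when `data` is NULL, leaving the length pointing at whatever per_adv_data held before, and data_len is not bounded against the size of adv->per_adv_data before the memcpy. Suggest validating data_len against the buffer, setting per_adv_data_len to 0 when data is NULL, and checking whether sync_interval (and the other periodic parameters the new-instance path receives) also need to be applied to the reused instance.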
--
2.49.0
* RE: [v1,1/2] Bluetooth: Fix NULL pointer dereference on eir_get_service_data
From: bluez.test.bot @ 2025-06-05 16:02 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=968964
---Test result---
Test Summary:
CheckPatch PENDING 0.23 seconds
GitLint PENDING 0.27 seconds
SubjectPrefix PASS 0.23 seconds
BuildKernel PASS 24.37 seconds
CheckAllWarning PASS 26.93 seconds
CheckSparse PASS 30.79 seconds
BuildKernel32 PASS 24.99 seconds
TestRunnerSetup PASS 461.11 seconds
TestRunner_l2cap-tester PASS 25.14 seconds
TestRunner_iso-tester PASS 37.97 seconds
TestRunner_bnep-tester PASS 5.90 seconds
TestRunner_mgmt-tester FAIL 132.98 seconds
TestRunner_rfcomm-tester PASS 9.30 seconds
TestRunner_sco-tester PASS 14.85 seconds
TestRunner_ioctl-tester PASS 9.99 seconds
TestRunner_mesh-tester PASS 7.47 seconds
TestRunner_smp-tester PASS 8.53 seconds
TestRunner_userchan-tester PASS 6.14 seconds
IncrementalBuild PENDING 0.63 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 485 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
LL Privacy - Set Flags 3 (2 Devices to RL) Failed 0.227 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH v1 1/2] Bluetooth: Fix NULL pointer dereference on eir_get_service_data
From: patchwork-bot+bluetooth @ 2025-06-05 19:20 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 5 Jun 2025 11:23:15 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> The len parameter is considered optional, so it can be NULL, and thus it cannot
> be used for skipping to the next entry of EIR_SERVICE_DATA.
>
> Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> [...]
Here is the summary with links:
- [v1,1/2] Bluetooth: Fix NULL pointer dereference on eir_get_service_data
https://git.kernel.org/bluetooth/bluetooth-next/c/8dfaf658a378
- [v1,2/2] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
https://git.kernel.org/bluetooth/bluetooth-next/c/7615e0c7b24a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html