[PATCH] drivers/bluetooth: btbcm: Use kmalloc

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow
@ 2025-11-11 14:20 Ayaan Mirza Baig
  2025-11-11 15:05 ` bluez.test.bot
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Ayaan Mirza Baig @ 2025-11-11 14:20 UTC (permalink / raw)
  To: marcel, luiz.dentz; +Cc: linux-bluetooth, Ayaan Mirza Baig

Replace the open-coded multiplication in kmalloc() with a call
to kmalloc_array() to prevent potential integer overflows.

This is a mechanical change, replacing BCM_FW_NAME_LEN with
the type-safe sizeof(*fw_name) as the element size

Signed-off-by: Ayaan Mirza Baig <ayaanmirzabaig85@gmail.com>
---
 drivers/bluetooth/btbcm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
index 3a3a56ddbb06..d33cc70eec66 100644
--- a/drivers/bluetooth/btbcm.c
+++ b/drivers/bluetooth/btbcm.c
@@ -642,7 +642,9 @@ int btbcm_initialize(struct hci_dev *hdev, bool *fw_load_done, bool use_autobaud
 		snprintf(postfix, sizeof(postfix), "-%4.4x-%4.4x", vid, pid);
 	}
 
-	fw_name = kmalloc(BCM_FW_NAME_COUNT_MAX * BCM_FW_NAME_LEN, GFP_KERNEL);
+	fw_name = kmalloc_array(BCM_FW_NAME_COUNT_MAX,
+		sizeof(*fw_name),
+		GFP_KERNEL);
 	if (!fw_name)
 		return -ENOMEM;
 
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* RE: drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow
  2025-11-11 14:20 [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow Ayaan Mirza Baig
@ 2025-11-11 15:05 ` bluez.test.bot
  2025-11-11 15:20 ` [PATCH] " Paul Menzel
  2025-11-13 16:10 ` patchwork-bot+bluetooth
  2 siblings, 0 replies; 5+ messages in thread
From: bluez.test.bot @ 2025-11-11 15:05 UTC (permalink / raw)
  To: linux-bluetooth, ayaanmirzabaig85

[-- Attachment #1: Type: text/plain, Size: 2465 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1022104

---Test result---

Test Summary:
CheckPatch                    PENDING   0.33 seconds
GitLint                       PENDING   0.32 seconds
SubjectPrefix                 FAIL      0.42 seconds
BuildKernel                   PASS      25.16 seconds
CheckAllWarning               PASS      27.78 seconds
CheckSparse                   PASS      31.76 seconds
BuildKernel32                 PASS      25.01 seconds
TestRunnerSetup               PASS      503.28 seconds
TestRunner_l2cap-tester       PASS      24.14 seconds
TestRunner_iso-tester         PASS      101.52 seconds
TestRunner_bnep-tester        PASS      6.24 seconds
TestRunner_mgmt-tester        FAIL      119.83 seconds
TestRunner_rfcomm-tester      PASS      9.33 seconds
TestRunner_sco-tester         PASS      14.45 seconds
TestRunner_ioctl-tester       PASS      10.09 seconds
TestRunner_mesh-tester        FAIL      11.54 seconds
TestRunner_smp-tester         PASS      8.57 seconds
TestRunner_userchan-tester    PASS      6.59 seconds
IncrementalBuild              PENDING   0.54 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 487 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.102 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.883 seconds
Mesh - Send cancel - 2                               Timed out    1.997 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow
  2025-11-11 14:20 [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow Ayaan Mirza Baig
  2025-11-11 15:05 ` bluez.test.bot
@ 2025-11-11 15:20 ` Paul Menzel
  2025-11-11 19:24   ` Ayaan Mirza Baig
  2025-11-13 16:10 ` patchwork-bot+bluetooth
  2 siblings, 1 reply; 5+ messages in thread
From: Paul Menzel @ 2025-11-11 15:20 UTC (permalink / raw)
  To: Ayaan Mirza Baig; +Cc: marcel, luiz.dentz, linux-bluetooth

Dear Ayaan,


Thank you for your patch.


Am 11.11.25 um 15:20 schrieb Ayaan Mirza Baig:
> Replace the open-coded multiplication in kmalloc() with a call
> to kmalloc_array() to prevent potential integer overflows.

Excuse my ignorance, how would that overflow happen? How is the 
generated code different?

> This is a mechanical change, replacing BCM_FW_NAME_LEN with
> the type-safe sizeof(*fw_name) as the element size

I’d add a dot/period at the end of the sentence.

> Signed-off-by: Ayaan Mirza Baig <ayaanmirzabaig85@gmail.com>
> ---
>   drivers/bluetooth/btbcm.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
> index 3a3a56ddbb06..d33cc70eec66 100644
> --- a/drivers/bluetooth/btbcm.c
> +++ b/drivers/bluetooth/btbcm.c
> @@ -642,7 +642,9 @@ int btbcm_initialize(struct hci_dev *hdev, bool *fw_load_done, bool use_autobaud
>   		snprintf(postfix, sizeof(postfix), "-%4.4x-%4.4x", vid, pid);
>   	}
>   
> -	fw_name = kmalloc(BCM_FW_NAME_COUNT_MAX * BCM_FW_NAME_LEN, GFP_KERNEL);
> +	fw_name = kmalloc_array(BCM_FW_NAME_COUNT_MAX,
> +		sizeof(*fw_name),
> +		GFP_KERNEL);
>   	if (!fw_name)
>   		return -ENOMEM;
>   


Kind regards,

Paul

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow
  2025-11-11 15:20 ` [PATCH] " Paul Menzel
@ 2025-11-11 19:24   ` Ayaan Mirza Baig
  0 siblings, 0 replies; 5+ messages in thread
From: Ayaan Mirza Baig @ 2025-11-11 19:24 UTC (permalink / raw)
  To: Paul Menzel; +Cc: marcel, luiz.dentz, linux-bluetooth

On Tue, Nov 11, 2025 at 04:20:14PM +0100, Paul Menzel wrote:
> > Replace the open-coded multiplication in kmalloc() with a call
> > to kmalloc_array() to prevent potential integer overflows.
> 
> Excuse my ignorance, how would that overflow happen? How is the generated
> code different?

Hi Paul,

The compiler firstly calculates the size then calles kmalloc().
If BCM_FW_NAME_COUNT_MAX and BCM_FW_NAME_LEN are two large unsigned numbers,
their product can le larget than SIZE_T_MAX, this then leads to it wrapping
to a modulo of SIZE_T_MAX.

kmalloc() then gets called with this tiny, wrapped size.
It allocates a small buffer, and the when the code is executed further,
believing it has a large buffer, writes past the end of the tiny buffer
causing a heap buffer overflow.

> I’d add a dot/period at the end of the sentence.

Thanks! I'll keep that in mind for the future.

Regards,
Ayaan Mirza Baig

---
P.S. By the way, I'm a second year engineering student and
I apologize for any stupid-ish thing I might have done.
Also I would love to learn from my mistakes, any tips and pointers are highly appreciated.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow
  2025-11-11 14:20 [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow Ayaan Mirza Baig
  2025-11-11 15:05 ` bluez.test.bot
  2025-11-11 15:20 ` [PATCH] " Paul Menzel
@ 2025-11-13 16:10 ` patchwork-bot+bluetooth
  2 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+bluetooth @ 2025-11-13 16:10 UTC (permalink / raw)
  To: Ayaan Mirza Baig; +Cc: marcel, luiz.dentz, linux-bluetooth

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 11 Nov 2025 19:50:41 +0530 you wrote:
> Replace the open-coded multiplication in kmalloc() with a call
> to kmalloc_array() to prevent potential integer overflows.
> 
> This is a mechanical change, replacing BCM_FW_NAME_LEN with
> the type-safe sizeof(*fw_name) as the element size
> 
> Signed-off-by: Ayaan Mirza Baig <ayaanmirzabaig85@gmail.com>
> 
> [...]

Here is the summary with links:
  - drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow
    https://git.kernel.org/bluetooth/bluetooth-next/c/aad8651d0f7e

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-11-13 16:10 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-11 14:20 [PATCH] drivers/bluetooth: btbcm: Use kmalloc_array() to prevent overflow Ayaan Mirza Baig
2025-11-11 15:05 ` bluez.test.bot
2025-11-11 15:20 ` [PATCH] " Paul Menzel
2025-11-11 19:24   ` Ayaan Mirza Baig
2025-11-13 16:10 ` patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox