Subject: [PATCH] Bluetooth: handle value is too large should not be used in BIG
From: Edward Adam Davis
Date: 2024-06-16 13:21 UTC
To: bluez.test.bot
Cc: davem, edumazet, johan.hedberg, kuba, linux-bluetooth, linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni, syzkaller-bugs, william.xuanziyang

hci_le_big_sync_established_evt is necessary to filter out cases where the
handle value is belone to ida id range, otherwise ida will be erroneously
released in hci_conn_cleanup.

Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/bluetooth/hci_event.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a487f9df8145..eb1d5a2c48ee 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6893,6 +6893,9 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
 
 bis = hci_conn_hash_lookup_handle(hdev, handle);
 if (!bis) {
+ if (handle > HCI_CONN_HANDLE_MAX)
+ continue;
+
 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
 HCI_ROLE_SLAVE, handle);
 if (IS_ERR(bis))
-- 
2.43.0
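Review bot: the bare `continue` after `+ if (handle > HCI_CONN_HANDLE_MAX)` drops the BIS entry without any trace, so when a controller reports an out-of-range handle the only symptom is a BIS that never shows up; log the skipped handle (a bt_dev_dbg or bt_dev_err with the handle value) before continuing so the condition is diagnosable. The reason for the bound (handles above HCI_CONN_HANDLE_MAX fall into the IDA range and would be freed erroneously in hci_conn_cleanup) is only in the commit message; a one-line comment at the check would make it clear to the next reader why such a handle must never reach hci_conn_add.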
Subject: Re: [PATCH] Bluetooth: handle value is too large should not be used in BIG
From: Paul Menzel
Date: 2024-06-16 20:44 UTC
To: Edward Adam Davis
Cc: davem, edumazet, johan.hedberg, kuba, linux-bluetooth, linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni, syzkaller-bugs, william.xuanziyang

Dear Edward,

Thank you for your patch. It’d be nice if you made the commit message about the action, like:

Bluetooth: Ignore too large handle values in BIG

On 16.06.24 at 15:21, Edward Adam Davis wrote:
> hci_le_big_sync_established_evt is necessary to filter out cases where the
> handle value is belone to ida id range, otherwise ida will be erroneously

belone? Is it belonging?

> released in hci_conn_cleanup.
>
> Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
> Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> net/bluetooth/hci_event.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index a487f9df8145..eb1d5a2c48ee 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -6893,6 +6893,9 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
>
> bis = hci_conn_hash_lookup_handle(hdev, handle);
> if (!bis) {
> + if (handle > HCI_CONN_HANDLE_MAX)
> + continue;
> +

Should some debug message be printed?

> bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
> HCI_ROLE_SLAVE, handle);
> if (IS_ERR(bis))

Kind regards,

Paul
Subject: [PATCH v2] Bluetooth: Ignore too large handle values in BIG
From: Edward Adam Davis
Date: 2024-06-17 11:09 UTC
To: pmenzel
Cc: davem, eadavis, edumazet, johan.hedberg, kuba, linux-bluetooth, linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni, syzkaller-bugs, william.xuanziyang

hci_le_big_sync_established_evt is necessary to filter out cases where the
handle value is belonging to ida id range, otherwise ida will be erroneously
released in hci_conn_cleanup.

Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/bluetooth/hci_event.c | 4 +++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a487f9df8145..3966fbc38df9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6893,6 +6893,10 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
 
 bis = hci_conn_hash_lookup_handle(hdev, handle);
 if (!bis) {
+ if (handle > HCI_CONN_HANDLE_MAX) {
+ bt_dev_dbg(hdev, "ignore too large handle %u", handle);
+ continue;
+ }
 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
 HCI_ROLE_SLAVE, handle);
 if (IS_ERR(bis))
-- 
2.43.0
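Review bot: the range check at `+ if (handle > HCI_CONN_HANDLE_MAX) {` guards only this caller, while the hazard the commit message describes is hci_conn_add accepting a controller-supplied handle that collides with the IDA range and then hci_conn_cleanup freeing it; consider whether the check belongs in hci_conn_add itself, or at least whether any other caller that passes a handle taken from an event needs the same guard, so the same syzbot report cannot recur through a different event. A handle above HCI_CONN_HANDLE_MAX is a controller protocol violation rather than a normal path, so bt_dev_err may be more appropriate than bt_dev_dbg, which is silent unless dynamic debug is enabled.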
Subject: Re: [PATCH v2] Bluetooth: Ignore too large handle values in BIG
From: patchwork-bot+bluetooth
Date: 2024-06-17 14:10 UTC
To: Edward Adam Davis
Cc: pmenzel, davem, edumazet, johan.hedberg, kuba, linux-bluetooth, linux-kernel, luiz.dentz, luiz.von.dentz, marcel, netdev, pabeni, syzkaller-bugs, william.xuanziyang

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 17 Jun 2024 19:09:37 +0800 you wrote:
> hci_le_big_sync_established_evt is necessary to filter out cases where the
> handle value is belonging to ida id range, otherwise ida will be erroneously
> released in hci_conn_cleanup.
>
> Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
> Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>
> [...]

Here is the summary with links:
  - [v2] Bluetooth: Ignore too large handle values in BIG
    https://git.kernel.org/bluetooth/bluetooth-next/c/401ad9b792e1

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html