* [PATCH v2 1/2] Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected()
2022-02-01 20:03 [PATCH v2 0/2] Bluetooth: Fix skb handling in net/bluetooth/mgmt.c Radoslaw Biernacki
@ 2022-02-01 20:03 ` Radoslaw Biernacki
2022-02-01 20:03 ` [PATCH v2 2/2] Bluetooth: Improve skb handling in mgmt_device_connected() Radoslaw Biernacki
2022-02-01 20:12 ` [PATCH v2 0/2] Bluetooth: Fix skb handling in net/bluetooth/mgmt.c Radosław Biernacki
2 siblings, 0 replies; 4+ messages in thread
From: Radoslaw Biernacki @ 2022-02-01 20:03 UTC (permalink / raw)
To: linux-bluetooth, Luiz Augusto von Dentz, Marcel Holtmann
Cc: CrosBT Upstreaming, Archie Pusaka, Miao-chen Chou, Jakub Kicinski,
Johan Hedberg, linux-kernel, netdev, upstream, Radoslaw Biernacki,
Angela Czubak, Marek Maslanka
From: Radoslaw Biernacki <rad@semihalf.com>
This patch fixes skb allocation, as lack of space for ev might push skb
tail beyond its end.
Also introduce eir_precalc_len() that can be used instead of magic
numbers for similar eir operations on skb.
Fixes: cf1bce1de7eeb ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_FOUND")
Fixes: e96741437ef0a ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_CONNECTED")
Signed-off-by: Angela Czubak <acz@semihalf.com>
Signed-off-by: Marek Maslanka <mm@semihalf.com>
Signed-off-by: Radoslaw Biernacki <rad@semihalf.com>
---
net/bluetooth/eir.h | 5 +++++
net/bluetooth/mgmt.c | 18 ++++++++----------
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/net/bluetooth/eir.h b/net/bluetooth/eir.h
index 05e2e917fc25..e5876751f07e 100644
--- a/net/bluetooth/eir.h
+++ b/net/bluetooth/eir.h
@@ -15,6 +15,11 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr);
u8 eir_append_local_name(struct hci_dev *hdev, u8 *eir, u8 ad_len);
u8 eir_append_appearance(struct hci_dev *hdev, u8 *ptr, u8 ad_len);
+static inline u16 eir_precalc_len(u8 data_len)
+{
+ return sizeof(u8) * 2 + data_len;
+}
+
static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type,
u8 *data, u8 data_len)
{
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 5dd684e0b259..43ca228104ce 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9061,12 +9061,14 @@ void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
u16 eir_len = 0;
u32 flags = 0;
+ /* allocate buff for LE or BR/EDR adv */
if (conn->le_adv_data_len > 0)
skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
- conn->le_adv_data_len);
+ sizeof(*ev) + conn->le_adv_data_len);
else
skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
- 2 + name_len + 5);
+ sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
+ eir_precalc_len(sizeof(conn->dev_class)));
ev = skb_put(skb, sizeof(*ev));
bacpy(&ev->addr.bdaddr, &conn->dst);
@@ -9785,13 +9787,11 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
{
struct sk_buff *skb;
struct mgmt_ev_device_found *ev;
- u16 eir_len;
- u32 flags;
+ u16 eir_len = 0;
+ u32 flags = 0;
- if (name_len)
- skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND, 2 + name_len);
- else
- skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND, 0);
+ skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
+ sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
ev = skb_put(skb, sizeof(*ev));
bacpy(&ev->addr.bdaddr, bdaddr);
@@ -9801,10 +9801,8 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
if (name) {
eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
name_len);
- flags = 0;
skb_put(skb, eir_len);
} else {
- eir_len = 0;
flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
}
--
2.35.0.rc2.247.g8bbb082509-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH v2 2/2] Bluetooth: Improve skb handling in mgmt_device_connected()
2022-02-01 20:03 [PATCH v2 0/2] Bluetooth: Fix skb handling in net/bluetooth/mgmt.c Radoslaw Biernacki
2022-02-01 20:03 ` [PATCH v2 1/2] Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected() Radoslaw Biernacki
@ 2022-02-01 20:03 ` Radoslaw Biernacki
2022-02-01 20:12 ` [PATCH v2 0/2] Bluetooth: Fix skb handling in net/bluetooth/mgmt.c Radosław Biernacki
2 siblings, 0 replies; 4+ messages in thread
From: Radoslaw Biernacki @ 2022-02-01 20:03 UTC (permalink / raw)
To: linux-bluetooth, Luiz Augusto von Dentz, Marcel Holtmann
Cc: CrosBT Upstreaming, Archie Pusaka, Miao-chen Chou, Jakub Kicinski,
Johan Hedberg, linux-kernel, netdev, upstream, Radoslaw Biernacki,
Angela Czubak, Marek Maslanka, Radoslaw Biernacki
This patch introduce eir_skb_put_data() that can be used to simplify
operations on eir in goal of eliminating the necessity of intermediary
buffers.
eir_skb_put_data() is in pair to what eir_append_data() does with help of
eir_len, but without awkwardness when passing return value to skb_put() (as
it returns updated offset not size).
Signed-off-by: Radoslaw Biernacki <rad@semihalf.com>
---
net/bluetooth/eir.h | 15 +++++++++++++++
net/bluetooth/mgmt.c | 25 ++++++++-----------------
2 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/net/bluetooth/eir.h b/net/bluetooth/eir.h
index e5876751f07e..43f1945bffc5 100644
--- a/net/bluetooth/eir.h
+++ b/net/bluetooth/eir.h
@@ -41,6 +41,21 @@ static inline u16 eir_append_le16(u8 *eir, u16 eir_len, u8 type, u16 data)
return eir_len;
}
+static inline u16 eir_skb_put_data(struct sk_buff *skb, u8 type, u8 *data, u8 data_len)
+{
+ u8 *eir;
+ u16 eir_len;
+
+ eir_len = eir_precalc_len(data_len);
+ eir = skb_put(skb, eir_len);
+ WARN_ON(sizeof(type) + data_len > U8_MAX);
+ eir[0] = sizeof(type) + data_len;
+ eir[1] = type;
+ memcpy(&eir[2], data, data_len);
+
+ return eir_len;
+}
+
static inline void *eir_get_data(u8 *eir, size_t eir_len, u8 type,
size_t *data_len)
{
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 43ca228104ce..4a24159f7dd6 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9087,18 +9087,12 @@ void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
skb_put_data(skb, conn->le_adv_data, conn->le_adv_data_len);
eir_len = conn->le_adv_data_len;
} else {
- if (name_len > 0) {
- eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
- name, name_len);
- skb_put(skb, eir_len);
- }
+ if (name)
+ eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
- if (memcmp(conn->dev_class, "\0\0\0", 3) != 0) {
- eir_len = eir_append_data(ev->eir, eir_len,
- EIR_CLASS_OF_DEV,
- conn->dev_class, 3);
- skb_put(skb, 5);
- }
+ if (memcmp(conn->dev_class, "\0\0\0", sizeof(conn->dev_class)))
+ eir_len += eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
+ conn->dev_class, sizeof(conn->dev_class));
}
ev->eir_len = cpu_to_le16(eir_len);
@@ -9798,13 +9792,10 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
ev->addr.type = link_to_bdaddr(link_type, addr_type);
ev->rssi = rssi;
- if (name) {
- eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
- name_len);
- skb_put(skb, eir_len);
- } else {
+ if (name)
+ eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
+ else
flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
- }
ev->eir_len = cpu_to_le16(eir_len);
ev->flags = cpu_to_le32(flags);
--
2.35.0.rc2.247.g8bbb082509-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v2 0/2] Bluetooth: Fix skb handling in net/bluetooth/mgmt.c
2022-02-01 20:03 [PATCH v2 0/2] Bluetooth: Fix skb handling in net/bluetooth/mgmt.c Radoslaw Biernacki
2022-02-01 20:03 ` [PATCH v2 1/2] Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected() Radoslaw Biernacki
2022-02-01 20:03 ` [PATCH v2 2/2] Bluetooth: Improve skb handling in mgmt_device_connected() Radoslaw Biernacki
@ 2022-02-01 20:12 ` Radosław Biernacki
2 siblings, 0 replies; 4+ messages in thread
From: Radosław Biernacki @ 2022-02-01 20:12 UTC (permalink / raw)
To: linux-bluetooth, Luiz Augusto von Dentz, Marcel Holtmann
Cc: CrosBT Upstreaming, Archie Pusaka, Miao-chen Chou, Jakub Kicinski,
Johan Hedberg, Linux Kernel Mailing List,
open list:NETWORKING [GENERAL], upstream, Angela Czubak,
Marek Maslanka, Radoslaw Biernacki
Hey, please ignore this one as I made a typo in the domain name :|
wt., 1 lut 2022 o 21:03 Radoslaw Biernacki <rad@semihalf.com> napisał(a):
>
> Here is second version of the fix for skb handling in net/bluetooth/mgmt.c
> First patch is fixing the skb allocation which theoretically might push skb
> tail beyond its end.
> Second patch simplifies operations on eir while using skb.
> Patches adds two helper functions to eir.h to align to the goal of
> eliminating the necessity of intermediary buffers, which can be achieved
> with additional changes done in this spirit.
>
> v1->v2:
> - fix mgmt_device_connected()
> - add eir_skb_put_data() - function for skb handing with eir
>
> Radoslaw Biernacki (2):
> Bluetooth: Fix skb allocation in mgmt_remote_name() &
> mgmt_device_connected()
> Bluetooth: Improve skb handling in mgmt_device_connected()
>
> net/bluetooth/eir.h | 20 ++++++++++++++++++++
> net/bluetooth/mgmt.c | 43 ++++++++++++++++---------------------------
> 2 files changed, 36 insertions(+), 27 deletions(-)
>
> --
> 2.35.0.rc2.247.g8bbb082509-goog
>
^ permalink raw reply [flat|nested] 4+ messages in thread