public inbox for stable@vger.kernel.org
* [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
       [not found] <20260208081559.44983-1-maiquelpaiva@gmail.com>
@ 2026-02-08  8:15 ` Maiquel Paiva
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  1 sibling, 0 replies; 5+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Add a check for the user-provided length in mgmt_mesh_add() against
the size of the param buffer. This prevents a heap buffer overflow
if the user provides a length larger than the destination buffer.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..bdce52363332 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -413,6 +413,9 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+			return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
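Review bot: the `return NULL;` under the new length check is indented one level too deep (three tabs where the body of the `if` should sit one tab deeper than the `if` itself); kernel style wants `if (len > sizeof(mesh_tx->param))` followed by `\t\treturn NULL;`. On the check itself, `sizeof(mesh_tx->param)` is a compile-time constant, so reading it before `kzalloc()` is safe, but writing it as `sizeof_field(struct mgmt_mesh_tx, param)` makes that explicit and stops a reader from mistaking it for a use of an uninitialised pointer. Finally, both the rejected length and the failed allocation now return `NULL`, so the caller cannot distinguish an oversized user-supplied `len` from an out-of-memory condition; consider an `ERR_PTR(-EINVAL)` style return, or validating `len` in the caller before `mgmt_mesh_add()` is entered.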
-- 
2.43.0



* [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
       [not found] <20260208081559.44983-1-maiquelpaiva@gmail.com>
  2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
@ 2026-02-08  8:15 ` Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
                     ` (2 more replies)
  1 sibling, 3 replies; 5+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

The functions mgmt_mesh_add and mgmt_mesh_find modify or traverse the
mesh_pending list without locking, leading to potential race conditions
and list corruption.

Use guard(spinlock) with hdev->lock to protect the critical sections.
This ensures atomic access to the list and reference counter, preventing
race conditions and avoiding sleeping in atomic context (which fixes CI
failures).

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index bdce52363332..af9194e44943 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
-	if (list_empty(&hdev->mesh_pending))
-		return NULL;
+	guard(spinlock)(&hdev->lock);
 
 	list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
 		if (mesh_tx->handle == handle)
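Review bot: `guard(spinlock)` is the wrong guard class for `hdev->lock`; as the kernel test robot reports later in this thread, `hdev->lock` is a `struct mutex`, so this line fails to build with `incompatible pointer types`. If `hdev->lock` is the lock meant to protect `mesh_pending`, this should be `guard(mutex)(&hdev->lock);`, and the commit message's claim of "avoiding sleeping in atomic context" needs revisiting, since a mutex sleeps; otherwise use the list's own lock as the maintainer's reply asks. There is also a lifetime issue the guard does not solve: the lock is dropped automatically when `return mesh_tx;` executes, so the caller receives a pointer to a list element with no lock held and no reference taken, and a concurrent removal can free it under the caller. Either the caller must hold the lock across the lookup and its use of the result, or a reference must be taken before the guard's scope ends. Dropping the `list_empty()` fast path is fine on its own; `list_for_each_entry()` handles an empty list.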
@@ -420,6 +419,8 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 	if (!mesh_tx)
 		return NULL;
 
+	guard(spinlock)(&hdev->lock);
+
 	hdev->mesh_send_ref++;
 	if (!hdev->mesh_send_ref)
 		hdev->mesh_send_ref++;
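Review bot: same type mismatch as in `mgmt_mesh_find()`: `hdev->lock` is a mutex, so `guard(spinlock)(&hdev->lock);` does not compile here either, and whichever lock is chosen must be the same one in both functions or the list remains unprotected. Placing the guard after `kzalloc(..., GFP_KERNEL)` is right, since that allocation may sleep, and the guard then covers the rest of the function including the `mesh_send_ref` increment and its skip-past-zero retry. The commit message should state that `mesh_send_ref` is now only modified under this lock; any other reader or writer of that counter has to take the same lock, or the race this patch describes persists for the counter even though the list is covered.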
-- 
2.43.0



* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
@ 2026-02-08 12:57   ` kernel test robot
  2026-02-08 12:57   ` kernel test robot
  2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2026-02-08 12:57 UTC (permalink / raw)
  To: Maiquel Paiva, linux-bluetooth
  Cc: oe-kbuild-all, luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Hi Maiquel,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maiquel-Paiva/Bluetooth-mgmt-Fix-heap-overflow-in-mgmt_mesh_add/20260208-161842
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20260208081559.44983-3-maiquelpaiva%40gmail.com
patch subject: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
config: sparc-randconfig-002-20260208 (https://download.01.org/0day-ci/archive/20260208/202602082014.LJf0O75Y-lkp@intel.com/config)
compiler: sparc-linux-gcc (GCC) 11.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260208/202602082014.LJf0O75Y-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602082014.LJf0O75Y-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/bluetooth/mgmt_util.c: In function 'mgmt_mesh_find':
>> net/bluetooth/mgmt_util.c:400:25: error: passing argument 1 of 'class_spinlock_constructor' from incompatible pointer type [-Werror=incompatible-pointer-types]
     400 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
         |                         |
         |                         struct mutex *
   In file included from include/linux/irqflags.h:17,
                    from include/asm-generic/cmpxchg-local.h:6,
                    from arch/sparc/include/asm/cmpxchg_32.h:67,
                    from arch/sparc/include/asm/cmpxchg.h:7,
                    from arch/sparc/include/asm/atomic_32.h:17,
                    from arch/sparc/include/asm/atomic.h:7,
                    from include/linux/atomic.h:7,
                    from include/asm-generic/bitops/lock.h:5,
                    from arch/sparc/include/asm/bitops_32.h:102,
                    from arch/sparc/include/asm/bitops.h:7,
                    from include/linux/bitops.h:67,
                    from include/linux/log2.h:12,
                    from include/asm-generic/div64.h:55,
                    from ./arch/sparc/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/jiffies.h:7,
                    from include/linux/ktime.h:25,
                    from include/linux/poll.h:7,
                    from include/net/bluetooth/bluetooth.h:29,
                    from net/bluetooth/mgmt_util.c:26:
   include/linux/cleanup.h:490:77: note: expected 'spinlock_t *' {aka 'struct spinlock *'} but argument is of type 'struct mutex *'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
   include/linux/cleanup.h:509:1: note: in expansion of macro '__DEFINE_LOCK_GUARD_1'
     509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
         | ^~~~~~~~~~~~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: in expansion of macro 'DEFINE_LOCK_GUARD_1'
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^~~~~~~~~~~~~~~~~~~
   net/bluetooth/mgmt_util.c: In function 'mgmt_mesh_add':
   net/bluetooth/mgmt_util.c:422:25: error: passing argument 1 of 'class_spinlock_constructor' from incompatible pointer type [-Werror=incompatible-pointer-types]
     422 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
         |                         |
         |                         struct mutex *
   In file included from include/linux/irqflags.h:17,
                    from include/asm-generic/cmpxchg-local.h:6,
                    from arch/sparc/include/asm/cmpxchg_32.h:67,
                    from arch/sparc/include/asm/cmpxchg.h:7,
                    from arch/sparc/include/asm/atomic_32.h:17,
                    from arch/sparc/include/asm/atomic.h:7,
                    from include/linux/atomic.h:7,
                    from include/asm-generic/bitops/lock.h:5,
                    from arch/sparc/include/asm/bitops_32.h:102,
                    from arch/sparc/include/asm/bitops.h:7,
                    from include/linux/bitops.h:67,
                    from include/linux/log2.h:12,
                    from include/asm-generic/div64.h:55,
                    from ./arch/sparc/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/jiffies.h:7,
                    from include/linux/ktime.h:25,
                    from include/linux/poll.h:7,
                    from include/net/bluetooth/bluetooth.h:29,
                    from net/bluetooth/mgmt_util.c:26:
   include/linux/cleanup.h:490:77: note: expected 'spinlock_t *' {aka 'struct spinlock *'} but argument is of type 'struct mutex *'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
   include/linux/cleanup.h:509:1: note: in expansion of macro '__DEFINE_LOCK_GUARD_1'
     509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
         | ^~~~~~~~~~~~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: in expansion of macro 'DEFINE_LOCK_GUARD_1'
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^~~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors


vim +/class_spinlock_constructor +400 net/bluetooth/mgmt_util.c

   395	
   396	struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
   397	{
   398		struct mgmt_mesh_tx *mesh_tx;
   399	
 > 400		guard(spinlock)(&hdev->lock);
   401	
   402		list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
   403			if (mesh_tx->handle == handle)
   404				return mesh_tx;
   405		}
   406	
   407		return NULL;
   408	}
   409	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
@ 2026-02-08 12:57   ` kernel test robot
  2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2026-02-08 12:57 UTC (permalink / raw)
  To: Maiquel Paiva, linux-bluetooth
  Cc: oe-kbuild-all, luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Hi Maiquel,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maiquel-Paiva/Bluetooth-mgmt-Fix-heap-overflow-in-mgmt_mesh_add/20260208-161842
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20260208081559.44983-3-maiquelpaiva%40gmail.com
patch subject: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
config: i386-randconfig-r071-20260208 (https://download.01.org/0day-ci/archive/20260208/202602082055.pF9xO7lP-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch version: v0.5.0-8994-gd50c5a4c
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260208/202602082055.pF9xO7lP-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602082055.pF9xO7lP-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/bluetooth/mgmt_util.c:400:18: error: incompatible pointer types passing 'struct mutex *' to parameter of type 'spinlock_t *' (aka 'struct spinlock *') [-Werror,-Wincompatible-pointer-types]
     400 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: passing argument to parameter 'l' here
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^
   include/linux/cleanup.h:508:60: note: expanded from macro 'DEFINE_LOCK_GUARD_1'
     508 | __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__)               \
         |                                                                         ^
   include/linux/cleanup.h:490:77: note: expanded from macro '\
   __DEFINE_LOCK_GUARD_1'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
         |                                                                             ^
   net/bluetooth/mgmt_util.c:422:18: error: incompatible pointer types passing 'struct mutex *' to parameter of type 'spinlock_t *' (aka 'struct spinlock *') [-Werror,-Wincompatible-pointer-types]
     422 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: passing argument to parameter 'l' here
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^
   include/linux/cleanup.h:508:60: note: expanded from macro 'DEFINE_LOCK_GUARD_1'
     508 | __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__)               \
         |                                                                         ^
   include/linux/cleanup.h:490:77: note: expanded from macro '\
   __DEFINE_LOCK_GUARD_1'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
         |                                                                             ^
   2 errors generated.


vim +400 net/bluetooth/mgmt_util.c

   395	
   396	struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
   397	{
   398		struct mgmt_mesh_tx *mesh_tx;
   399	
 > 400		guard(spinlock)(&hdev->lock);
   401	
   402		list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
   403			if (mesh_tx->handle == handle)
   404				return mesh_tx;
   405		}
   406	
   407		return NULL;
   408	}
   409	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
  2026-02-08 12:57   ` kernel test robot
@ 2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-09 19:44 UTC (permalink / raw)
  To: Maiquel Paiva; +Cc: linux-bluetooth, gregkh, marcel, stable

Hi Maiquel,

On Sun, Feb 8, 2026 at 3:17 AM Maiquel Paiva <maiquelpaiva@gmail.com> wrote:
>
> The functions mgmt_mesh_add and mgmt_mesh_find modify or traverse the
> mesh_pending list without locking, leading to potential race conditions
> and list corruption.
>
> Use guard(spinlock) with hdev->lock to protect the critical sections.
> This ensures atomic access to the list and reference counter, preventing
> race conditions and avoiding sleeping in atomic context (which fixes CI
> failures).
>
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Cc: stable@vger.kernel.org
> Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
> ---
>  net/bluetooth/mgmt_util.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
> index bdce52363332..af9194e44943 100644
> --- a/net/bluetooth/mgmt_util.c
> +++ b/net/bluetooth/mgmt_util.c
> @@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
>  {
>         struct mgmt_mesh_tx *mesh_tx;
>
> -       if (list_empty(&hdev->mesh_pending))
> -               return NULL;
> +       guard(spinlock)(&hdev->lock);

Not sure why you switched to use hdev->lock and not mgmt_pending_lock?
And that is a mutex still, not a spinlock.

>
>         list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
>                 if (mesh_tx->handle == handle)
> @@ -420,6 +419,8 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
>         if (!mesh_tx)
>                 return NULL;
>
> +       guard(spinlock)(&hdev->lock);
> +
>         hdev->mesh_send_ref++;
>         if (!hdev->mesh_send_ref)
>                 hdev->mesh_send_ref++;
> --
> 2.43.0
>


-- 
Luiz Augusto von Dentz

