[PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
       [not found] <20260208081559.44983-1-maiquelpaiva@gmail.com>
@ 2026-02-08  8:15 ` Maiquel Paiva
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  1 sibling, 0 replies; 5+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Add a check for the user-provided length in mgmt_mesh_add() against
the size of the param buffer. This prevents a heap buffer overflow
if the user provides a length larger than the destination buffer.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..bdce52363332 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -413,6 +413,9 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+			return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
       [not found] <20260208081559.44983-1-maiquelpaiva@gmail.com>
  2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
@ 2026-02-08  8:15 ` Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
                     ` (2 more replies)
  1 sibling, 3 replies; 5+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

The functions mgmt_mesh_add and mgmt_mesh_find modify or traverse the
mesh_pending list without locking, leading to potential race conditions
and list corruption.

Use guard(spinlock) with hdev->lock to protect the critical sections.
This ensures atomic access to the list and reference counter, preventing
race conditions and avoiding sleeping in atomic context (which fixes CI
failures).

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index bdce52363332..af9194e44943 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
-	if (list_empty(&hdev->mesh_pending))
-		return NULL;
+	guard(spinlock)(&hdev->lock);
 
 	list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
 		if (mesh_tx->handle == handle)
@@ -420,6 +419,8 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 	if (!mesh_tx)
 		return NULL;
 
+	guard(spinlock)(&hdev->lock);
+
 	hdev->mesh_send_ref++;
 	if (!hdev->mesh_send_ref)
 		hdev->mesh_send_ref++;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
@ 2026-02-08 12:57   ` kernel test robot
  2026-02-08 12:57   ` kernel test robot
  2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2026-02-08 12:57 UTC (permalink / raw)
  To: Maiquel Paiva, linux-bluetooth
  Cc: oe-kbuild-all, luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Hi Maiquel,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maiquel-Paiva/Bluetooth-mgmt-Fix-heap-overflow-in-mgmt_mesh_add/20260208-161842
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20260208081559.44983-3-maiquelpaiva%40gmail.com
patch subject: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
config: sparc-randconfig-002-20260208 (https://download.01.org/0day-ci/archive/20260208/202602082014.LJf0O75Y-lkp@intel.com/config)
compiler: sparc-linux-gcc (GCC) 11.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260208/202602082014.LJf0O75Y-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602082014.LJf0O75Y-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/bluetooth/mgmt_util.c: In function 'mgmt_mesh_find':
>> net/bluetooth/mgmt_util.c:400:25: error: passing argument 1 of 'class_spinlock_constructor' from incompatible pointer type [-Werror=incompatible-pointer-types]
     400 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
         |                         |
         |                         struct mutex *
   In file included from include/linux/irqflags.h:17,
                    from include/asm-generic/cmpxchg-local.h:6,
                    from arch/sparc/include/asm/cmpxchg_32.h:67,
                    from arch/sparc/include/asm/cmpxchg.h:7,
                    from arch/sparc/include/asm/atomic_32.h:17,
                    from arch/sparc/include/asm/atomic.h:7,
                    from include/linux/atomic.h:7,
                    from include/asm-generic/bitops/lock.h:5,
                    from arch/sparc/include/asm/bitops_32.h:102,
                    from arch/sparc/include/asm/bitops.h:7,
                    from include/linux/bitops.h:67,
                    from include/linux/log2.h:12,
                    from include/asm-generic/div64.h:55,
                    from ./arch/sparc/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/jiffies.h:7,
                    from include/linux/ktime.h:25,
                    from include/linux/poll.h:7,
                    from include/net/bluetooth/bluetooth.h:29,
                    from net/bluetooth/mgmt_util.c:26:
   include/linux/cleanup.h:490:77: note: expected 'spinlock_t *' {aka 'struct spinlock *'} but argument is of type 'struct mutex *'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
   include/linux/cleanup.h:509:1: note: in expansion of macro '__DEFINE_LOCK_GUARD_1'
     509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
         | ^~~~~~~~~~~~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: in expansion of macro 'DEFINE_LOCK_GUARD_1'
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^~~~~~~~~~~~~~~~~~~
   net/bluetooth/mgmt_util.c: In function 'mgmt_mesh_add':
   net/bluetooth/mgmt_util.c:422:25: error: passing argument 1 of 'class_spinlock_constructor' from incompatible pointer type [-Werror=incompatible-pointer-types]
     422 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
         |                         |
         |                         struct mutex *
   In file included from include/linux/irqflags.h:17,
                    from include/asm-generic/cmpxchg-local.h:6,
                    from arch/sparc/include/asm/cmpxchg_32.h:67,
                    from arch/sparc/include/asm/cmpxchg.h:7,
                    from arch/sparc/include/asm/atomic_32.h:17,
                    from arch/sparc/include/asm/atomic.h:7,
                    from include/linux/atomic.h:7,
                    from include/asm-generic/bitops/lock.h:5,
                    from arch/sparc/include/asm/bitops_32.h:102,
                    from arch/sparc/include/asm/bitops.h:7,
                    from include/linux/bitops.h:67,
                    from include/linux/log2.h:12,
                    from include/asm-generic/div64.h:55,
                    from ./arch/sparc/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/jiffies.h:7,
                    from include/linux/ktime.h:25,
                    from include/linux/poll.h:7,
                    from include/net/bluetooth/bluetooth.h:29,
                    from net/bluetooth/mgmt_util.c:26:
   include/linux/cleanup.h:490:77: note: expected 'spinlock_t *' {aka 'struct spinlock *'} but argument is of type 'struct mutex *'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
   include/linux/cleanup.h:509:1: note: in expansion of macro '__DEFINE_LOCK_GUARD_1'
     509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
         | ^~~~~~~~~~~~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: in expansion of macro 'DEFINE_LOCK_GUARD_1'
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^~~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors


vim +/class_spinlock_constructor +400 net/bluetooth/mgmt_util.c

   395	
   396	struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
   397	{
   398		struct mgmt_mesh_tx *mesh_tx;
   399	
 > 400		guard(spinlock)(&hdev->lock);
   401	
   402		list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
   403			if (mesh_tx->handle == handle)
   404				return mesh_tx;
   405		}
   406	
   407		return NULL;
   408	}
   409	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
@ 2026-02-08 12:57   ` kernel test robot
  2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2026-02-08 12:57 UTC (permalink / raw)
  To: Maiquel Paiva, linux-bluetooth
  Cc: oe-kbuild-all, luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Hi Maiquel,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maiquel-Paiva/Bluetooth-mgmt-Fix-heap-overflow-in-mgmt_mesh_add/20260208-161842
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20260208081559.44983-3-maiquelpaiva%40gmail.com
patch subject: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
config: i386-randconfig-r071-20260208 (https://download.01.org/0day-ci/archive/20260208/202602082055.pF9xO7lP-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch version: v0.5.0-8994-gd50c5a4c
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260208/202602082055.pF9xO7lP-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602082055.pF9xO7lP-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/bluetooth/mgmt_util.c:400:18: error: incompatible pointer types passing 'struct mutex *' to parameter of type 'spinlock_t *' (aka 'struct spinlock *') [-Werror,-Wincompatible-pointer-types]
     400 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: passing argument to parameter 'l' here
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^
   include/linux/cleanup.h:508:60: note: expanded from macro 'DEFINE_LOCK_GUARD_1'
     508 | __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__)               \
         |                                                                         ^
   include/linux/cleanup.h:490:77: note: expanded from macro '\
   __DEFINE_LOCK_GUARD_1'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
         |                                                                             ^
   net/bluetooth/mgmt_util.c:422:18: error: incompatible pointer types passing 'struct mutex *' to parameter of type 'spinlock_t *' (aka 'struct spinlock *') [-Werror,-Wincompatible-pointer-types]
     422 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: passing argument to parameter 'l' here
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^
   include/linux/cleanup.h:508:60: note: expanded from macro 'DEFINE_LOCK_GUARD_1'
     508 | __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__)               \
         |                                                                         ^
   include/linux/cleanup.h:490:77: note: expanded from macro '\
   __DEFINE_LOCK_GUARD_1'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
         |                                                                             ^
   2 errors generated.


vim +400 net/bluetooth/mgmt_util.c

   395	
   396	struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
   397	{
   398		struct mgmt_mesh_tx *mesh_tx;
   399	
 > 400		guard(spinlock)(&hdev->lock);
   401	
   402		list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
   403			if (mesh_tx->handle == handle)
   404				return mesh_tx;
   405		}
   406	
   407		return NULL;
   408	}
   409	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
  2026-02-08 12:57   ` kernel test robot
@ 2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-09 19:44 UTC (permalink / raw)
  To: Maiquel Paiva; +Cc: linux-bluetooth, gregkh, marcel, stable

Hi Maiquel,

On Sun, Feb 8, 2026 at 3:17 AM Maiquel Paiva <maiquelpaiva@gmail.com> wrote:
>
> The functions mgmt_mesh_add and mgmt_mesh_find modify or traverse the
> mesh_pending list without locking, leading to potential race conditions
> and list corruption.
>
> Use guard(spinlock) with hdev->lock to protect the critical sections.
> This ensures atomic access to the list and reference counter, preventing
> race conditions and avoiding sleeping in atomic context (which fixes CI
> failures).
>
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Cc: stable@vger.kernel.org
> Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
> ---
>  net/bluetooth/mgmt_util.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
> index bdce52363332..af9194e44943 100644
> --- a/net/bluetooth/mgmt_util.c
> +++ b/net/bluetooth/mgmt_util.c
> @@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
>  {
>         struct mgmt_mesh_tx *mesh_tx;
>
> -       if (list_empty(&hdev->mesh_pending))
> -               return NULL;
> +       guard(spinlock)(&hdev->lock);

Not sure why you switched to use hdev->lock and not mgmt_pending_lock?
And that is a mutex still, not a spinlock.

>
>         list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
>                 if (mesh_tx->handle == handle)
> @@ -420,6 +419,8 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
>         if (!mesh_tx)
>                 return NULL;
>
> +       guard(spinlock)(&hdev->lock);
> +
>         hdev->mesh_send_ref++;
>         if (!hdev->mesh_send_ref)
>                 hdev->mesh_send_ref++;
> --
> 2.43.0
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-02-09 19:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20260208081559.44983-1-maiquelpaiva@gmail.com>
2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
2026-02-08 12:57   ` kernel test robot
2026-02-08 12:57   ` kernel test robot
2026-02-09 19:44   ` Luiz Augusto von Dentz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox