* [v5.4.y] Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS
@ 2021-05-19 17:55 Zubin Mithra
2021-05-24 12:48 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Zubin Mithra @ 2021-05-19 17:55 UTC (permalink / raw)
To: stable; +Cc: gregkh, groeck, apusaka, luiz.von.dentz, marcel
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
L2CAP_OPTIONS shall only be used with BR/EDR modes.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit b86b0b150fed840c376145383ef5105116c81b0c)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
---
* Syzkaller triggered a GPF with the following stacktrace:
l2cap_chan_send+0xa6e/0x1c30 net/bluetooth/l2cap_core.c:2532
l2cap_sock_sendmsg+0x1da/0x1fd net/bluetooth/l2cap_sock.c:985
sock_sendmsg_nosec+0x88/0xb4 net/socket.c:638
sock_sendmsg+0x5e/0x6f net/socket.c:658
____sys_sendmsg+0x45c/0x5a5 net/socket.c:2298
___sys_sendmsg+0x13e/0x19f net/socket.c:2352
__sys_sendmmsg+0x298/0x38c net/socket.c:2455
__do_sys_sendmmsg net/socket.c:2484 [inline]
__se_sys_sendmmsg net/socket.c:2481 [inline]
__x64_sys_sendmmsg+0xad/0xb6 net/socket.c:2481
do_syscall_64+0x10b/0x144 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
* This commit is present in 5.10.y and newer. 4.19.y
and older do not need this fix.
* This patch resolves conflicts that arise due to a BT_DBG()
introduced in the following commit not being present in linux-5.4.y:
- 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
* Tests run: syzkaller reproducer, Chrome OS tryjobs
net/bluetooth/l2cap_sock.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 8648c5211ebe..e43da778c993 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -418,6 +418,20 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
break;
}
+ /* Only BR/EDR modes are supported here */
+ switch (chan->mode) {
+ case L2CAP_MODE_BASIC:
+ case L2CAP_MODE_ERTM:
+ case L2CAP_MODE_STREAMING:
+ break;
+ default:
+ err = -EINVAL;
+ break;
+ }
+
+ if (err < 0)
+ break;
+
memset(&opts, 0, sizeof(opts));
opts.imtu = chan->imtu;
opts.omtu = chan->omtu;
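Review bot: the `if (err < 0) break;` after the new mode switch assumes err is still 0 on entry to the L2CAP_OPTIONS case; the hunk's context does not show that initialisation, so confirm l2cap_sock_getsockopt_old() in 5.4 starts with err = 0 (as the upstream function this was cherry-picked from does), otherwise a stale negative err would make this case bail out before opts is filled. The change is also userspace-visible: a channel whose chan->mode is L2CAP_MODE_LE_FLOWCTL (the only non-BR/EDR mode in 5.4, since the Enhanced Credit Based Mode commit named in the backport note is absent there) now gets EINVAL from getsockopt(SOL_L2CAP, L2CAP_OPTIONS) instead of its options. That is consistent with the one-line commit message, but it is worth stating as a behaviour change, since the cover text only mentions the crash on the send path.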
@@ -677,10 +691,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
break;
}
- chan->mode = opts.mode;
- switch (chan->mode) {
- case L2CAP_MODE_LE_FLOWCTL:
- break;
+ /* Only BR/EDR modes are supported here */
+ switch (opts.mode) {
case L2CAP_MODE_BASIC:
clear_bit(CONF_STATE2_DEVICE, &chan->conf_state);
break;
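Review bot: this hunk carries the actual fix, and the ordering is the point: the removed lines wrote user-controlled opts.mode into chan->mode before validating it and then let L2CAP_MODE_LE_FLOWCTL through with a bare break, so setsockopt(SOL_L2CAP, L2CAP_OPTIONS) could leave a BR/EDR socket in an LE mode, which matches the l2cap_chan_send() frame under sendmsg in the quoted syzkaller trace. Switching on opts.mode instead of chan->mode defers the commit, but the default branch that has to turn LE_FLOWCTL and unknown values into err = -EINVAL lies outside the shown context; confirm the 5.4 function's default case still sets err, because the `if (err < 0) break;` in the next hunk depends on it and nothing in this hunk sets err on its own.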
@@ -694,6 +706,10 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
break;
}
+ if (err < 0)
+ break;
+
+ chan->mode = opts.mode;
chan->imtu = opts.imtu;
chan->omtu = opts.omtu;
chan->fcs = opts.fcs;
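Review bot: placing `chan->mode = opts.mode;` after the `if (err < 0) break;` is right, since a rejected mode now leaves the channel untouched, but the remaining fields are still committed unconditionally: chan->imtu, chan->omtu and chan->fcs (and whatever follows the shown context) take the user-supplied values with no validation in this hunk, so the mode check does not by itself bound them. Any range checks for those fields must live earlier in the case, outside this hunk; if the 5.4 function does not have them, a follow-up should add them rather than rely on the mode switch alone.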
--
2.20.0
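A user-space probe for the behaviour the three hunks above impose, written here as an added example; it is not part of the patch, the kernel, or bluez. It opens an unbound L2CAP socket (BR/EDR by default), writes the current options back with mode set to L2CAP_MODE_LE_FLOWCTL, and reports whether the kernel rejects that with EINVAL (the patched switch on opts.mode) or accepts it and lets getsockopt() hand back the LE mode (the removed `chan->mode = opts.mode` path). It never binds, connects or sends, so it does not reproduce the syzkaller crash; it only observes the setsockopt() result. Assumptions: the constants and the struct l2cap_options layout are copied from the kernel's Bluetooth UAPI headers so the file builds without bluez-dev installed; nothing earlier in the L2CAP_OPTIONS case rejects a fresh, unbound socket, which the hunks do not show; and the function and enum names are this example's own.

```c
/* l2cap_options_probe.c: added example, not part of the patch or the kernel.
 * Asks a running kernel whether the legacy L2CAP_OPTIONS setsockopt() still
 * accepts a non-BR/EDR mode on a BR/EDR socket. No bind/connect/send.
 * Build: cc -Wall -o l2cap_options_probe l2cap_options_probe.c
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Values copied from the kernel's Bluetooth UAPI (bluetooth.h, l2cap.h)
 * so the probe builds without bluez headers. Assumed to match the target. */
#ifndef AF_BLUETOOTH
#define AF_BLUETOOTH 31
#endif
#define BTPROTO_L2CAP          0
#define SOL_L2CAP              6
#define L2CAP_OPTIONS          0x01

#define L2CAP_MODE_BASIC       0x00
#define L2CAP_MODE_ERTM        0x03
#define L2CAP_MODE_STREAMING   0x04
#define L2CAP_MODE_LE_FLOWCTL  0x80

struct l2cap_options {
    uint16_t omtu;
    uint16_t imtu;
    uint16_t flush_to;
    uint8_t  mode;
    uint8_t  fcs;
    uint8_t  max_tx;
    uint16_t txwin_size;
};

/* Mirrors the accept list the patched kernel applies to opts.mode and
 * chan->mode: only the three BR/EDR modes pass through L2CAP_OPTIONS. */
int l2cap_options_mode_allowed(uint8_t mode)
{
    switch (mode) {
    case L2CAP_MODE_BASIC:
    case L2CAP_MODE_ERTM:
    case L2CAP_MODE_STREAMING:
        return 1;
    default:
        return 0;
    }
}

enum probe_result {
    PROBE_UNAVAILABLE = 0, /* this host has no Bluetooth L2CAP sockets */
    PROBE_REJECTED    = 1, /* setsockopt() gave EINVAL: patched behaviour */
    PROBE_ACCEPTED    = 2, /* BR/EDR socket switched to LE_FLOWCTL: unpatched */
    PROBE_ERROR       = 3, /* some other failure; errno is preserved */
};

/* Opens a fresh (unbound, hence BR/EDR) L2CAP socket, reads its options,
 * writes them back with mode = L2CAP_MODE_LE_FLOWCTL, then reads the mode
 * again so the caller sees what the channel really holds afterwards.
 * Assumption: nothing earlier in the setsockopt path rejects an unbound
 * socket, so the outcome reflects the mode switch changed by the patch. */
enum probe_result probe_l2cap_options_le_mode(uint8_t *mode_after)
{
    struct l2cap_options opts;
    socklen_t len = sizeof(opts);
    enum probe_result res = PROBE_ERROR;
    int fd, saved_errno;

    fd = socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP);
    if (fd < 0) {
        if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
            return PROBE_UNAVAILABLE;
        return PROBE_ERROR;
    }

    memset(&opts, 0, sizeof(opts));
    if (getsockopt(fd, SOL_L2CAP, L2CAP_OPTIONS, &opts, &len) < 0)
        goto out;

    opts.mode = L2CAP_MODE_LE_FLOWCTL;
    if (setsockopt(fd, SOL_L2CAP, L2CAP_OPTIONS, &opts, sizeof(opts)) < 0)
        res = (errno == EINVAL) ? PROBE_REJECTED : PROBE_ERROR;
    else
        res = PROBE_ACCEPTED;

    /* Unpatched: the channel now reports 0x80. Patched: still BASIC (0). */
    len = sizeof(opts);
    memset(&opts, 0, sizeof(opts));
    if (getsockopt(fd, SOL_L2CAP, L2CAP_OPTIONS, &opts, &len) == 0 && mode_after)
        *mode_after = opts.mode;
out:
    saved_errno = errno;
    close(fd);
    errno = saved_errno;
    return res;
}

int main(void)
{
    uint8_t mode = 0xff;
    enum probe_result r = probe_l2cap_options_le_mode(&mode);

    switch (r) {
    case PROBE_UNAVAILABLE:
        puts("no L2CAP socket support on this host");
        break;
    case PROBE_REJECTED:
        printf("L2CAP_OPTIONS rejected LE_FLOWCTL (EINVAL); mode still 0x%02x: fix present\n", mode);
        break;
    case PROBE_ACCEPTED:
        printf("L2CAP_OPTIONS accepted LE_FLOWCTL; mode now 0x%02x: fix missing\n", mode);
        break;
    default:
        printf("probe failed: %s\n", strerror(errno));
    }
    return 0;
}
```

Run it as an unprivileged user on the kernel under test (L2CAP SOCK_SEQPACKET sockets need no capability); on a host without Bluetooth support it reports the socket family as unavailable rather than guessing, and on an unpatched kernel the socket is simply closed again, so the probe leaves nothing behind.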
* Re: [v5.4.y] Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS
2021-05-19 17:55 [v5.4.y] Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS Zubin Mithra
@ 2021-05-24 12:48 ` Greg KH
0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2021-05-24 12:48 UTC (permalink / raw)
To: Zubin Mithra; +Cc: stable, groeck, apusaka, luiz.von.dentz, marcel
On Wed, May 19, 2021 at 10:55:02AM -0700, Zubin Mithra wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> L2CAP_OPTIONS shall only be used with BR/EDR modes.
>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
> (cherry picked from commit b86b0b150fed840c376145383ef5105116c81b0c)
> Signed-off-by: Zubin Mithra <zsm@chromium.org>
> ---
> * Syzkaller triggered a GPF with the following stacktrace:
> l2cap_chan_send+0xa6e/0x1c30 net/bluetooth/l2cap_core.c:2532
> l2cap_sock_sendmsg+0x1da/0x1fd net/bluetooth/l2cap_sock.c:985
> sock_sendmsg_nosec+0x88/0xb4 net/socket.c:638
> sock_sendmsg+0x5e/0x6f net/socket.c:658
> ____sys_sendmsg+0x45c/0x5a5 net/socket.c:2298
> ___sys_sendmsg+0x13e/0x19f net/socket.c:2352
> __sys_sendmmsg+0x298/0x38c net/socket.c:2455
> __do_sys_sendmmsg net/socket.c:2484 [inline]
> __se_sys_sendmmsg net/socket.c:2481 [inline]
> __x64_sys_sendmmsg+0xad/0xb6 net/socket.c:2481
> do_syscall_64+0x10b/0x144 arch/x86/entry/common.c:299
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> * This commit is present in 5.10.y and newer. 4.19.y
> and older do not need this fix.
Now queued up, thanks.
greg k-h
* [v5.4.y] Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS
@ 2021-05-19 17:52 Zubin Mithra
0 siblings, 0 replies; 3+ messages in thread
From: Zubin Mithra @ 2021-05-19 17:52 UTC (permalink / raw)
To: stable; +Cc: zsm, zsm