korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-14 22:44:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
f70d849b67
linux/include
History
Sungwoo Kim ad3f7986c5 Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() 
commit a5b862c6a2 upstream.

l2cap_le_flowctl_init() can cause both div-by-zero and an integer
overflow since hdev->le_mtu may not fall in the valid range.

Move MTU from hci_dev to hci_conn to validate MTU and stop the connection
process earlier if MTU is invalid.
Also, add a missing validation in read_buffer_size() and make it return
an error value if the validation fails.
Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a
kzalloc failure and invalid MTU value.

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G        W          6.9.0-rc5+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_rx_work
RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547
Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c
89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d
b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42
RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246
RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f
RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa
R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084
R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000
FS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]
 l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]
 l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]
 l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809
 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506
 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]
 hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335
 worker_thread+0x926/0xe70 kernel/workqueue.c:3416
 kthread+0x2e3/0x380 kernel/kthread.c:388
 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

Fixes: 6ed58ec520 ("Bluetooth: Use LE buffers for LE traffic")
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-05-25 16:22:53 +02:00
..
acpi ACPI: x86: Move acpi_quirk_skip_serdev_enumeration() out of CONFIG_X86_ANDROID_TABLETS 2024-04-13 13:07:31 +02:00
asm-generic sched: Add missing memory barrier in switch_mm_cid 2024-04-27 17:11:41 +02:00
clocksource
crypto crypto: af_alg - Disallow multiple in-flight AIO requests 2024-01-25 15:35:16 -08:00
drm mm, treewide: introduce NR_PAGE_ORDERS 2024-05-02 16:32:41 +02:00
dt-bindings clk: renesas: r8a779g0: Correct PFC/GPIO parent clocks 2024-03-26 18:19:47 -04:00
keys
kunit - An extensive rework of kexec and crash Kconfig from Eric DeVolder 2023-08-29 14:53:51 -07:00
kvm KVM: arm64: Fix host-programmed guest events in nVHE 2024-04-10 16:35:48 +02:00
linux VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist 2024-05-17 12:02:38 +02:00
math-emu
media media: mc: Add num_links flag to media_pad 2024-04-03 15:28:17 +02:00
memory
misc
net Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() 2024-05-25 16:22:53 +02:00
pcmcia
ras
rdma RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz 2023-12-13 18:45:16 +01:00
rv rv: Set variable 'da_mon_##name' to static 2023-09-01 21:00:00 -04:00
scsi scsi: sd: Fix TCG OPAL unlock on system resume 2024-04-03 15:28:59 +02:00
soc soc: qcom: socinfo: rename PM2250 to PM4125 2024-03-26 18:19:23 -04:00
sound ALSA: emu10k1: move the whole GPIO event handling to the workqueue 2024-05-17 12:02:03 +02:00
target
trace rxrpc: Fix the names of the fields in the ACK trailer struct 2024-05-17 12:02:23 +02:00
uapi drm/amdkfd: range check cp bad op exception interrupts 2024-05-17 12:02:11 +02:00
ufs Merge branch 'fixes' into misc 2023-09-02 08:25:19 +01:00
vdso
video fbdev: stifb: Make the STI next font pointer a 32-bit signed offset 2023-11-28 17:19:58 +00:00
xen xen/events: reduce externally visible helper functions 2024-03-01 13:34:57 +01:00