linux/net/bluetooth
Alain Michaud a2ec905d1e Bluetooth: fix kernel oops in store_pending_adv_report
Fix kernel oops observed when an ext adv data is larger than 31 bytes.

This can be reproduced by setting up an advertiser with advertisement
larger than 31 bytes.  The issue is not sensitive to the advertisement
content.  In particular, this was reproduced with an advertisement of
229 bytes filled with 'A'.  See stack trace below.

This is fixed by not catching ext_adv as legacy adv are only cached to
be able to concatenate a scanable adv with its scan response before
sending it up through mgmt.

With ext_adv, this is no longer necessary.

  general protection fault: 0000 [#1] SMP PTI
  CPU: 6 PID: 205 Comm: kworker/u17:0 Not tainted 5.4.0-37-generic #41-Ubuntu
  Hardware name: Dell Inc. XPS 15 7590/0CF6RR, BIOS 1.7.0 05/11/2020
  Workqueue: hci0 hci_rx_work [bluetooth]
  RIP: 0010:hci_bdaddr_list_lookup+0x1e/0x40 [bluetooth]
  Code: ff ff e9 26 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 48 39 c7 75 0a eb 24 48 8b 00 48 39 f8 74 1c 44 8b 06 <44> 39 40 10 75 ef 44 0f b7 4e 04 66 44 39 48 14 75 e3 38 50 16 75
  RSP: 0018:ffffbc6a40493c70 EFLAGS: 00010286
  RAX: 4141414141414141 RBX: 000000000000001b RCX: 0000000000000000
  RDX: 0000000000000000 RSI: ffff9903e76c100f RDI: ffff9904289d4b28
  RBP: ffffbc6a40493c70 R08: 0000000093570362 R09: 0000000000000000
  R10: 0000000000000000 R11: ffff9904344eae38 R12: ffff9904289d4000
  R13: 0000000000000000 R14: 00000000ffffffa3 R15: ffff9903e76c100f
  FS: 0000000000000000(0000) GS:ffff990434580000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007feed125a000 CR3: 00000001b860a003 CR4: 00000000003606e0
  Call Trace:
    process_adv_report+0x12e/0x560 [bluetooth]
    hci_le_meta_evt+0x7b2/0xba0 [bluetooth]
    hci_event_packet+0x1c29/0x2a90 [bluetooth]
    hci_rx_work+0x19b/0x360 [bluetooth]
    process_one_work+0x1eb/0x3b0
    worker_thread+0x4d/0x400
    kthread+0x104/0x140

Fixes: c215e9397b ("Bluetooth: Process extended ADV report event")
Reported-by: Andy Nguyen <theflow@google.com>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
Signed-off-by: Alain Michaud <alainm@chromium.org>
Tested-by: Sonny Sasaka <sonnysasaka@chromium.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-07-30 13:54:04 -07:00
..
bnep Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
cmtp treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
hidp Bluetooth: optimize barrier usage for Rmw atomics 2020-01-29 19:50:44 +01:00
rfcomm Bluetooth: Acquire sk_lock.slock without disabling interrupts 2020-05-29 13:48:46 +02:00
6lowpan.c net: partially revert dynamic lockdep key changes 2020-05-04 12:05:56 -07:00
Kconfig Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
Makefile Bluetooth: Add framework for Microsoft vendor extension 2020-04-05 14:53:05 +03:00
a2mp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
a2mp.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
af_bluetooth.c net: use helpers to change sk_ack_backlog 2019-11-06 16:14:48 -08:00
amp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
amp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
ecdh_helper.c Bluetooth: let the crypto subsystem generate the ecc privkey 2017-10-06 20:35:47 +02:00
ecdh_helper.h Bluetooth: let the crypto subsystem generate the ecc privkey 2017-10-06 20:35:47 +02:00
hci_conn.c Bluetooth: Fix assuming EIR flags can result in SSP authentication 2020-05-20 16:33:43 +02:00
hci_core.c Bluetooth: Add hook for driver to prevent wake from suspend 2020-05-13 09:12:04 +02:00
hci_debugfs.c Bluetooth: debugfs option to unset MITM flag 2020-04-07 18:32:21 +02:00
hci_debugfs.h Bluetooth: Provide option to enable/disable debugfs information 2015-02-15 18:54:13 +02:00
hci_event.c Bluetooth: fix kernel oops in store_pending_adv_report 2020-07-30 13:54:04 -07:00
hci_request.c Bluetooth: Rename BT_SUSPEND_COMPLETE 2020-05-13 09:12:04 +02:00
hci_request.h Bluetooth: Handle PM_SUSPEND_PREPARE and PM_POST_SUSPEND 2020-03-11 18:00:48 +01:00
hci_sock.c Bluetooth: Introduce HCI_MGMT_HDEV_OPTIONAL option 2020-05-11 12:13:38 +02:00
hci_sysfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
l2cap_core.c Bluetooth: L2CAP: Fix errors during L2CAP_CREDIT_BASED_CONNECTION_REQ (0x17) 2020-05-11 12:13:38 +02:00
l2cap_sock.c Bluetooth: L2CAP: add support for waiting disconnection resp 2020-05-13 10:03:51 +02:00
leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
leds.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lib.c Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
mgmt.c Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
mgmt_util.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
mgmt_util.h Bluetooth: Add generic mgmt helper API 2015-03-17 18:03:08 +01:00
msft.c Bluetooth: Add framework for Microsoft vendor extension 2020-04-05 14:53:05 +03:00
msft.h Bluetooth: Add framework for Microsoft vendor extension 2020-04-05 14:53:05 +03:00
sco.c Bluetooth: Fix crash when using new BT_PHY option 2020-02-18 22:02:15 +01:00
selftest.c Bluetooth: Fix compiler warning with selftest duration calculation 2017-10-06 21:49:13 +03:00
selftest.h Bluetooth: Add support for self testing framework 2014-12-30 08:53:55 +02:00
smp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
smp.h Bluetooth: SMP: fix crash in unpairing 2018-09-26 12:39:32 +03:00