1. 19 8月, 2021 1 次提交
    • K
      Bluetooth: mgmt: Pessimize compile-time bounds-check · a31e5a41
      Kees Cook 提交于
      After gaining __alloc_size hints, GCC thinks it can reach a memcpy()
      with eir_len == 0 (since it can't see into the rewrite of status).
      Instead, check eir_len == 0, avoiding this future warning:
      
      In function 'eir_append_data',
          inlined from 'read_local_oob_ext_data_complete' at net/bluetooth/mgmt.c:7210:12:
      ./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' offset 5 is out of the bounds [0, 3] [-Warray-bounds]
      ...
      net/bluetooth/hci_request.h:133:2: note: in expansion of macro 'memcpy'
        133 |  memcpy(&eir[eir_len], data, data_len);
            |  ^~~~~~
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: linux-bluetooth@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      a31e5a41
  2. 29 7月, 2021 1 次提交
  3. 26 6月, 2021 9 次提交
  4. 03 6月, 2021 1 次提交
  5. 08 4月, 2021 1 次提交
  6. 06 4月, 2021 1 次提交
    • D
      Bluetooth: Do not set cur_adv_instance in adv param MGMT request · b6f1b79d
      Daniel Winkler 提交于
      We set hdev->cur_adv_instance in the adv param MGMT request to allow the
      callback to the hci param request to set the tx power to the correct
      instance. Now that the callbacks use the advertising handle from the hci
      request (as they should), this workaround is no longer necessary.
      
      Furthermore, this change resolves a race condition that is more
      prevalent when using the extended advertising MGMT calls - if
      hdev->cur_adv_instance is set in the params request, then when the data
      request is called, we believe our new instance is already active. This
      treats it as an update and immediately schedules the instance with the
      controller, which has a potential race with the software rotation adv
      update. By not setting hdev->cur_adv_instance too early, the new
      instance is queued as it should be, to be used when the rotation comes
      around again.
      
      This change is tested on harrison peak to confirm that it resolves the
      race condition on registration, and that there is no regression in
      single- and multi-advertising automated tests.
      Reviewed-by: NMiao-chen Chou <mcchou@chromium.org>
      Signed-off-by: NDaniel Winkler <danielwinkler@google.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      b6f1b79d
  7. 27 3月, 2021 5 次提交
  8. 04 3月, 2021 1 次提交
    • D
      Bluetooth: Allow scannable adv with extended MGMT APIs · ff02db13
      Daniel Winkler 提交于
      An issue was found, where if a bluetooth client requests a broadcast
      advertisement with scan response data, it will not be properly
      registered with the controller. This is because at the time that the
      hci_cp_le_set_scan_param structure is created, the scan response will
      not yet have been received since it comes in a second MGMT call. With
      empty scan response, the request defaults to a non-scannable PDU type.
      On some controllers, the subsequent scan response request will fail due
      to incorrect PDU type, and others will succeed and not use the scan
      response.
      
      This fix allows the advertising parameters MGMT call to include a flag
      to let the kernel know whether a scan response will be coming, so that
      the correct PDU type is used in the first place. A bluetoothd change is
      also incoming to take advantage of it.
      
      To test this, I created a broadcast advertisement with scan response
      data and registered it on the hatch chromebook. Without this change, the
      request fails, and with it will succeed.
      Reviewed-by: NAlain Michaud <alainm@chromium.org>
      Reviewed-by: NSonny Sasaka <sonnysasaka@chromium.org>
      Reviewed-by: NMiao-chen Chou <mcchou@chromium.org>
      Signed-off-by: NDaniel Winkler <danielwinkler@google.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      ff02db13
  9. 03 2月, 2021 1 次提交
    • H
      Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete · b1810feb
      Howard Chung 提交于
      If hci_add_adv_monitor is a pending command(e.g. forward to
      msft_add_monitor_pattern), it is possible that
      mgmt_add_adv_patterns_monitor_complete gets called before
      cmd->user_data gets set, which will cause a crash when we
      try to get the moniter handle through cmd->user_data in
      mgmt_add_adv_patterns_monitor_complete.
      
      This moves the cmd->user_data assignment earlier than
      hci_add_adv_monitor.
      
      RIP: 0010:mgmt_add_adv_patterns_monitor_complete+0x82/0x187 [bluetooth]
      Code: 1e bf 03 00 00 00 be 52 00 00 00 4c 89 ea e8 9e
      e4 02 00 49 89 c6 48 85 c0 0f 84 06 01 00 00 48 89 5d b8 4c 89 fb 4d 8b
      7e 30 <41> 0f b7 47 18 66 89 45 c0 45 84 e4 75 5a 4d 8b 56 28 48 8d 4d
      c8
      RSP: 0018:ffffae81807dbcb8 EFLAGS: 00010286
      RAX: ffff91c4bdf723c0 RBX: 0000000000000000 RCX: ffff91c4e5da5b80
      RDX: ffff91c405680000 RSI: 0000000000000052 RDI: ffff91c49d654c00
      RBP: ffffae81807dbd00 R08: ffff91c49fb157e0 R09: ffff91c49fb157e0
      R10: 000000000002a4f0 R11: ffffffffc0819cfd R12: 0000000000000000
      R13: ffff91c405680000 R14: ffff91c4bdf723c0 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff91c4ea300000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000018 CR3: 0000000133612002 CR4:
      00000000003606e0
      Call Trace:
       ? msft_le_monitor_advertisement_cb+0x111/0x141
      [bluetooth]
       hci_event_packet+0x425e/0x631c [bluetooth]
       ? printk+0x59/0x73
       ? __switch_to_asm+0x41/0x70
       ?
      msft_le_set_advertisement_filter_enable_cb+0xa6/0xa6 [bluetooth]
       ? bt_dbg+0xb4/0xbb [bluetooth]
       ? __switch_to_asm+0x41/0x70
       hci_rx_work+0x101/0x319 [bluetooth]
       process_one_work+0x257/0x506
       worker_thread+0x10d/0x284
       kthread+0x14c/0x154
       ? process_one_work+0x506/0x506
       ? kthread_blkcg+0x2c/0x2c
       ret_from_fork+0x1f/0x40
      Reviewed-by: NMiao-chen Chou <mcchou@chromium.org>
      Reviewed-by: NManish Mandlik <mmandlik@chromium.org>
      Reviewed-by: NArchie Pusaka <apusaka@chromium.org>
      Signed-off-by: NHoward Chung <howardchung@google.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      b1810feb
  10. 25 1月, 2021 3 次提交
  11. 19 12月, 2020 1 次提交
  12. 07 12月, 2020 5 次提交
  13. 26 9月, 2020 1 次提交
  14. 13 9月, 2020 2 次提交
  15. 11 9月, 2020 3 次提交
  16. 31 7月, 2020 1 次提交
  17. 30 7月, 2020 2 次提交
  18. 15 7月, 2020 1 次提交