Message ID | 20241008154005.595169-2-luiz.dentz@gmail.com |
---|---|
State | Superseded |
Series | [v1,1/2] Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet | expand |
Hi Luiz, kernel test robot noticed the following build warnings: [auto build test WARNING on bluetooth-next/master] [also build test WARNING on bluetooth/master linus/master v6.12-rc2 next-20241008] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-hci_core-Fix-not-checking-skb-length-on-hci_scodata_packet/20241008-234120 base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master patch link: https://lore.kernel.org/r/20241008154005.595169-2-luiz.dentz%40gmail.com patch subject: [PATCH v1 2/2] Bluetooth: hci_core: Fix not checking skb length on hci_scodata_packet config: x86_64-rhel-8.3 (https://download.01.org/0day-ci/archive/20241009/202410091240.Pm3POYhz-lkp@intel.com/config) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241009/202410091240.Pm3POYhz-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. 
not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410091240.Pm3POYhz-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from include/linux/kernel.h:31, from include/linux/rfkill.h:33, from net/bluetooth/hci_core.c:29: net/bluetooth/hci_core.c: In function 'hci_scodata_packet': >> include/net/bluetooth/bluetooth.h:280:16: warning: format '%s' expects argument of type 'char *', but argument 4 has type 'unsigned int' [-Wformat=] 280 | BT_DBG("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) | ^~~~~~ include/linux/printk.h:355:21: note: in definition of macro 'pr_fmt' 355 | #define pr_fmt(fmt) fmt | ^~~ include/linux/dynamic_debug.h:248:9: note: in expansion of macro '__dynamic_func_call_cls' 248 | __dynamic_func_call_cls(__UNIQUE_ID(ddebug), cls, fmt, func, ##__VA_ARGS__) | ^~~~~~~~~~~~~~~~~~~~~~~ include/linux/dynamic_debug.h:250:9: note: in expansion of macro '_dynamic_func_call_cls' 250 | _dynamic_func_call_cls(_DPRINTK_CLASS_DFLT, fmt, func, ##__VA_ARGS__) | ^~~~~~~~~~~~~~~~~~~~~~ include/linux/dynamic_debug.h:269:9: note: in expansion of macro '_dynamic_func_call' 269 | _dynamic_func_call(fmt, __dynamic_pr_debug, \ | ^~~~~~~~~~~~~~~~~~ include/linux/printk.h:589:9: note: in expansion of macro 'dynamic_pr_debug' 589 | dynamic_pr_debug(fmt, ##__VA_ARGS__) | ^~~~~~~~~~~~~~~~ include/net/bluetooth/bluetooth.h:268:33: note: in expansion of macro 'pr_debug' 268 | #define BT_DBG(fmt, ...) 
pr_debug(fmt "\n", ##__VA_ARGS__) | ^~~~~~~~ include/net/bluetooth/bluetooth.h:280:9: note: in expansion of macro 'BT_DBG' 280 | BT_DBG("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) | ^~~~~~ net/bluetooth/hci_core.c:3825:9: note: in expansion of macro 'bt_dev_dbg' 3825 | bt_dev_dbg(hdev, "%s len %d handle 0x%4.4x flags 0x%4.4x", skb->len, | ^~~~~~~~~~ >> include/net/bluetooth/bluetooth.h:280:16: warning: format '%x' expects a matching 'unsigned int' argument [-Wformat=] 280 | BT_DBG("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) | ^~~~~~ include/linux/printk.h:355:21: note: in definition of macro 'pr_fmt' 355 | #define pr_fmt(fmt) fmt | ^~~ include/linux/dynamic_debug.h:248:9: note: in expansion of macro '__dynamic_func_call_cls' 248 | __dynamic_func_call_cls(__UNIQUE_ID(ddebug), cls, fmt, func, ##__VA_ARGS__) | ^~~~~~~~~~~~~~~~~~~~~~~ include/linux/dynamic_debug.h:250:9: note: in expansion of macro '_dynamic_func_call_cls' 250 | _dynamic_func_call_cls(_DPRINTK_CLASS_DFLT, fmt, func, ##__VA_ARGS__) | ^~~~~~~~~~~~~~~~~~~~~~ include/linux/dynamic_debug.h:269:9: note: in expansion of macro '_dynamic_func_call' 269 | _dynamic_func_call(fmt, __dynamic_pr_debug, \ | ^~~~~~~~~~~~~~~~~~ include/linux/printk.h:589:9: note: in expansion of macro 'dynamic_pr_debug' 589 | dynamic_pr_debug(fmt, ##__VA_ARGS__) | ^~~~~~~~~~~~~~~~ include/net/bluetooth/bluetooth.h:268:33: note: in expansion of macro 'pr_debug' 268 | #define BT_DBG(fmt, ...) pr_debug(fmt "\n", ##__VA_ARGS__) | ^~~~~~~~ include/net/bluetooth/bluetooth.h:280:9: note: in expansion of macro 'BT_DBG' 280 | BT_DBG("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) | ^~~~~~ net/bluetooth/hci_core.c:3825:9: note: in expansion of macro 'bt_dev_dbg' 3825 | bt_dev_dbg(hdev, "%s len %d handle 0x%4.4x flags 0x%4.4x", skb->len, | ^~~~~~~~~~ vim +280 include/net/bluetooth/bluetooth.h 9b392e0e0b6d02 Luiz Augusto von Dentz 2022-03-03 272 6f558b70fb39fc Loic Poulain 2015-08-30 273 #define bt_dev_info(hdev, fmt, ...) 
\ 9b392e0e0b6d02 Luiz Augusto von Dentz 2022-03-03 274 BT_INFO("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) 594b31ea7dc610 Frederic Danis 2015-09-23 275 #define bt_dev_warn(hdev, fmt, ...) \ 9b392e0e0b6d02 Luiz Augusto von Dentz 2022-03-03 276 BT_WARN("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) 6f558b70fb39fc Loic Poulain 2015-08-30 277 #define bt_dev_err(hdev, fmt, ...) \ 9b392e0e0b6d02 Luiz Augusto von Dentz 2022-03-03 278 BT_ERR("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) 6f558b70fb39fc Loic Poulain 2015-08-30 279 #define bt_dev_dbg(hdev, fmt, ...) \ 9b392e0e0b6d02 Luiz Augusto von Dentz 2022-03-03 @280 BT_DBG("%s: " fmt, bt_dev_name(hdev), ##__VA_ARGS__) 6f558b70fb39fc Loic Poulain 2015-08-30 281
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d5f917076e0e..462522098129 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3808,18 +3808,22 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
 /* SCO data packet */
 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
 {
- struct hci_sco_hdr *hdr = (void *) skb->data;
+ struct hci_sco_hdr *hdr;
 struct hci_conn *conn;
 __u16 handle, flags;
- skb_pull(skb, HCI_SCO_HDR_SIZE);
+ hdr = skb_pull_data(skb, sizeof(*hdr));
+ if (!hdr) {
+ bt_dev_err(hdev, "SCO packet too small");
+ goto drop;
+ }
 handle = __le16_to_cpu(hdr->handle);
 flags = hci_flags(handle);
 handle = hci_handle(handle);
- BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
- handle, flags);
+ bt_dev_dbg(hdev, "%s len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
+ handle, flags);
 hdev->stat.sco_rx++;
@@ -3837,6 +3841,7 @@ static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
 handle);
 }
+drop:
 kfree_skb(skb);
 }
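Review bot: The new `bt_dev_err(hdev, "SCO packet too small")` in the `!hdr` branch logs at error level with no rate limit for every undersized SCO frame. Frame length is set by the controller or transport driver, so a misbehaving or hostile device could flood the kernel log; `bt_dev_err_ratelimited(hdev, "SCO packet too small");` would bound that. The `goto drop` path also skips `hdev->stat.sco_rx++`, so rejected frames leave no counter trace; if that is intended, a short comment at the `drop:` label in the second hunk would make it explicit, e.g. `/* malformed frames are freed without being counted */`. The function body between the two hunks is not visible here, so this assumes nothing else on the path to `drop:` needs undoing.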