From: Mark Brown <broonie@kernel•org>
To: Marcel Holtmann <marcel@holtmann•org>,
Johan Hedberg <johan.hedberg@gmail•com>
Cc: Dudu Lu <phx0fer@gmail•com>, Jann Horn <jannh@google•com>,
Linux Kernel Mailing List <linux-kernel@vger•kernel.org>,
Linux Next Mailing List <linux-next@vger•kernel.org>,
Luiz Augusto von Dentz <luiz.von.dentz@intel•com>
Subject: linux-next: manual merge of the bluetooth tree with the origin tree
Date: Mon, 1 Jun 2026 15:48:44 +0100 [thread overview]
Message-ID: <ah2bzMouvFUsFZK8@sirena.org.uk> (raw)
Hi all,
Today's linux-next merge of the bluetooth tree got a conflict in:
net/bluetooth/bnep/core.c
between commits:
59e932ded949f ("Bluetooth: bnep: Fix UAF read of dev->name")
72b8deccff17a ("Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling")
from the origin tree and commits:
feaef2aa27201 ("Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling")
ffeee619a13bf ("Bluetooth: bnep: Fix UAF read of dev->name")
from the bluetooth tree.
I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non-trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging. You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.
diff --combined net/bluetooth/bnep/core.c
index 0de5df690bd0b,5c5f53ff30e8e..0000000000000
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@@ -206,14 -206,11 +206,11 @@@ static int bnep_ctrl_set_mcfilter(struc
return 0;
}
- static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+ static int bnep_rx_control_cmd(struct bnep_session *s, u8 cmd, void *data,
+ int len)
{
- u8 cmd = *(u8 *)data;
int err = 0;
- data++;
- len--;
-
switch (cmd) {
case BNEP_CMD_NOT_UNDERSTOOD:
case BNEP_SETUP_CONN_RSP:
@@@ -254,6 -251,14 +251,14 @@@
return err;
}
+ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+ {
+ if (len < 1)
+ return -EILSEQ;
+
+ return bnep_rx_control_cmd(s, *(u8 *)data, data + 1, len - 1);
+ }
+
static int bnep_rx_extension(struct bnep_session *s, struct sk_buff *skb)
{
struct bnep_ext_hdr *h;
@@@ -299,19 -304,26 +304,26 @@@ static int bnep_rx_frame(struct bnep_se
{
struct net_device *dev = s->dev;
struct sk_buff *nskb;
+ u8 *data;
u8 type, ctrl_type;
dev->stats.rx_bytes += skb->len;
- type = *(u8 *) skb->data;
- skb_pull(skb, 1);
- ctrl_type = *(u8 *)skb->data;
+ data = skb_pull_data(skb, sizeof(type));
+ if (!data)
+ goto badframe;
+ type = *data;
if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
goto badframe;
if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
- if (bnep_rx_control(s, skb->data, skb->len) < 0) {
+ data = skb_pull_data(skb, sizeof(ctrl_type));
+ if (!data)
+ goto badframe;
+ ctrl_type = *data;
+
+ if (bnep_rx_control_cmd(s, ctrl_type, skb->data, skb->len) < 0) {
dev->stats.tx_errors++;
kfree_skb(skb);
return 0;
@@@ -324,24 -336,27 +336,31 @@@
/* Verify and pull ctrl message since it's already processed */
switch (ctrl_type) {
- case BNEP_SETUP_CONN_REQ:
- /* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
- if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
+ case BNEP_SETUP_CONN_REQ: {
+ u8 uuid_size;
+
+ /* Pull uuid_size and the dst/src service UUIDs. */
+ data = skb_pull_data(skb, sizeof(uuid_size));
+ if (!data)
+ goto badframe;
+ uuid_size = *data;
+ if (!skb_pull(skb, uuid_size + uuid_size))
goto badframe;
break;
+ }
case BNEP_FILTER_MULTI_ADDR_SET:
- case BNEP_FILTER_NET_TYPE_SET:
- /* Pull: len (2 b), data (len bytes) */
- data = skb_pull_data(skb, sizeof(u16));
- if (!data)
+ case BNEP_FILTER_NET_TYPE_SET: {
+ u8 *hdr;
+
+ /* Pull ctrl type (1 b) + len (2 b) */
+ hdr = skb_pull_data(skb, 3);
+ if (!hdr)
goto badframe;
- if (!skb_pull(skb, get_unaligned_be16(data)))
+ /* Pull data (len bytes); length is big-endian */
+ if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
goto badframe;
break;
+ }
default:
kfree_skb(skb);
return 0;
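Review bot: In the merged BNEP_FILTER_MULTI_ADDR_SET / BNEP_FILTER_NET_TYPE_SET case the control-type byte is consumed twice: the resolved bnep_rx_frame in the preceding hunk already pulls it with `data = skb_pull_data(skb, sizeof(ctrl_type));` before calling bnep_rx_control_cmd, so `hdr = skb_pull_data(skb, 3);` here advances past the 2-byte length plus one byte of payload, and `get_unaligned_be16(&hdr[1])` then reads the length from the wrong offset (low length byte and first payload byte), so the final skb_pull consumes a bogus count or fails and the frame is dropped. The BNEP_SETUP_CONN_REQ case directly above is consistent with that earlier pull (uuid_size then the two UUIDs, no type byte), which suggests the filter case should be too, as the 2-byte variant on the dropped `-` lines of this hunk was. Suggested lines in place of the 3-byte pull: `/* Pull len (2 b); the ctrl type byte was already pulled above */`, `hdr = skb_pull_data(skb, sizeof(u16));`, `if (!skb_pull(skb, get_unaligned_be16(hdr)))`. This is inferred from the single marker column that survived rendering of the combined diff, so it is worth confirming against both parents before changing the resolution. bnep_rx_frame begins and ends outside this hunk.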