From: Yury Norov
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Guo Ren, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-csky@vger.kernel.org
Cc: Yury Norov, Sudip Mukherjee, Alexander Gordeev, Andy Shevchenko, Christian Borntraeger, Claudio Imbrenda, David Hildenbrand, Heiko Carstens, Janosch Frank, Rasmus Villemoes, Sven Schnelle, Vasily Gorbik, torvalds@linux-foundation.org
Subject: [PATCH] net/bluetooth: fix erroneous use of bitmap_from_u64()
Date: Sun, 5 Jun 2022 09:25:37 -0700
Message-Id: <20220605162537.1604762-1-yury.norov@gmail.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

The commit 0a97953fd221 ("lib: add bitmap_{from,to}_arr64") changed the
implementation of bitmap_from_u64(), so that it doesn't typecast the
argument to u64, and actually dereferences memory. With that change, the
compiler spotted a few places in the bluetooth code where bitmap_from_u64
is called for a 32-bit variable.

As reported by Sudip Mukherjee:

"arm allmodconfig" fails with the error:

In file included from ./include/linux/string.h:253,
                 from ./include/linux/bitmap.h:11,
                 from ./include/linux/cpumask.h:12,
                 from ./include/linux/smp.h:13,
                 from ./include/linux/lockdep.h:14,
                 from ./include/linux/mutex.h:17,
                 from ./include/linux/rfkill.h:35,
                 from net/bluetooth/hci_core.c:29:
In function 'fortify_memcpy_chk',
    inlined from 'bitmap_copy' at ./include/linux/bitmap.h:254:2,
    inlined from 'bitmap_copy_clear_tail' at ./include/linux/bitmap.h:263:2,
    inlined from 'bitmap_from_u64' at ./include/linux/bitmap.h:540:2,
    inlined from 'hci_bdaddr_list_add_with_flags' at net/bluetooth/hci_core.c:2156:2:
./include/linux/fortify-string.h:344:25: error: call to '__write_overflow_field' declared with attribute warning:
+detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
  344 |                         __write_overflow_field(p_size_field, size);

And, "csky allmodconfig" fails with the error:

In file included from ./include/linux/cpumask.h:12,
                 from ./include/linux/mm_types_task.h:14,
                 from ./include/linux/mm_types.h:5,
                 from ./include/linux/buildid.h:5,
                 from ./include/linux/module.h:14,
                 from net/bluetooth/mgmt.c:27:
In function 'bitmap_copy',
    inlined from 'bitmap_copy_clear_tail' at ./include/linux/bitmap.h:263:2,
    inlined from 'bitmap_from_u64' at ./include/linux/bitmap.h:540:2,
    inlined from 'set_device_flags' at net/bluetooth/mgmt.c:4534:4:
./include/linux/bitmap.h:254:9: error: 'memcpy' forming offset [4, 7] is out of the bounds [0, 4] of object 'flags'
+with type 'long unsigned int[1]' [-Werror=array-bounds]
  254 |         memcpy(dst, src, len);
      |         ^~~~~~~~~~~~~~~~~~~~~
In file included from ./include/linux/kasan-checks.h:5, from ./include/asm-generic/rwonce.h:26, from ./arch/csky/include/generated/asm/rwonce.h:1, from ./include/linux/compiler.h:248, from ./include/linux/build_bug.h:5, from ./include/linux/container_of.h:5, from ./include/linux/list.h:5, from
./include/linux/module.h:12, from net/bluetooth/mgmt.c:27: net/bluetooth/mgmt.c: In function 'set_device_flags': net/bluetooth/mgmt.c:4532:40: note: 'flags' declared here 4532 | DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS); | ^~~~~ ./include/linux/types.h:11:23: note: in definition of macro 'DECLARE_BITMAP' 11 | unsigned long name[BITS_TO_LONGS(bits)] Fix it by replacing bitmap_from_u64 with bitmap_from_arr32. Reported-by: Sudip Mukherjee Signed-off-by: Yury Norov --- net/bluetooth/hci_core.c | 2 +- net/bluetooth/mgmt.c | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 5abb2ca5b129..2de7e1ec4035 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2153,7 +2153,7 @@ int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr, bacpy(&entry->bdaddr, bdaddr); entry->bdaddr_type = type; - bitmap_from_u64(entry->flags, flags); + bitmap_from_arr32(entry->flags, &flags, 32); list_add(&entry->list, list); diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 74937a834648..b63025c70c2c 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -4519,7 +4519,8 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, cp->addr.type); if (br_params) { - bitmap_from_u64(br_params->flags, current_flags); + bitmap_from_arr32(br_params->flags, ¤t_flags, + __HCI_CONN_NUM_FLAGS); status = MGMT_STATUS_SUCCESS; } else { bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)", @@ -4531,7 +4532,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, if (params) { DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS); - bitmap_from_u64(flags, current_flags); + bitmap_from_arr32(flags, ¤t_flags, __HCI_CONN_NUM_FLAGS); /* Devices using RPAs can only be programmed in the * acceptlist LL Privacy has been enable otherwise they 
@@ -4546,7 +4547,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, goto unlock; } - bitmap_from_u64(params->flags, current_flags); + bitmap_from_arr32(params->flags, ¤t_flags, __HCI_CONN_NUM_FLAGS); status = MGMT_STATUS_SUCCESS; /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY -- 2.32.0
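
Review bot: in hci_bdaddr_list_add_with_flags() (net/bluetooth/hci_core.c) the new call passes a literal 32 as the bit count, while all three calls in mgmt.c pass __HCI_CONN_NUM_FLAGS. If entry->flags is declared with the same width as the DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS) visible in set_device_flags(), use the constant here as well so the copy is sized by the destination bitmap rather than by a magic number; if 32 is intentional, a one-line comment saying why would help the next reader.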
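
Review bot: the three calls in set_device_flags() (net/bluetooth/mgmt.c) read __HCI_CONN_NUM_FLAGS bits starting at the address of a single variable that the commit message describes as 32-bit, so they are only correct while __HCI_CONN_NUM_FLAGS <= 32, and nothing in these hunks enforces that. Consider a BUILD_BUG_ON(__HCI_CONN_NUM_FLAGS > 32) next to one of the calls so that growing the flag set later fails at build time instead of reading past the source variable.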
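
The size mismatch discussed in this message, as an added userspace illustration; it is not the kernel's bitmap_from_arr32() implementation and not part of the posted patch. NUM_FLAGS and every function name below are constructed stand-ins.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LONG_BITS (sizeof(unsigned long) * CHAR_BIT)
#define LONGS_FOR(nbits) (((nbits) + LONG_BITS - 1) / LONG_BITS)
#define NUM_FLAGS 2 /* constructed stand-in for __HCI_CONN_NUM_FLAGS */

/* How many u32 words a copy of nbits bits reads from its source. */
static size_t src_words_needed(size_t nbits)
{
    return (nbits + 31) / 32;
}

/* Bytes an 8-byte (u64-sized) copy touches beyond an object of obj_size bytes. */
static size_t u64_copy_overrun(size_t obj_size)
{
    return obj_size < sizeof(uint64_t) ? sizeof(uint64_t) - obj_size : 0;
}

/* Model: copy nbits bits from a u32 array into an unsigned long bitmap,
 * leaving every bit at position >= nbits in the touched longs cleared. */
static void model_from_arr32(unsigned long *dst, const uint32_t *src, size_t nbits)
{
    memset(dst, 0, LONGS_FOR(nbits) * sizeof(*dst));
    for (size_t bit = 0; bit < nbits; bit++)
        if (src[bit / 32] & (UINT32_C(1) << (bit % 32)))
            dst[bit / LONG_BITS] |= 1UL << (bit % LONG_BITS);
}

/* Convert one 32-bit flags word (nbits <= 32) and return the first bitmap long. */
static unsigned long flags_to_bitmap(uint32_t flags, size_t nbits)
{
    unsigned long bitmap[1] = { 0 };
    model_from_arr32(bitmap, &flags, nbits);
    return bitmap[0];
}

int main(void)
{
    printf("overrun with 4-byte object: %zu bytes\n", u64_copy_overrun(sizeof(uint32_t)));
    printf("flags 0xffffffff, %d bits -> %#lx\n", NUM_FLAGS, flags_to_bitmap(0xffffffffu, NUM_FLAGS));
    printf("u32 words read for 33 bits: %zu\n", src_words_needed(33));
    return 0;
}
```

The 4-byte overrun corresponds to the "offset [4, 7] is out of the bounds [0, 4]" diagnostic quoted above, and the 33-bit case shows why a bit count above 32 would need more than one u32 of source.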