INFO: task hung in hci_req_sync

On 8/16/21 6:56 PM, Marcel Holtmann wrote: > Hi Pavel, > [snip] > I agree. Feel free to send a patch. > Thank you, Marcel! I will send a patch if it will pass syzbot testing. I believe, 60 seconds will be more than enough for inquiry request. I've searched for examples on the internet and maximum ir.length I found was 8. Maybe, we have users, which need more than 60 seconds, idk... #syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master With regards, Pavel Skripkin From c868a2f2533bb05873fedcde6bc4ca174f8908ea Mon Sep 17 00:00:00 2001 From: Pavel Skripkin <paskripkin@gmail.com> Date: Mon, 16 Aug 2021 22:52:29 +0300 Subject: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry /* ... */ Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
0day-ci · Aug 16, 2021 · cb175bf2ea0de6152c66ce30cd1d3d665fda338b · cb175bf
1 parent 995fca1
commit cb175bf2ea0de6152c66ce30cd1d3d665fda338b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/include/net/bluetooth/hci_sock.h b/include/net/bluetooth/hci_sock.h
@@ -168,6 +168,7 @@ struct hci_inquiry_req {
 	__u16 dev_id;
 	__u16 flags;
 	__u8  lap[3];
+#define HCI_INQUIRY_MAX_TIMEOUT		30
 	__u8  length;
 	__u8  num_rsp;
 };

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
@@ -1343,6 +1343,11 @@ int hci_inquiry(void __user *arg)
 		goto done;
 	}
 
+	if (ir.length > HCI_MAX_TIMEOUT) {
+		err = -EINVAL;
+		goto done;
+	}
+
 	hci_dev_lock(hdev);
 	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
 	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {