releases/4.19.152/bluetooth-l2cap-fix-calling-sk_filter-on-non-socket-based-channel.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From f19425641cb2572a33cb074d5e30283720bd4d22 Mon Sep 17 00:00:00 2001
 From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 Date: Thu, 6 Aug 2020 11:17:12 -0700
 Subject: Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

 From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

 commit f19425641cb2572a33cb074d5e30283720bd4d22 upstream.

 Only sockets will have the chan->data set to an actual sk, channels
 like A2MP would have its own data which would likely cause a crash when
 calling sk_filter, in order to fix this a new callback has been
 introduced so channels can implement their own filtering if necessary.

 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  include/net/bluetooth/l2cap.h |    2 ++
  net/bluetooth/l2cap_core.c    |    7 ++++---
  net/bluetooth/l2cap_sock.c    |   14 ++++++++++++++
  3 files changed, 20 insertions(+), 3 deletions(-)

 --- a/include/net/bluetooth/l2cap.h
 +++ b/include/net/bluetooth/l2cap.h
 @@ -619,6 +619,8 @@ struct l2cap_ops {
  	struct sk_buff		*(*alloc_skb) (struct l2cap_chan *chan,
  					       unsigned long hdr_len,
  					       unsigned long len, int nb);
 +	int			(*filter) (struct l2cap_chan * chan,
 +					   struct sk_buff *skb);
  };

  struct l2cap_conn {
 --- a/net/bluetooth/l2cap_core.c
 +++ b/net/bluetooth/l2cap_core.c
 @@ -6683,9 +6683,10 @@ static int l2cap_data_rcv(struct l2cap_c
  		goto drop;
  	}

 -	if ((chan->mode == L2CAP_MODE_ERTM ||
 -	     chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
 -		goto drop;
 +	if (chan->ops->filter) {
 +		if (chan->ops->filter(chan, skb))
 +			goto drop;
 +	}

  	if (!control->sframe) {
  		int err;
 --- a/net/bluetooth/l2cap_sock.c
 +++ b/net/bluetooth/l2cap_sock.c
 @@ -1476,6 +1476,19 @@ static void l2cap_sock_suspend_cb(struct
  	sk->sk_state_change(sk);
  }

 +static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
 +{
 +	struct sock *sk = chan->data;
 +
 +	switch (chan->mode) {
 +	case L2CAP_MODE_ERTM:
 +	case L2CAP_MODE_STREAMING:
 +		return sk_filter(sk, skb);
 +	}
 +
 +	return 0;
 +}
 +
  static const struct l2cap_ops l2cap_chan_ops = {
  	.name			= "L2CAP Socket Interface",
  	.new_connection		= l2cap_sock_new_connection_cb,
 @@ -1490,6 +1503,7 @@ static const struct l2cap_ops l2cap_chan
  	.set_shutdown		= l2cap_sock_set_shutdown_cb,
  	.get_sndtimeo		= l2cap_sock_get_sndtimeo_cb,
  	.alloc_skb		= l2cap_sock_alloc_skb_cb,
 +	.filter			= l2cap_sock_filter,
  };

  static void l2cap_sock_destruct(struct sock *sk)
	From f19425641cb2572a33cb074d5e30283720bd4d22 Mon Sep 17 00:00:00 2001
	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Date: Thu, 6 Aug 2020 11:17:12 -0700
	Subject: Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

	From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

	commit f19425641cb2572a33cb074d5e30283720bd4d22 upstream.

	Only sockets will have the chan->data set to an actual sk, channels
	like A2MP would have its own data which would likely cause a crash when
	calling sk_filter, in order to fix this a new callback has been
	introduced so channels can implement their own filtering if necessary.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	include/net/bluetooth/l2cap.h \| 2 ++
	net/bluetooth/l2cap_core.c \| 7 ++++---
	net/bluetooth/l2cap_sock.c \| 14 ++++++++++++++
	3 files changed, 20 insertions(+), 3 deletions(-)

	--- a/include/net/bluetooth/l2cap.h
	+++ b/include/net/bluetooth/l2cap.h
	@@ -619,6 +619,8 @@ struct l2cap_ops {
	struct sk_buff (alloc_skb) (struct l2cap_chan *chan,
	unsigned long hdr_len,
	unsigned long len, int nb);
	+ int (filter) (struct l2cap_chan chan,
	+ struct sk_buff *skb);
	};

	struct l2cap_conn {
	--- a/net/bluetooth/l2cap_core.c
	+++ b/net/bluetooth/l2cap_core.c
	@@ -6683,9 +6683,10 @@ static int l2cap_data_rcv(struct l2cap_c
	goto drop;
	}

	- if ((chan->mode == L2CAP_MODE_ERTM \|\|
	- chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
	- goto drop;
	+ if (chan->ops->filter) {
	+ if (chan->ops->filter(chan, skb))
	+ goto drop;
	+ }

	if (!control->sframe) {
	int err;
	--- a/net/bluetooth/l2cap_sock.c
	+++ b/net/bluetooth/l2cap_sock.c
	@@ -1476,6 +1476,19 @@ static void l2cap_sock_suspend_cb(struct
	sk->sk_state_change(sk);
	}

	+static int l2cap_sock_filter(struct l2cap_chan chan, struct sk_buff skb)
	+{
	+ struct sock *sk = chan->data;
	+
	+ switch (chan->mode) {
	+ case L2CAP_MODE_ERTM:
	+ case L2CAP_MODE_STREAMING:
	+ return sk_filter(sk, skb);
	+ }
	+
	+ return 0;
	+}
	+
	static const struct l2cap_ops l2cap_chan_ops = {
	.name = "L2CAP Socket Interface",
	.new_connection = l2cap_sock_new_connection_cb,
	@@ -1490,6 +1503,7 @@ static const struct l2cap_ops l2cap_chan
	.set_shutdown = l2cap_sock_set_shutdown_cb,
	.get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
	.alloc_skb = l2cap_sock_alloc_skb_cb,
	+ .filter = l2cap_sock_filter,
	};

	static void l2cap_sock_destruct(struct sock *sk)