Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Wed, 20 Aug 2025 21:04:00 +0000 (17:04 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Sep 2025 12:05:54 +0000 (14:05 +0200)
[ Upstream commit 15bf2c6391bafb14a3020d06ec0761bce0803463 ]

This attempts to detect if HCI_EV_NUM_COMP_PKTS contains an unbalanced
(more than currently considered outstanding) number of packets; otherwise
it could cause hcon->sent to underflow and wrap around, breaking the
tracking of the outstanding packets pending acknowledgment.

Fixes: f42809185896 ("Bluetooth: Simplify num_comp_pkts_evt function")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/bluetooth/hci_event.c

index 33b025a52b83ac25801d23ae3fcbfa2fabdd8e5a..4e8911501255d25a43ee2c1707d719b3dd2373cc 100644 (file)
@@ -3681,7 +3681,17 @@ static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
                if (!conn)
                        continue;
 
-               conn->sent -= count;
+               /* Check if there is really enough packets outstanding before
+                * attempting to decrease the sent counter otherwise it could
+                * underflow..
+                */
+               if (conn->sent >= count) {
+                       conn->sent -= count;
+               } else {
+                       bt_dev_warn(hdev, "hcon %p sent %u < count %u",
+                                   conn, conn->sent, count);
+                       conn->sent = 0;
+               }
 
                switch (conn->type) {
                case ACL_LINK:
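Review bot: The `bt_dev_warn()` on the new else branch is not rate-limited, and it fires every time an event entry reports more completed packets than `conn->sent`, so a faulty or emulated controller that keeps sending unbalanced counts could flood the kernel log. Using `bt_dev_warn_ratelimited(hdev, "hcon %p sent %u < count %u", conn, conn->sent, count);` would keep the diagnostic while bounding its volume. Separately, only `conn->sent` is clamped here; `count` keeps the reported value and is presumably still used by the `switch (conn->type)` that begins at the end of the hunk to credit the per-type buffer counters. It is worth confirming those counters are capped there, or assigning `count = conn->sent;` before `conn->sent = 0;` so the credit matches what was actually outstanding. The enclosing loop and the rest of hci_num_comp_pkts_evt lie outside the hunk.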