From: Greg Kroah-Hartman Date: Wed, 17 Jun 2026 04:17:44 +0000 (+0530) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8ec628953afb03fa365536720feff8a230f4cb24;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bluetooth-mgmt-fix-backward-compatibility-with-userspace.patch --- diff --git a/queue-5.15/bluetooth-mgmt-fix-backward-compatibility-with-userspace.patch b/queue-5.15/bluetooth-mgmt-fix-backward-compatibility-with-userspace.patch new file mode 100644 index 0000000000..01992a60b5 --- /dev/null +++ b/queue-5.15/bluetooth-mgmt-fix-backward-compatibility-with-userspace.patch @@ -0,0 +1,38 @@ +From 149324fc762c2a7acef9c26790566f81f475e51f Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 2 Jun 2026 16:48:34 -0400 +Subject: Bluetooth: MGMT: Fix backward compatibility with userspace + +From: Luiz Augusto von Dentz + +commit 149324fc762c2a7acef9c26790566f81f475e51f upstream. + +bluetoothd has a bug with makes it send extra bytes as part of +MGMT_OP_ADD_EXT_ADV_DATA which are now being checked to be the +exact the expected length, relax this so only when the expected +length is greater than the data length to cause an error since +that would result in accessing invalid memory, otherwise just +ignore the extra bytes. + +Link: https://lore.kernel.org/linux-bluetooth/20260602204749.210857-1-luiz.dentz@gmail.com/T/#u +Fixes: d3f7d17960ed ("Bluetooth: MGMT: validate Add Extended Advertising Data length") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -8088,8 +8088,9 @@ static int add_ext_adv_data(struct sock + + BT_DBG("%s", hdev->name); + +- expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len); +- if (expected_len != data_len) ++ expected_len = struct_size(cp, data, cp->adv_data_len + ++ cp->scan_rsp_len); ++ if (expected_len > data_len) + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA, + MGMT_STATUS_INVALID_PARAMS); + diff --git a/queue-5.15/series b/queue-5.15/series index a1bb8aa261..012482f817 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -407,3 +407,4 @@ crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch media-rc-ttusbir-fix-inverted-error-logic.patch batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch media-rc-igorplugusb-fix-control-request-setup-packet.patch +bluetooth-mgmt-fix-backward-compatibility-with-userspace.patch