Patch "Bluetooth: ISO: fix timestamped HCI ISO data packet parsing" has been added to the 6.2-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 26 Mar 2023 19:08:38 -0400

This is a note to let you know that I've just added the patch titled

    Bluetooth: ISO: fix timestamped HCI ISO data packet parsing

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-iso-fix-timestamped-hci-iso-data-packet-pa.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0357522bad9edfd7d76f081f6ed40f1af126598e
Author: Pauli Virtanen <pav@xxxxxx>
Date:   Mon Feb 20 19:38:24 2023 +0000

    Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
    
    [ Upstream commit 2f10e40a948e8a2abe7f983df3959a333ca8955f ]
    
    Use correct HCI ISO data packet header struct when the packet has
    timestamp. The timestamp, when present, goes before the other fields
    (Core v5.3 4E 5.4.5), so the structs are not compatible.
    
    Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
    Signed-off-by: Pauli Virtanen <pav@xxxxxx>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 24444b502e586..8d136a7301630 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1620,7 +1620,6 @@ static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
 void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 {
 	struct iso_conn *conn = hcon->iso_data;
-	struct hci_iso_data_hdr *hdr;
 	__u16 pb, ts, len;
 
 	if (!conn)
@@ -1642,6 +1641,8 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 		}
 
 		if (ts) {
+			struct hci_iso_ts_data_hdr *hdr;
+
 			/* TODO: add timestamp to the packet? */
 			hdr = skb_pull_data(skb, HCI_ISO_TS_DATA_HDR_SIZE);
 			if (!hdr) {
@@ -1649,15 +1650,19 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 				goto drop;
 			}
 
+			len = __le16_to_cpu(hdr->slen);
 		} else {
+			struct hci_iso_data_hdr *hdr;
+
 			hdr = skb_pull_data(skb, HCI_ISO_DATA_HDR_SIZE);
 			if (!hdr) {
 				BT_ERR("Frame is too short (len %d)", skb->len);
 				goto drop;
 			}
+
+			len = __le16_to_cpu(hdr->slen);
 		}
 
-		len    = __le16_to_cpu(hdr->slen);
 		flags  = hci_iso_data_flags(len);
 		len    = hci_iso_data_len(len);
 






