[PW_SID:1076292] [v2] Bluetooth: btintel_pcie: validate RX packet length against buffer size

[BluezTestBot]

btintel_pcie_submit_rx_work() reads packet_len from an rfh_hdr in
DMA-coherent memory and uses it as the length for skb_put_data() without
upper bound validation. Since packet_len is a 16-bit field (0-65535) but
each RX DMA buffer is only BTINTEL_PCIE_BUFFER_SIZE (4096) bytes, a
malicious or malfunctioning firmware could set a large packet_len,
causing an out-of-bounds read beyond the buffer into adjacent kernel
heap memory.

Add a check that packet_len does not exceed the available payload space
alongside the existing zero-length check.

Fixes: c2b636b ("Bluetooth: btintel_pcie: Add support for PCIe transport")
Reported-by: Yuhao Jiang danisjiang@gmail.com
Cc: stable@vger.kernel.org
Cc: Paul Menzel pmenzel@molgen.mpg.de
Signed-off-by: Junrui Luo moonafterrain@outlook.com

Changes in v2:

• Add bt_dev_warn() to log error suggested by Paul Menzel
• Link to v1: https://lore.kernel.org/all/SYBPR01MB7881DD95CE054BC53AED4A21AF41A@SYBPR01MB7881.ausprd01.prod.outlook.com/

---

drivers/bluetooth/btintel_pcie.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

---

base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260402-fixes-979e727e99f1

Best regards,

[github-actions]

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.33 seconds
Result: PENDING

[github-actions]

GitLint
Desc: Run gitlint
Duration: 0.29 seconds
Result: PENDING

[github-actions]

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.12 seconds
Result: PASS

[github-actions]

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 26.66 seconds
Result: PASS

[github-actions]

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 28.85 seconds
Result: PASS

[github-actions]

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 27.81 seconds
Result: PASS

[github-actions]

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.22 seconds
Result: PASS

[github-actions]

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 569.08 seconds
Result: PASS

[github-actions]

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 27.95 seconds
Result: PASS

[github-actions]

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 41.82 seconds
Result: PASS

[github-actions]

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.37 seconds
Result: PASS

[github-actions]

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 114.20 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.104 seconds

[github-actions]

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.57 seconds
Result: PASS

[github-actions]

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.52 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

[github-actions]

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.34 seconds
Result: PASS

[github-actions]

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 11.56 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.834 seconds
Mesh - Send cancel - 2                               Timed out    1.995 seconds

[github-actions]

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.62 seconds
Result: PASS

[github-actions]

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.71 seconds
Result: PASS

[github-actions]

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.72 seconds
Result: PENDING