From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Matias Karhumaa <matias.karhumaa@gmail.com>,
Matti Kamunen <matti.kamunen@synopsys.com>,
Ari Timonen <ari.timonen@synopsys.com>,
Marcel Holtmann <marcel@holtmann.org>,
Sasha Levin <sashal@kernel.org>,
linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 52/53] Bluetooth: Check state in l2cap_disconnect_rsp
Date: Mon, 15 Jul 2019 10:45:34 -0400
Message-ID: <20190715144535.11636-52-sashal@kernel.org>
In-Reply-To: <20190715144535.11636-1-sashal@kernel.org>
From: Matias Karhumaa <matias.karhumaa@gmail.com>
[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ]
Because both sides were doing L2CAP disconnection at the same time, it
was possible to receive an L2CAP Disconnection Response with a CID that was
already freed. That caused problems if the CID was already reused and an L2CAP
Connection Request with the same CID had been sent out. Before this patch the kernel
deleted the channel context regardless of the state of the channel.
Example where a leftover Disconnection Response (frame #402) causes the local
device to delete an L2CAP channel which was not yet connected. This in
turn confuses the remote device's stack because the same CID is re-used without
properly disconnecting.
Btmon capture before patch:
** snip **
> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949
Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
RFCOMM: Disconnect (DISC) (0x43)
Address: 0x03 cr 1 dlci 0x00
Control: 0x53 poll/final 1
Length: 0
FCS: 0xfd
< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062
Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
RFCOMM: Unnumbered Ack (UA) (0x63)
Address: 0x03 cr 1 dlci 0x00
Control: 0x73 poll/final 1
Length: 0
FCS: 0xd7
< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073
L2CAP: Disconnection Request (0x06) ident 17 len 4
Destination CID: 65
Source CID: 65
> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391
Num handles: 1
Handle: 43
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394
Num handles: 1
Handle: 43
Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499
L2CAP: Disconnection Request (0x06) ident 26 len 4
Destination CID: 65
Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548
L2CAP: Disconnection Response (0x07) ident 26 len 4
Destination CID: 65
Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459
L2CAP: Connection Request (0x02) ident 18 len 4
PSM: 1 (0x0001)
Source CID: 65
> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148
L2CAP: Disconnection Response (0x07) ident 17 len 4
Destination CID: 65
Source CID: 65
= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447
> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386
Num handles: 1
Handle: 43
Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397
L2CAP: Connection Request (0x02) ident 27 len 4
PSM: 3 (0x0003)
Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441
L2CAP: Connection Response (0x03) ident 27 len 8
Destination CID: 65
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449
L2CAP: Configure Request (0x04) ident 19 len 19
Destination CID: 65
Flags: 0x0000
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 1013
Option: Retransmission and Flow Control (0x04) [mandatory]
Mode: Basic (0x00)
TX window size: 0
Max transmit: 0
Retransmission timeout: 0
Monitor timeout: 0
Maximum PDU size: 0
> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399
Num handles: 1
Handle: 43
Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942
L2CAP: Connection Response (0x03) ident 18 len 8
Destination CID: 66
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
*snip*
Similar case after the patch:
*snip*
> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056
Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
RFCOMM: Disconnect (DISC) (0x43)
Address: 0x03 cr 1 dlci 0x00
Control: 0x53 poll/final 1
Length: 0
FCS: 0xfd
< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136
Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
RFCOMM: Unnumbered Ack (UA) (0x63)
Address: 0x03 cr 1 dlci 0x00
Control: 0x73 poll/final 1
Length: 0
FCS: 0xd7
< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143
L2CAP: Disconnection Request (0x06) ident 11 len 4
Destination CID: 65
Source CID: 65
> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009
Num handles: 1
Handle: 43
Count: 1
> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007
Num handles: 1
Handle: 43
Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674
L2CAP: Disconnection Request (0x06) ident 17 len 4
Destination CID: 65
Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762
L2CAP: Disconnection Response (0x07) ident 17 len 4
Destination CID: 65
Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073
L2CAP: Connection Request (0x02) ident 12 len 4
PSM: 1 (0x0001)
Source CID: 65
> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371
L2CAP: Disconnection Response (0x07) ident 11 len 4
Destination CID: 65
Source CID: 65
> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082
Num handles: 1
Handle: 43
Count: 1
> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22712 [hci0] 1664.425040
Num handles: 1
Handle: 43
Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103
L2CAP: Connection Request (0x02) ident 18 len 4
PSM: 3 (0x0003)
Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186
L2CAP: Connection Response (0x03) ident 18 len 8
Destination CID: 66
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196
L2CAP: Configure Request (0x04) ident 13 len 19
Destination CID: 65
Flags: 0x0000
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 1013
Option: Retransmission and Flow Control (0x04) [mandatory]
Mode: Basic (0x00)
TX window size: 0
Max transmit: 0
Retransmission timeout: 0
Monitor timeout: 0
Maximum PDU size: 0
> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804
L2CAP: Connection Response (0x03) ident 12 len 8
Destination CID: 66
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
*snip*
The fix is to check that the channel is in state BT_DISCONN before deleting the
channel.
This bug was found while fuzzing BlueZ's OBEX implementation using
Synopsys Defensics.
Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
Reported-by: Ari Timonen <ari.timonen@synopsys.com>
Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 46afd560f242..c25f1e4846cd 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4363,6 +4363,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
l2cap_chan_lock(chan);
+ if (chan->state != BT_DISCONN) {
+ l2cap_chan_unlock(chan);
+ mutex_unlock(&conn->chan_lock);
+ return 0;
+ }
+
l2cap_chan_hold(chan);
l2cap_chan_del(chan, 0);
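Review bot: the new early return discards a Disconnection Response for a channel that is not in BT_DISCONN without leaving any trace, so the stale-response case shown in the capture (frame #402) would be invisible when debugging; consider adding a BT_DBG line with the CID and chan->state before `return 0;` so the dropped frame can be correlated with a btmon trace. The locking in the block is consistent with the surrounding lines: the state is read after `l2cap_chan_lock(chan);`, and both the channel lock and conn->chan_lock are released before returning, while the existing hold/del path below is left unchanged for the BT_DISCONN case.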
--
2.20.1
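Added example, not part of the patch or of the kernel sources: a constructed model of the L2CAP channel table and of the Disconnection Response handler, replaying frames #396 to #402 of the capture above with the pre-patch and the patched logic. The names chan_by_scid, send_connect_req, recv_disconnect_rsp and replay_capture, and the four-slot table starting at CID 65, are assumptions of the model.

```c
#include <stdbool.h>
/* States named after the kernel's BT_* constants; CH_FREE marks an unused slot (model only). */
enum chan_state { CH_FREE = 0, BT_CONNECT, BT_DISCONN };
struct l2cap_chan { unsigned scid; enum chan_state state; };
struct l2cap_conn { struct l2cap_chan chans[4]; };	/* constructed model: CIDs 65..68 */

static struct l2cap_chan *chan_by_scid(struct l2cap_conn *conn, unsigned scid)
{
	for (int i = 0; i < 4; i++)
		if (conn->chans[i].state != CH_FREE && conn->chans[i].scid == scid)
			return &conn->chans[i];
	return 0;
}

/* Connection Request sent: take the lowest free slot, so a just-freed CID is reused at once. */
static struct l2cap_chan *send_connect_req(struct l2cap_conn *conn)
{
	for (int i = 0; i < 4; i++)
		if (conn->chans[i].state == CH_FREE) {
			conn->chans[i].scid = 65 + i;
			conn->chans[i].state = BT_CONNECT;
			return &conn->chans[i];
		}
	return 0;
}

/* Disconnection Response handler; check_state = false is the pre-patch logic, true is the patched one. */
static int recv_disconnect_rsp(struct l2cap_conn *conn, unsigned scid, bool check_state)
{
	struct l2cap_chan *chan = chan_by_scid(conn, scid);
	if (!chan)
		return 0;	/* no channel with this CID: response ignored */
	if (check_state && chan->state != BT_DISCONN)
		return 0;	/* the fix: this CID is not waiting for a Disconnection Response */
	chan->state = CH_FREE;	/* l2cap_chan_del(): the channel context is gone */
	return 1;
}

/* Replay frames #396-#402; returns the state of the channel created at frame #401. */
static enum chan_state replay_capture(bool patched)
{
	struct l2cap_conn conn = { { { 0 } } };
	struct l2cap_chan *rfcomm = send_connect_req(&conn);	/* existing RFCOMM channel (PSM 3), CID 65 */
	rfcomm->state = BT_DISCONN;	/* #396: local Disconnection Request sent, ident 17 */
	rfcomm->state = CH_FREE;	/* #399/#400: remote Disconnection Request answered, channel deleted */
	struct l2cap_chan *sdp = send_connect_req(&conn);	/* #401: new Connection Request (PSM 1) reuses CID 65 */
	recv_disconnect_rsp(&conn, 65, patched);	/* #402: stale Disconnection Response for ident 17 */
	return sdp->state;	/* CH_FREE before the patch (channel wrongly deleted), BT_CONNECT after */
}
```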