From: Coiby Xu <coiby.xu@gmail.com>
To: linux-bluetooth@vger.kernel.org
Cc: linux-kernel-mentees@lists.linuxfoundation.org, gregkh@linuxfoundation.org, syzkaller-bugs@googlegroups.com, syzbot+dd768a260f7358adbaf9@syzkaller.appspotmail.com, Marcel Holtmann <marcel@holtmann.org>, Johan Hedberg <johan.hedberg@gmail.com>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] Bluetooth: fix "list_add double add" in hci_conn_complete_evt
Date: Sun, 23 Aug 2020 09:00:22 +0800
Message-ID: <20200823010022.938532-1-coiby.xu@gmail.com>
In-Reply-To: <000000000000c57f2d05ac4c5b8e@google.com>

When two HCI_EV_CONN_COMPLETE event packets with status=0 of the same HCI connection are received, device_add would be called twice, which leads to kobject_add being called twice. Thus a duplicate (struct hci_conn *conn)->dev.kobj.entry would be inserted into (struct hci_conn *conn)->dev.kobj.kset->list.

This issue can be fixed by checking (struct hci_conn *conn)->debugfs. If it's not NULL, it means the HCI connection has been completed and we won't duplicate the work done when processing the first HCI_EV_CONN_COMPLETE event.

Reported-and-tested-by: syzbot+dd768a260f7358adbaf9@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=dd768a260f7358adbaf9
Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..1233739ce760 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2605,6 +2605,11 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) } if (!ev->status) { + if (conn->debugfs) { + bt_dev_err(hdev, "The connection has been completed"); + goto unlock; + } + conn->handle = __le16_to_cpu(ev->handle); if (conn->type == ACL_LINK) { -- 2.28.0
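Review bot: the new guard at the top of the `if (!ev->status)` block keys on `conn->debugfs`, which is a side effect of creating the connection's debugfs directory rather than a record of connection state, so on a kernel where debugfs is disabled or the directory was never created the field stays NULL and a second HCI_EV_CONN_COMPLETE still runs the whole completion path, including the second device_add the commit message describes. Test the state the function itself maintains instead (for example, bail out when `conn->state` already shows the completion was processed), which also expresses the intent without the reader having to know the debugfs lifecycle. The `bt_dev_err(hdev, "The connection has been completed");` message reads as a status report rather than an error; something like "ignoring duplicate connection complete event" says what is happening, and since a peer controller can trigger this path repeatedly a debug-level or rate-limited message would avoid flooding the log. If the debugfs check is kept, the commit message should state why its presence is a reliable proxy for completion.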