* [PATCH 4.14/4.19/5.4/5.10/5.15 0/1] Bluetooth: hci_sock: purge socket queues in the destruct() callback
@ 2023-03-09 18:12 Fedor Pchelkin
  2023-03-09 18:12 ` [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] " Fedor Pchelkin
  0 siblings, 1 reply; 4+ messages in thread
From: Fedor Pchelkin @ 2023-03-09 18:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: Fedor Pchelkin, Marcel Holtmann, Nguyen Dinh Phi,
	linux-bluetooth, netdev, linux-kernel, Alexey Khoroshilov,
	lvc-project

Syzkaller reports a memory leak in mgmt_cmd_complete(). The issue can be
triggered on 4.14/4.19/5.4/5.10/5.15 stable branches. The following fixing
patch can be cleanly applied to them.


* [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] Bluetooth: hci_sock: purge socket queues in the destruct() callback
  2023-03-09 18:12 [PATCH 4.14/4.19/5.4/5.10/5.15 0/1] Bluetooth: hci_sock: purge socket queues in the destruct() callback Fedor Pchelkin
@ 2023-03-09 18:12 ` Fedor Pchelkin
  2023-03-09 18:42   ` bluez.test.bot
  2023-03-10 11:50   ` [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] " Greg Kroah-Hartman
  0 siblings, 2 replies; 4+ messages in thread
From: Fedor Pchelkin @ 2023-03-09 18:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: Fedor Pchelkin, Marcel Holtmann, Nguyen Dinh Phi,
	linux-bluetooth, netdev, linux-kernel, Alexey Khoroshilov,
	lvc-project, syzbot+4c4ffd1e1094dae61035

From: Nguyen Dinh Phi <phind.uet@gmail.com>

commit 709fca500067524381e28a5f481882930eebac88 upstream.

The receive path may take the socket right before hci_sock_release(),
but it may enqueue the packets to the socket queues after the call to
skb_queue_purge(), therefore the socket can be destroyed without clearing
its queues completely.

Moving these skb_queue_purge() calls to hci_sock_destruct() will fix this
issue, because nothing is referencing the socket at this point.

Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
 net/bluetooth/hci_sock.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index f1128c2134f0..3f92a21cabe8 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -888,10 +888,6 @@ static int hci_sock_release(struct socket *sock)
 	}
 
 	sock_orphan(sk);
-
-	skb_queue_purge(&sk->sk_receive_queue);
-	skb_queue_purge(&sk->sk_write_queue);
-
 	release_sock(sk);
 	sock_put(sk);
 	return 0;
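Review bot: with the two skb_queue_purge() calls removed, hci_sock_release() now drops the owner's reference via sock_put() while skbs may still sit on sk_receive_queue and sk_write_queue, and nothing at this site says where they are drained now. A one-line comment next to sock_orphan(sk), e.g. `/* queues are purged in hci_sock_destruct() once the last ref goes */`, would stop the next reader from reading the missing purge as an oversight and re-adding it here, which would reintroduce the race the patch fixes.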
@@ -2012,6 +2008,12 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
 	return err;
 }
 
+static void hci_sock_destruct(struct sock *sk)
+{
+	skb_queue_purge(&sk->sk_receive_queue);
+	skb_queue_purge(&sk->sk_write_queue);
+}
+
 static const struct proto_ops hci_sock_ops = {
 	.family		= PF_BLUETOOTH,
 	.owner		= THIS_MODULE,
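Review bot: hci_sock_destruct() purges both queues without taking the socket lock, which is only correct because sk_destruct runs when no reference to the socket remains; that precondition is stated in the commit message but not in the code. A short comment above the function saying that it is called from the final sock_put() and therefore must not lock the socket would document the contract, and it is worth noting there that the function covers both sk_receive_queue and sk_write_queue, matching the two calls removed from hci_sock_release(), so the write-queue purge is not later dropped as redundant.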
@@ -2065,6 +2067,7 @@ static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
 
 	sock->state = SS_UNCONNECTED;
 	sk->sk_state = BT_OPEN;
+	sk->sk_destruct = hci_sock_destruct;
 
 	bt_sock_link(&hci_sk_list, sk);
 	return 0;
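Review bot: sk->sk_destruct is installed at the tail of hci_sock_create(), immediately before bt_sock_link(&hci_sk_list, sk) makes the socket reachable to the rest of the HCI layer. That ordering is what makes the fix hold: any skb queued on a linked socket is guaranteed to meet a destructor that purges it. A comment tying the assignment to the bt_sock_link() call would guard against a future reordering, and since this is a plain assignment that would silently override any sk_destruct already set by the common Bluetooth socket allocation path, it is worth confirming on each of the 4.14/4.19/5.4/5.10/5.15 targets that no such earlier assignment exists.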
-- 
2.34.1
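The race the commit message describes is easy to reproduce in user space with a refcounted object and a deterministic interleaving. The following program is an added example, not code from the patch or from the kernel tree; the names (struct sock_model, sk_hold, sk_put, run_race) are invented stand-ins for the kernel's sock, sock_hold(), sock_put() and the hci_sock paths. It runs the same sequence twice: once with the purge in release() (pre-patch behaviour, leaking the packet enqueued after the purge) and once with the purge in the destructor that runs on the final put (post-patch behaviour, no leak).

```c
#include <stdlib.h>
#include <string.h>

#define MAX_PKTS 8

/* Stand-in for an skb. */
struct pkt {
	struct pkt *next;
	char data[16];
};

/* Registry of every packet allocated in a run, so leaks can be counted
 * and reclaimed afterwards without touching freed memory. */
static struct pkt *registry[MAX_PKTS];
static int registry_freed[MAX_PKTS];
static int registry_n;

static struct pkt *pkt_alloc(const char *label)
{
	struct pkt *p = calloc(1, sizeof(*p));

	if (!p || registry_n >= MAX_PKTS)
		abort();
	strncpy(p->data, label, sizeof(p->data) - 1);
	registry[registry_n] = p;
	registry_freed[registry_n] = 0;
	registry_n++;
	return p;
}

static void pkt_free(struct pkt *p)
{
	for (int i = 0; i < registry_n; i++)
		if (registry[i] == p)
			registry_freed[i] = 1;
	free(p);
}

/* Invented model of a socket: refcount, one queue, optional destructor. */
struct sock_model {
	int refcnt;
	struct pkt *queue;                      /* stands in for sk_receive_queue */
	void (*destruct)(struct sock_model *);  /* stands in for sk_destruct */
};

static void queue_tail(struct sock_model *sk, struct pkt *p)
{
	struct pkt **pp = &sk->queue;

	while (*pp)
		pp = &(*pp)->next;
	*pp = p;
}

static void queue_purge(struct sock_model *sk)
{
	while (sk->queue) {
		struct pkt *p = sk->queue;

		sk->queue = p->next;
		pkt_free(p);
	}
}

static void sk_hold(struct sock_model *sk) { sk->refcnt++; }

/* Like sock_put(): the destructor runs only when the last reference goes. */
static void sk_put(struct sock_model *sk)
{
	if (--sk->refcnt == 0) {
		if (sk->destruct)
			sk->destruct(sk);
		free(sk);
	}
}

static void model_destruct(struct sock_model *sk) { queue_purge(sk); }

/* One deterministic interleaving of the race. Returns the number of packets
 * left allocated after the socket itself has been freed, i.e. the leak. */
static int run_race(int purge_in_destruct)
{
	struct sock_model *sk = calloc(1, sizeof(*sk));
	int leaked = 0;

	if (!sk)
		abort();
	registry_n = 0;
	sk->refcnt = 1;                          /* the owner's reference */
	sk->destruct = purge_in_destruct ? model_destruct : NULL;

	sk_hold(sk);                             /* receive path takes sk first */
	queue_tail(sk, pkt_alloc("early"));      /* already queued at release */

	/* Owner's release(): pre-patch purges here; post-patch leaves the
	 * queue alone and lets the destructor drain it on the final put. */
	if (!purge_in_destruct)
		queue_purge(sk);
	sk_put(sk);

	queue_tail(sk, pkt_alloc("late"));       /* enqueued after the purge */
	sk_put(sk);                              /* last reference: sk is freed */

	for (int i = 0; i < registry_n; i++) {
		if (!registry_freed[i]) {
			leaked++;
			free(registry[i]);               /* reclaim for the demo only */
		}
	}
	return leaked;
}
```

run_race(0) models the code before the patch and leaks the "late" packet; run_race(1) models the patched code, where the destructor drains both "early" and "late" because nothing can enqueue after the refcount has dropped to zero.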



* RE: Bluetooth: hci_sock: purge socket queues in the destruct() callback
  2023-03-09 18:12 ` [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] " Fedor Pchelkin
@ 2023-03-09 18:42   ` bluez.test.bot
  2023-03-10 11:50   ` [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] " Greg Kroah-Hartman
  1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2023-03-09 18:42 UTC (permalink / raw)
  To: linux-bluetooth, pchelkin


This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sock.c:888
error: net/bluetooth/hci_sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth



* Re: [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] Bluetooth: hci_sock: purge socket queues in the destruct() callback
  2023-03-09 18:12 ` [PATCH 4.14/4.19/5.4/5.10/5.15 1/1] " Fedor Pchelkin
  2023-03-09 18:42   ` bluez.test.bot
@ 2023-03-10 11:50   ` Greg Kroah-Hartman
  1 sibling, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2023-03-10 11:50 UTC (permalink / raw)
  To: Fedor Pchelkin
  Cc: stable, Marcel Holtmann, Nguyen Dinh Phi, linux-bluetooth,
	netdev, linux-kernel, Alexey Khoroshilov, lvc-project,
	syzbot+4c4ffd1e1094dae61035

On Thu, Mar 09, 2023 at 09:12:51PM +0300, Fedor Pchelkin wrote:
> From: Nguyen Dinh Phi <phind.uet@gmail.com>
> 
> commit 709fca500067524381e28a5f481882930eebac88 upstream.
> 
> The receive path may take the socket right before hci_sock_release(),
> but it may enqueue the packets to the socket queues after the call to
> skb_queue_purge(), therefore the socket can be destroyed without clearing
> its queues completely.
> 
> Moving these skb_queue_purge() calls to hci_sock_destruct() will fix this
> issue, because nothing is referencing the socket at this point.
> 
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
> ---
>  net/bluetooth/hci_sock.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
> index f1128c2134f0..3f92a21cabe8 100644
> --- a/net/bluetooth/hci_sock.c
> +++ b/net/bluetooth/hci_sock.c
> @@ -888,10 +888,6 @@ static int hci_sock_release(struct socket *sock)
>  	}
>  
>  	sock_orphan(sk);
> -
> -	skb_queue_purge(&sk->sk_receive_queue);
> -	skb_queue_purge(&sk->sk_write_queue);
> -
>  	release_sock(sk);
>  	sock_put(sk);
>  	return 0;
> @@ -2012,6 +2008,12 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
>  	return err;
>  }
>  
> +static void hci_sock_destruct(struct sock *sk)
> +{
> +	skb_queue_purge(&sk->sk_receive_queue);
> +	skb_queue_purge(&sk->sk_write_queue);
> +}
> +
>  static const struct proto_ops hci_sock_ops = {
>  	.family		= PF_BLUETOOTH,
>  	.owner		= THIS_MODULE,
> @@ -2065,6 +2067,7 @@ static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
>  
>  	sock->state = SS_UNCONNECTED;
>  	sk->sk_state = BT_OPEN;
> +	sk->sk_destruct = hci_sock_destruct;
>  
>  	bt_sock_link(&hci_sk_list, sk);
>  	return 0;
> -- 
> 2.34.1
> 

Now queued up, thanks.

greg k-h

