* [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
@ 2021-07-21 10:17 ` Desmond Cheong Zhi Xi
0 siblings, 0 replies; 7+ messages in thread
From: Desmond Cheong Zhi Xi @ 2021-07-21 10:17 UTC (permalink / raw)
To: marcel, johan.hedberg, luiz.dentz, davem, kuba
Cc: Desmond Cheong Zhi Xi, linux-bluetooth, netdev, linux-kernel,
skhan, gregkh, linux-kernel-mentees, syzbot+66264bf2fd0476be7e6c
Syzbot reported a corrupted list in kobject_add_internal [1]. This
happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
status 0 are sent for the same HCI connection. This causes us to
register the device more than once which corrupts the kset list.
To fix this, in hci_sync_conn_complete_evt, we check whether we're
trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
times for one connection. If that's the case, the event is invalid, so
we skip further processing and exit.
Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
---
net/bluetooth/hci_event.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 016b2999f219..091a92338492 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
switch (ev->status) {
case 0x00:
+ if (conn->state == BT_CONNECTED)
+ goto unlock; /* Already connected, event not valid */
conn->handle = __le16_to_cpu(ev->handle);
conn->state = BT_CONNECTED;
conn->type = ev->link_type;
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
@ 2021-07-21 10:17 ` Desmond Cheong Zhi Xi
0 siblings, 0 replies; 7+ messages in thread
From: Desmond Cheong Zhi Xi @ 2021-07-21 10:17 UTC (permalink / raw)
To: marcel, johan.hedberg, luiz.dentz, davem, kuba
Cc: linux-kernel, linux-bluetooth, netdev, Desmond Cheong Zhi Xi,
linux-kernel-mentees, syzbot+66264bf2fd0476be7e6c
Syzbot reported a corrupted list in kobject_add_internal [1]. This
happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
status 0 are sent for the same HCI connection. This causes us to
register the device more than once which corrupts the kset list.
To fix this, in hci_sync_conn_complete_evt, we check whether we're
trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
times for one connection. If that's the case, the event is invalid, so
we skip further processing and exit.
Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
---
net/bluetooth/hci_event.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 016b2999f219..091a92338492 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
switch (ev->status) {
case 0x00:
+ if (conn->state == BT_CONNECTED)
+ goto unlock; /* Already connected, event not valid */
conn->handle = __le16_to_cpu(ev->handle);
conn->state = BT_CONNECTED;
conn->type = ev->link_type;
--
2.25.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply related [flat|nested] 7+ messages in thread
* RE: Bluetooth: skip invalid hci_sync_conn_complete_evt
2021-07-21 10:17 ` Desmond Cheong Zhi Xi
(?)
@ 2021-07-21 12:00 ` bluez.test.bot
-1 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2021-07-21 12:00 UTC (permalink / raw)
To: linux-bluetooth, desmondcheongzx
[-- Attachment #1: Type: text/plain, Size: 2727 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=518861
---Test result---
Test Summary:
CheckPatch PASS 0.60 seconds
GitLint PASS 0.11 seconds
BuildKernel PASS 600.35 seconds
TestRunner: Setup PASS 404.01 seconds
TestRunner: l2cap-tester PASS 3.07 seconds
TestRunner: bnep-tester PASS 2.17 seconds
TestRunner: mgmt-tester PASS 33.84 seconds
TestRunner: rfcomm-tester PASS 2.35 seconds
TestRunner: sco-tester PASS 2.33 seconds
TestRunner: smp-tester FAIL 2.36 seconds
TestRunner: userchan-tester PASS 2.13 seconds
Details
##############################
Test: CheckPatch - PASS - 0.60 seconds
Run checkpatch.pl script with rule in .checkpatch.conf
##############################
Test: GitLint - PASS - 0.11 seconds
Run gitlint with rule in .gitlint
##############################
Test: BuildKernel - PASS - 600.35 seconds
Build Kernel with minimal configuration supports Bluetooth
##############################
Test: TestRunner: Setup - PASS - 404.01 seconds
Setup environment for running Test Runner
##############################
Test: TestRunner: l2cap-tester - PASS - 3.07 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: bnep-tester - PASS - 2.17 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: mgmt-tester - PASS - 33.84 seconds
Run test-runner with mgmt-tester
Total: 448, Passed: 445 (99.3%), Failed: 0, Not Run: 3
##############################
Test: TestRunner: rfcomm-tester - PASS - 2.35 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: sco-tester - PASS - 2.33 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: smp-tester - FAIL - 2.36 seconds
Run test-runner with smp-tester
Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0
Failed Test Cases
SMP Client - SC Request 2 Failed 0.033 seconds
##############################
Test: TestRunner: userchan-tester - PASS - 2.13 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0
---
Regards,
Linux Bluetooth
[-- Attachment #2: l2cap-tester.log --]
[-- Type: application/octet-stream, Size: 44349 bytes --]
[-- Attachment #3: bnep-tester.log --]
[-- Type: application/octet-stream, Size: 3556 bytes --]
[-- Attachment #4: mgmt-tester.log --]
[-- Type: application/octet-stream, Size: 616825 bytes --]
[-- Attachment #5: rfcomm-tester.log --]
[-- Type: application/octet-stream, Size: 11676 bytes --]
[-- Attachment #6: sco-tester.log --]
[-- Type: application/octet-stream, Size: 9912 bytes --]
[-- Attachment #7: smp-tester.log --]
[-- Type: application/octet-stream, Size: 11705 bytes --]
[-- Attachment #8: userchan-tester.log --]
[-- Type: application/octet-stream, Size: 5453 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
2021-07-21 10:17 ` Desmond Cheong Zhi Xi
@ 2021-07-22 14:39 ` Marcel Holtmann
-1 siblings, 0 replies; 7+ messages in thread
From: Marcel Holtmann @ 2021-07-22 14:39 UTC (permalink / raw)
To: Desmond Cheong Zhi Xi
Cc: Johan Hedberg, Luiz Augusto von Dentz, David S. Miller,
Jakub Kicinski, linux-bluetooth, open list:NETWORKING [GENERAL],
open list, skhan, gregkh, linux-kernel-mentees,
syzbot+66264bf2fd0476be7e6c
Hi Desmond,
> Syzbot reported a corrupted list in kobject_add_internal [1]. This
> happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
> status 0 are sent for the same HCI connection. This causes us to
> register the device more than once which corrupts the kset list.
and that is actually forbidden by the spec. So we need to complain loudly that such a device is misbehaving.
> To fix this, in hci_sync_conn_complete_evt, we check whether we're
> trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
> times for one connection. If that's the case, the event is invalid, so
> we skip further processing and exit.
>
> Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
> Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
> Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> ---
> net/bluetooth/hci_event.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 016b2999f219..091a92338492 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
>
> switch (ev->status) {
> case 0x00:
> + if (conn->state == BT_CONNECTED)
> + goto unlock; /* Already connected, event not valid */
The comment has go above and be a lot more details since this is not expected behavior from valid hardware and we should add a bt_dev_err as well.
> conn->handle = __le16_to_cpu(ev->handle);
> conn->state = BT_CONNECTED;
> conn->type = ev->link_type;
Regards
Marcel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
@ 2021-07-22 14:39 ` Marcel Holtmann
0 siblings, 0 replies; 7+ messages in thread
From: Marcel Holtmann @ 2021-07-22 14:39 UTC (permalink / raw)
To: Desmond Cheong Zhi Xi
Cc: Johan Hedberg, open list:NETWORKING [GENERAL],
syzbot+66264bf2fd0476be7e6c, open list, linux-bluetooth,
Luiz Augusto von Dentz, Jakub Kicinski, linux-kernel-mentees,
David S. Miller
Hi Desmond,
> Syzbot reported a corrupted list in kobject_add_internal [1]. This
> happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
> status 0 are sent for the same HCI connection. This causes us to
> register the device more than once which corrupts the kset list.
and that is actually forbidden by the spec. So we need to complain loudly that such a device is misbehaving.
> To fix this, in hci_sync_conn_complete_evt, we check whether we're
> trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
> times for one connection. If that's the case, the event is invalid, so
> we skip further processing and exit.
>
> Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
> Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
> Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> ---
> net/bluetooth/hci_event.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 016b2999f219..091a92338492 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
>
> switch (ev->status) {
> case 0x00:
> + if (conn->state == BT_CONNECTED)
> + goto unlock; /* Already connected, event not valid */
The comment has go above and be a lot more details since this is not expected behavior from valid hardware and we should add a bt_dev_err as well.
> conn->handle = __le16_to_cpu(ev->handle);
> conn->state = BT_CONNECTED;
> conn->type = ev->link_type;
Regards
Marcel
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
2021-07-22 14:39 ` Marcel Holtmann
@ 2021-07-28 6:47 ` Desmond Cheong Zhi Xi
-1 siblings, 0 replies; 7+ messages in thread
From: Desmond Cheong Zhi Xi @ 2021-07-28 6:47 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hedberg, Luiz Augusto von Dentz, David S. Miller,
Jakub Kicinski, linux-bluetooth, open list:NETWORKING [GENERAL],
open list, skhan, gregkh, linux-kernel-mentees,
syzbot+66264bf2fd0476be7e6c
On 22/7/21 10:39 pm, Marcel Holtmann wrote:
> Hi Desmond,
>
>> Syzbot reported a corrupted list in kobject_add_internal [1]. This
>> happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
>> status 0 are sent for the same HCI connection. This causes us to
>> register the device more than once which corrupts the kset list.
>
> and that is actually forbidden by the spec. So we need to complain loudly that such a device is misbehaving.
>
>> To fix this, in hci_sync_conn_complete_evt, we check whether we're
>> trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
>> times for one connection. If that's the case, the event is invalid, so
>> we skip further processing and exit.
>>
>> Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
>> Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
>> Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
>> ---
>> net/bluetooth/hci_event.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
>> index 016b2999f219..091a92338492 100644
>> --- a/net/bluetooth/hci_event.c
>> +++ b/net/bluetooth/hci_event.c
>> @@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
>>
>> switch (ev->status) {
>> case 0x00:
>> + if (conn->state == BT_CONNECTED)
>> + goto unlock; /* Already connected, event not valid */
>
> The comment has go above and be a lot more details since this is not expected behavior from valid hardware and we should add a bt_dev_err as well.
>
Hi Marcel,
Apologies for the delayed response.
Thanks for the feedback, I'll add more elaboration for the new check and
add a bt_dev_err in a v2 patch.
>> conn->handle = __le16_to_cpu(ev->handle);
>> conn->state = BT_CONNECTED;
>> conn->type = ev->link_type;
>
> Regards
>
> Marcel
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
@ 2021-07-28 6:47 ` Desmond Cheong Zhi Xi
0 siblings, 0 replies; 7+ messages in thread
From: Desmond Cheong Zhi Xi @ 2021-07-28 6:47 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hedberg, open list:NETWORKING [GENERAL],
syzbot+66264bf2fd0476be7e6c, open list, linux-bluetooth,
Luiz Augusto von Dentz, Jakub Kicinski, linux-kernel-mentees,
David S. Miller
On 22/7/21 10:39 pm, Marcel Holtmann wrote:
> Hi Desmond,
>
>> Syzbot reported a corrupted list in kobject_add_internal [1]. This
>> happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
>> status 0 are sent for the same HCI connection. This causes us to
>> register the device more than once which corrupts the kset list.
>
> and that is actually forbidden by the spec. So we need to complain loudly that such a device is misbehaving.
>
>> To fix this, in hci_sync_conn_complete_evt, we check whether we're
>> trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
>> times for one connection. If that's the case, the event is invalid, so
>> we skip further processing and exit.
>>
>> Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
>> Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
>> Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
>> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
>> ---
>> net/bluetooth/hci_event.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
>> index 016b2999f219..091a92338492 100644
>> --- a/net/bluetooth/hci_event.c
>> +++ b/net/bluetooth/hci_event.c
>> @@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
>>
>> switch (ev->status) {
>> case 0x00:
>> + if (conn->state == BT_CONNECTED)
>> + goto unlock; /* Already connected, event not valid */
>
> The comment has go above and be a lot more details since this is not expected behavior from valid hardware and we should add a bt_dev_err as well.
>
Hi Marcel,
Apologies for the delayed response.
Thanks for the feedback, I'll add more elaboration for the new check and
add a bt_dev_err in a v2 patch.
>> conn->handle = __le16_to_cpu(ev->handle);
>> conn->state = BT_CONNECTED;
>> conn->type = ev->link_type;
>
> Regards
>
> Marcel
>
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-07-28 6:47 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-21 10:17 [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt Desmond Cheong Zhi Xi
2021-07-21 10:17 ` Desmond Cheong Zhi Xi
2021-07-21 12:00 ` bluez.test.bot
2021-07-22 14:39 ` [PATCH] " Marcel Holtmann
2021-07-22 14:39 ` Marcel Holtmann
2021-07-28 6:47 ` Desmond Cheong Zhi Xi
2021-07-28 6:47 ` Desmond Cheong Zhi Xi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.