* [PATCH v1] Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete
@ 2021-02-03  7:09 Howard Chung
  2021-02-03  8:13 ` [v1] " bluez.test.bot
  2021-02-03 13:33 ` [PATCH v1] " Marcel Holtmann
  0 siblings, 2 replies; 3+ messages in thread
From: Howard Chung @ 2021-02-03  7:09 UTC (permalink / raw)
  To: linux-bluetooth, marcel
  Cc: Howard Chung, Miao-chen Chou, Manish Mandlik, Archie Pusaka,
	David S. Miller, Jakub Kicinski, Johan Hedberg,
	Luiz Augusto von Dentz, linux-kernel, netdev

If hci_add_adv_monitor is a pending command (e.g. forwarded to
msft_add_monitor_pattern), it is possible that
mgmt_add_adv_patterns_monitor_complete gets called before
cmd->user_data gets set, which will cause a crash when we
try to get the monitor handle through cmd->user_data in
mgmt_add_adv_patterns_monitor_complete.

This moves the cmd->user_data assignment earlier than
hci_add_adv_monitor.

RIP: 0010:mgmt_add_adv_patterns_monitor_complete+0x82/0x187 [bluetooth]
Code: 1e bf 03 00 00 00 be 52 00 00 00 4c 89 ea e8 9e e4 02 00 49 89 c6 48 85 c0 0f 84 06 01 00 00 48 89 5d b8 4c 89 fb 4d 8b 7e 30 <41> 0f b7 47 18 66 89 45 c0 45 84 e4 75 5a 4d 8b 56 28 48 8d 4d c8
RSP: 0018:ffffae81807dbcb8 EFLAGS: 00010286
RAX: ffff91c4bdf723c0 RBX: 0000000000000000 RCX: ffff91c4e5da5b80
RDX: ffff91c405680000 RSI: 0000000000000052 RDI: ffff91c49d654c00
RBP: ffffae81807dbd00 R08: ffff91c49fb157e0 R09: ffff91c49fb157e0
R10: 000000000002a4f0 R11: ffffffffc0819cfd R12: 0000000000000000
R13: ffff91c405680000 R14: ffff91c4bdf723c0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff91c4ea300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000133612002 CR4: 00000000003606e0
Call Trace:
 ? msft_le_monitor_advertisement_cb+0x111/0x141 [bluetooth]
 hci_event_packet+0x425e/0x631c [bluetooth]
 ? printk+0x59/0x73
 ? __switch_to_asm+0x41/0x70
 ? msft_le_set_advertisement_filter_enable_cb+0xa6/0xa6 [bluetooth]
 ? bt_dbg+0xb4/0xbb [bluetooth]
 ? __switch_to_asm+0x41/0x70
 hci_rx_work+0x101/0x319 [bluetooth]
 process_one_work+0x257/0x506
 worker_thread+0x10d/0x284
 kthread+0x14c/0x154
 ? process_one_work+0x506/0x506
 ? kthread_blkcg+0x2c/0x2c
 ret_from_fork+0x1f/0x40

Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
Reviewed-by: Archie Pusaka <apusaka@chromium.org>
Signed-off-by: Howard Chung <howardchung@google.com>
---

 net/bluetooth/mgmt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 8ff9c4bb43d11..74971b4bd4570 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -4303,6 +4303,7 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
 		goto unlock;
 	}
 
+	cmd->user_data = m;
 	pending = hci_add_adv_monitor(hdev, m, &err);
 	if (err) {
 		if (err == -ENOSPC || err == -ENOMEM)
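Review bot: With `cmd->user_data = m;` now assigned before `hci_add_adv_monitor()`, the `if (err)` branch below runs with `cmd` already pointing at `m`; since the commit message says the completion reads the monitor through `cmd->user_data`, please confirm this error path removes `cmd` from the pending list (or clears `user_data`) before `m` is released, otherwise a late completion would follow a stale pointer instead of the NULL one seen in the oops. The reordering itself is the right fix: a command forwarded to the controller completes from the HCI event path, so the context the completion needs has to be published before the command is sent.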
@@ -4330,7 +4331,6 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
 
 	hci_dev_unlock(hdev);
 
-	cmd->user_data = m;
 	return 0;
 
 unlock:
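Review bot: Removing the late assignment after `hci_dev_unlock(hdev);` closes the window, but the commit message only says an early completion is "possible"; it would help to state that the completion runs from hci_rx_work (see the Call Trace) and can therefore land any time after the command is sent inside hci_add_adv_monitor, well before this point at the end of the function. The oops agrees with that: the faulting bytes `<41> 0f b7 47 18` decode to movzwl 0x18(%r15),%eax, with R15 = 0 and CR2 = 0x18, i.e. a 16-bit handle read at offset 0x18 of a NULL monitor pointer.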
-- 
2.30.0.365.g02bc693789-goog



* RE: [v1] Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete
  2021-02-03  7:09 [PATCH v1] Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete Howard Chung
@ 2021-02-03  8:13 ` bluez.test.bot
  2021-02-03 13:33 ` [PATCH v1] " Marcel Holtmann
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2021-02-03  8:13 UTC (permalink / raw)
  To: linux-bluetooth, howardchung


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=426795

---Test result---

##############################
Test: CheckPatch - PASS

##############################
Test: CheckGitLint - PASS

##############################
Test: CheckBuildK - PASS

##############################
Test: CheckTestRunner: Setup - PASS

##############################
Test: CheckTestRunner: l2cap-tester - PASS
Total: 40, Passed: 34 (85.0%), Failed: 0, Not Run: 6

##############################
Test: CheckTestRunner: bnep-tester - PASS
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: mgmt-tester - PASS
Total: 416, Passed: 402 (96.6%), Failed: 0, Not Run: 14

##############################
Test: CheckTestRunner: rfcomm-tester - PASS
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: sco-tester - PASS
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: smp-tester - PASS
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: userchan-tester - PASS
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0

---
Regards,
Linux Bluetooth




* Re: [PATCH v1] Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete
  2021-02-03  7:09 [PATCH v1] Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete Howard Chung
  2021-02-03  8:13 ` [v1] " bluez.test.bot
@ 2021-02-03 13:33 ` Marcel Holtmann
  1 sibling, 0 replies; 3+ messages in thread
From: Marcel Holtmann @ 2021-02-03 13:33 UTC (permalink / raw)
  To: Howard Chung
  Cc: Bluetooth Kernel Mailing List, Miao-chen Chou, Manish Mandlik,
	Archie Pusaka, David S. Miller, Jakub Kicinski, Johan Hedberg,
	Luiz Augusto von Dentz, LKML, netdev

Hi Howard,

> If hci_add_adv_monitor is a pending command (e.g. forwarded to
> msft_add_monitor_pattern), it is possible that
> mgmt_add_adv_patterns_monitor_complete gets called before
> cmd->user_data gets set, which will cause a crash when we
> try to get the monitor handle through cmd->user_data in
> mgmt_add_adv_patterns_monitor_complete.
> 
> This moves the cmd->user_data assignment earlier than
> hci_add_adv_monitor.
> 
> RIP: 0010:mgmt_add_adv_patterns_monitor_complete+0x82/0x187 [bluetooth]
> Code: 1e bf 03 00 00 00 be 52 00 00 00 4c 89 ea e8 9e e4 02 00 49 89 c6 48 85 c0 0f 84 06 01 00 00 48 89 5d b8 4c 89 fb 4d 8b 7e 30 <41> 0f b7 47 18 66 89 45 c0 45 84 e4 75 5a 4d 8b 56 28 48 8d 4d c8
> RSP: 0018:ffffae81807dbcb8 EFLAGS: 00010286
> RAX: ffff91c4bdf723c0 RBX: 0000000000000000 RCX: ffff91c4e5da5b80
> RDX: ffff91c405680000 RSI: 0000000000000052 RDI: ffff91c49d654c00
> RBP: ffffae81807dbd00 R08: ffff91c49fb157e0 R09: ffff91c49fb157e0
> R10: 000000000002a4f0 R11: ffffffffc0819cfd R12: 0000000000000000
> R13: ffff91c405680000 R14: ffff91c4bdf723c0 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff91c4ea300000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000018 CR3: 0000000133612002 CR4: 00000000003606e0
> Call Trace:
> ? msft_le_monitor_advertisement_cb+0x111/0x141 [bluetooth]
> hci_event_packet+0x425e/0x631c [bluetooth]
> ? printk+0x59/0x73
> ? __switch_to_asm+0x41/0x70
> ? msft_le_set_advertisement_filter_enable_cb+0xa6/0xa6 [bluetooth]
> ? bt_dbg+0xb4/0xbb [bluetooth]
> ? __switch_to_asm+0x41/0x70
> hci_rx_work+0x101/0x319 [bluetooth]
> process_one_work+0x257/0x506
> worker_thread+0x10d/0x284
> kthread+0x14c/0x154
> ? process_one_work+0x506/0x506
> ? kthread_blkcg+0x2c/0x2c
> ret_from_fork+0x1f/0x40
> 
> Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
> Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
> Reviewed-by: Archie Pusaka <apusaka@chromium.org>
> Signed-off-by: Howard Chung <howardchung@google.com>
> ---
> 
> net/bluetooth/mgmt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel


