[PATCH v1] Bluetooth: Fix race condition in handling NOP command

[PATCH v1] Bluetooth: Fix race condition in handling NOP command

[Kiran K]

For NOP command, need to cancel work scheduled on cmd_timer,
on receiving command status or commmand complete event.

Below use case might lead to race condition multiple when NOP
commands are queued sequentially:

hci_cmd_work() {
   if (atomic_read(&hdev->cmd_cnt) {
            .
            .
            .
      atomic_dec(&hdev->cmd_cnt);
      hci_send_frame(hdev,...);
      schedule_delayed_work(&hdev->cmd_timer,...);
   }
}

On receiving event for first NOP, the work scheduled on hdev->cmd_timer
is not cancelled and  second NOP is dequeued and sent to controller.

While waiting for an event for second NOP command, work scheduled on
cmd_timer for first NOP can get scheduled, resulting in sending third
NOP command not waiting for an event for second NOP. This might cause
issues at controller side (like memory overrun, controller going
unresponsive) resulting in hci tx timeouts, hardware errors etc.

Signed-off-by: Kiran K <kiran.k@intel.com>
Reviewed-by: Chethan T N <chethan.tumkur.narayan@intel.com>
Reviewed-by: Srivatsa Ravishankar <ravishankar.srivatsa@intel.com>
---
 net/bluetooth/hci_event.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ea7fc09478be..14dfbdc8b81b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3271,8 +3271,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev,
 					    u16 opcode, u8 ncmd)
 {
-	if (opcode != HCI_OP_NOP)
-		cancel_delayed_work(&hdev->cmd_timer);
+	cancel_delayed_work(&hdev->cmd_timer);
 
 	if (!test_bit(HCI_RESET, &hdev->flags)) {
 		if (ncmd) {
-- 
2.17.1

RE: [v1] Bluetooth: Fix race condition in handling NOP command

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2727 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=526461

---Test result---

Test Summary:
CheckPatch                    PASS      0.48 seconds
GitLint                       PASS      0.11 seconds
BuildKernel                   PASS      573.83 seconds
TestRunner: Setup             PASS      379.63 seconds
TestRunner: l2cap-tester      PASS      2.70 seconds
TestRunner: bnep-tester       PASS      2.03 seconds
TestRunner: mgmt-tester       PASS      30.92 seconds
TestRunner: rfcomm-tester     PASS      2.40 seconds
TestRunner: sco-tester        PASS      2.23 seconds
TestRunner: smp-tester        FAIL      2.27 seconds
TestRunner: userchan-tester   PASS      2.18 seconds

Details
##############################
Test: CheckPatch - PASS - 0.48 seconds
Run checkpatch.pl script with rule in .checkpatch.conf


##############################
Test: GitLint - PASS - 0.11 seconds
Run gitlint with rule in .gitlint


##############################
Test: BuildKernel - PASS - 573.83 seconds
Build Kernel with minimal configuration supports Bluetooth


##############################
Test: TestRunner: Setup - PASS - 379.63 seconds
Setup environment for running Test Runner


##############################
Test: TestRunner: l2cap-tester - PASS - 2.70 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: bnep-tester - PASS - 2.03 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: mgmt-tester - PASS - 30.92 seconds
Run test-runner with mgmt-tester
Total: 448, Passed: 445 (99.3%), Failed: 0, Not Run: 3

##############################
Test: TestRunner: rfcomm-tester - PASS - 2.40 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: sco-tester - PASS - 2.23 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: smp-tester - FAIL - 2.27 seconds
Run test-runner with smp-tester
Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0

Failed Test Cases
SMP Client - SC Request 2                            Failed       0.027 seconds

##############################
Test: TestRunner: userchan-tester - PASS - 2.18 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0



---
Regards,
Linux Bluetooth


[-- Attachment #2: l2cap-tester.log --]
[-- Type: application/octet-stream, Size: 44384 bytes --]

[-- Attachment #3: bnep-tester.log --]
[-- Type: application/octet-stream, Size: 3592 bytes --]

[-- Attachment #4: mgmt-tester.log --]
[-- Type: application/octet-stream, Size: 616862 bytes --]

[-- Attachment #5: rfcomm-tester.log --]
[-- Type: application/octet-stream, Size: 11712 bytes --]

[-- Attachment #6: sco-tester.log --]
[-- Type: application/octet-stream, Size: 9947 bytes --]

[-- Attachment #7: smp-tester.log --]
[-- Type: application/octet-stream, Size: 11740 bytes --]

[-- Attachment #8: userchan-tester.log --]
[-- Type: application/octet-stream, Size: 5488 bytes --]

Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP command

[Marcel Holtmann]

Hi Kiran,

> For NOP command, need to cancel work scheduled on cmd_timer,
> on receiving command status or commmand complete event.
> 
> Below use case might lead to race condition multiple when NOP
> commands are queued sequentially:
> 
> hci_cmd_work() {
>   if (atomic_read(&hdev->cmd_cnt) {
>            .
>            .
>            .
>      atomic_dec(&hdev->cmd_cnt);
>      hci_send_frame(hdev,...);
>      schedule_delayed_work(&hdev->cmd_timer,...);
>   }
> }
> 
> On receiving event for first NOP, the work scheduled on hdev->cmd_timer
> is not cancelled and  second NOP is dequeued and sent to controller.
> 
> While waiting for an event for second NOP command, work scheduled on
> cmd_timer for first NOP can get scheduled, resulting in sending third
> NOP command not waiting for an event for second NOP. This might cause
> issues at controller side (like memory overrun, controller going
> unresponsive) resulting in hci tx timeouts, hardware errors etc.
> 
> Signed-off-by: Kiran K <kiran.k@intel.com>
> Reviewed-by: Chethan T N <chethan.tumkur.narayan@intel.com>
> Reviewed-by: Srivatsa Ravishankar <ravishankar.srivatsa@intel.com>
> ---
> net/bluetooth/hci_event.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index ea7fc09478be..14dfbdc8b81b 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -3271,8 +3271,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
> static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev,
> 					    u16 opcode, u8 ncmd)
> {
> -	if (opcode != HCI_OP_NOP)
> -		cancel_delayed_work(&hdev->cmd_timer);
> +	cancel_delayed_work(&hdev->cmd_timer);
> 
> 	if (!test_bit(HCI_RESET, &hdev->flags)) {
> 		if (ncmd) {

so this is conflicting with the patch introducing the ncmd timeout handling.

commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4
Author: Manish Mandlik <mmandlik@google.com>
Date:   Thu Apr 29 10:24:22 2021 -0700

    Bluetooth: Add ncmd=0 recovery handling
    
    During command status or command complete event, the controller may set
    ncmd=0 indicating that it is not accepting any more commands. In such a
    case, host holds off sending any more commands to the controller. If the
    controller doesn't recover from such condition, host will wait forever,
    until the user decides that the Bluetooth is broken and may power cycles
    the Bluetooth.
    
    This patch triggers the hardware error to reset the controller and
    driver when it gets into such state as there is no other wat out.

Nowhere in your commit description you are addressing why is this the right to do.

Regards

Marcel

RE: [PATCH v1] Bluetooth: Fix race condition in handling NOP command

[K, Kiran]

Hi Marcel,

> -----Original Message-----
> From: Marcel Holtmann <marcel@holtmann.org>
> Sent: Thursday, August 5, 2021 6:41 PM
> To: K, Kiran <kiran.k@intel.com>
> Cc: BlueZ <linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> <ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> <chethan.tumkur.narayan@intel.com>
> Subject: Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> command
> 
> Hi Kiran,
> 
> > For NOP command, need to cancel work scheduled on cmd_timer, on
> > receiving command status or commmand complete event.
> >
> > Below use case might lead to race condition multiple when NOP commands
> > are queued sequentially:
> >
> > hci_cmd_work() {
> >   if (atomic_read(&hdev->cmd_cnt) {
> >            .
> >            .
> >            .
> >      atomic_dec(&hdev->cmd_cnt);
> >      hci_send_frame(hdev,...);
> >      schedule_delayed_work(&hdev->cmd_timer,...);
> >   }
> > }
> >
> > On receiving event for first NOP, the work scheduled on
> > hdev->cmd_timer is not cancelled and  second NOP is dequeued and sent
> to controller.
> >
> > While waiting for an event for second NOP command, work scheduled on
> > cmd_timer for first NOP can get scheduled, resulting in sending third
> > NOP command not waiting for an event for second NOP. This might cause
> > issues at controller side (like memory overrun, controller going
> > unresponsive) resulting in hci tx timeouts, hardware errors etc.
> >
> > Signed-off-by: Kiran K <kiran.k@intel.com>
> > Reviewed-by: Chethan T N <chethan.tumkur.narayan@intel.com>
> > Reviewed-by: Srivatsa Ravishankar <ravishankar.srivatsa@intel.com>
> > ---
> > net/bluetooth/hci_event.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index ea7fc09478be..14dfbdc8b81b 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -3271,8 +3271,7 @@ static void hci_remote_features_evt(struct
> > hci_dev *hdev, static inline void handle_cmd_cnt_and_timer(struct hci_dev
> *hdev,
> > 					    u16 opcode, u8 ncmd)
> > {
> > -	if (opcode != HCI_OP_NOP)
> > -		cancel_delayed_work(&hdev->cmd_timer);
> > +	cancel_delayed_work(&hdev->cmd_timer);
> >
> > 	if (!test_bit(HCI_RESET, &hdev->flags)) {
> > 		if (ncmd) {
> 
> so this is conflicting with the patch introducing the ncmd timeout handling.
> 
My patch specifically addresses the issue observed in case of NOP command. It prevents the issue by handling NOP same as any other SIG command.

It looks commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4 tries to recover when controller goes bad.
  
> commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4
> Author: Manish Mandlik <mmandlik@google.com>
> Date:   Thu Apr 29 10:24:22 2021 -0700
> 
>     Bluetooth: Add ncmd=0 recovery handling
> 
>     During command status or command complete event, the controller may
> set
>     ncmd=0 indicating that it is not accepting any more commands. In such a
>     case, host holds off sending any more commands to the controller. If the
>     controller doesn't recover from such condition, host will wait forever,
>     until the user decides that the Bluetooth is broken and may power cycles
>     the Bluetooth.
> 
>     This patch triggers the hardware error to reset the controller and
>     driver when it gets into such state as there is no other wat out.
> 
> Nowhere in your commit description you are addressing why is this the right
> to do.
>

Will fix it in the next version if you are OK with the current fix. Please let me know.

> Regards
> 
> Marcel

Thanks,
Kiran

RE: [PATCH v1] Bluetooth: Fix race condition in handling NOP command

[K, Kiran]

Hi Marcel,

> -----Original Message-----
> From: K, Kiran
> Sent: Friday, August 6, 2021 8:14 PM
> To: 'Marcel Holtmann' <marcel@holtmann.org>
> Cc: BlueZ <linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> <ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> <chethan.tumkur.narayan@intel.com>
> Subject: RE: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> command
> 
> Hi Marcel,
> 
> > -----Original Message-----
> > From: Marcel Holtmann <marcel@holtmann.org>
> > Sent: Thursday, August 5, 2021 6:41 PM
> > To: K, Kiran <kiran.k@intel.com>
> > Cc: BlueZ <linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> > <ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> > <chethan.tumkur.narayan@intel.com>
> > Subject: Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> > command
> >
> > Hi Kiran,
> >
> > > For NOP command, need to cancel work scheduled on cmd_timer, on
> > > receiving command status or commmand complete event.
> > >
> > > Below use case might lead to race condition multiple when NOP
> > > commands are queued sequentially:
> > >
> > > hci_cmd_work() {
> > >   if (atomic_read(&hdev->cmd_cnt) {
> > >            .
> > >            .
> > >            .
> > >      atomic_dec(&hdev->cmd_cnt);
> > >      hci_send_frame(hdev,...);
> > >      schedule_delayed_work(&hdev->cmd_timer,...);
> > >   }
> > > }
> > >
> > > On receiving event for first NOP, the work scheduled on
> > > hdev->cmd_timer is not cancelled and  second NOP is dequeued and
> > > hdev->sent
> > to controller.
> > >
> > > While waiting for an event for second NOP command, work scheduled on
> > > cmd_timer for first NOP can get scheduled, resulting in sending
> > > third NOP command not waiting for an event for second NOP. This
> > > might cause issues at controller side (like memory overrun,
> > > controller going
> > > unresponsive) resulting in hci tx timeouts, hardware errors etc.
> > >
> > > Signed-off-by: Kiran K <kiran.k@intel.com>
> > > Reviewed-by: Chethan T N <chethan.tumkur.narayan@intel.com>
> > > Reviewed-by: Srivatsa Ravishankar <ravishankar.srivatsa@intel.com>
> > > ---
> > > net/bluetooth/hci_event.c | 3 +--
> > > 1 file changed, 1 insertion(+), 2 deletions(-)
> > >
> > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > index ea7fc09478be..14dfbdc8b81b 100644
> > > --- a/net/bluetooth/hci_event.c
> > > +++ b/net/bluetooth/hci_event.c
> > > @@ -3271,8 +3271,7 @@ static void hci_remote_features_evt(struct
> > > hci_dev *hdev, static inline void handle_cmd_cnt_and_timer(struct
> > > hci_dev
> > *hdev,
> > > 					    u16 opcode, u8 ncmd)
> > > {
> > > -	if (opcode != HCI_OP_NOP)
> > > -		cancel_delayed_work(&hdev->cmd_timer);
> > > +	cancel_delayed_work(&hdev->cmd_timer);
> > >
> > > 	if (!test_bit(HCI_RESET, &hdev->flags)) {
> > > 		if (ncmd) {
> >
> > so this is conflicting with the patch introducing the ncmd timeout handling.
> >
> My patch specifically addresses the issue observed in case of NOP command.
> It prevents the issue by handling NOP same as any other SIG command.
> 
> It looks commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4 tries to
> recover when controller goes bad.
> 

Do you have any further comments here ? Waiting for your input. 

> > commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4
> > Author: Manish Mandlik <mmandlik@google.com>
> > Date:   Thu Apr 29 10:24:22 2021 -0700
> >
> >     Bluetooth: Add ncmd=0 recovery handling
> >
> >     During command status or command complete event, the controller
> > may set
> >     ncmd=0 indicating that it is not accepting any more commands. In such a
> >     case, host holds off sending any more commands to the controller. If the
> >     controller doesn't recover from such condition, host will wait forever,
> >     until the user decides that the Bluetooth is broken and may power cycles
> >     the Bluetooth.
> >
> >     This patch triggers the hardware error to reset the controller and
> >     driver when it gets into such state as there is no other wat out.
> >
> > Nowhere in your commit description you are addressing why is this the
> > right to do.
> >
> 
> Will fix it in the next version if you are OK with the current fix. Please let me
> know.
> 
> > Regards
> >
> > Marcel
> 
> Thanks,
> Kiran

Thanks,
Kiran

Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP command

[Luiz Augusto von Dentz]

Hi Manish,

On Thu, Aug 12, 2021 at 3:58 AM K, Kiran <kiran.k@intel.com> wrote:
>
> Hi Marcel,
>
> > -----Original Message-----
> > From: K, Kiran
> > Sent: Friday, August 6, 2021 8:14 PM
> > To: 'Marcel Holtmann' <marcel@holtmann.org>
> > Cc: BlueZ <linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> > <ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> > <chethan.tumkur.narayan@intel.com>
> > Subject: RE: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> > command
> >
> > Hi Marcel,
> >
> > > -----Original Message-----
> > > From: Marcel Holtmann <marcel@holtmann.org>
> > > Sent: Thursday, August 5, 2021 6:41 PM
> > > To: K, Kiran <kiran.k@intel.com>
> > > Cc: BlueZ <linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> > > <ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> > > <chethan.tumkur.narayan@intel.com>
> > > Subject: Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> > > command
> > >
> > > Hi Kiran,
> > >
> > > > For NOP command, need to cancel work scheduled on cmd_timer, on
> > > > receiving command status or commmand complete event.
> > > >
> > > > Below use case might lead to race condition multiple when NOP
> > > > commands are queued sequentially:
> > > >
> > > > hci_cmd_work() {
> > > >   if (atomic_read(&hdev->cmd_cnt) {
> > > >            .
> > > >            .
> > > >            .
> > > >      atomic_dec(&hdev->cmd_cnt);
> > > >      hci_send_frame(hdev,...);
> > > >      schedule_delayed_work(&hdev->cmd_timer,...);
> > > >   }
> > > > }
> > > >
> > > > On receiving event for first NOP, the work scheduled on
> > > > hdev->cmd_timer is not cancelled and  second NOP is dequeued and
> > > > hdev->sent
> > > to controller.
> > > >
> > > > While waiting for an event for second NOP command, work scheduled on
> > > > cmd_timer for first NOP can get scheduled, resulting in sending
> > > > third NOP command not waiting for an event for second NOP. This
> > > > might cause issues at controller side (like memory overrun,
> > > > controller going
> > > > unresponsive) resulting in hci tx timeouts, hardware errors etc.
> > > >
> > > > Signed-off-by: Kiran K <kiran.k@intel.com>
> > > > Reviewed-by: Chethan T N <chethan.tumkur.narayan@intel.com>
> > > > Reviewed-by: Srivatsa Ravishankar <ravishankar.srivatsa@intel.com>
> > > > ---
> > > > net/bluetooth/hci_event.c | 3 +--
> > > > 1 file changed, 1 insertion(+), 2 deletions(-)
> > > >
> > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > > index ea7fc09478be..14dfbdc8b81b 100644
> > > > --- a/net/bluetooth/hci_event.c
> > > > +++ b/net/bluetooth/hci_event.c
> > > > @@ -3271,8 +3271,7 @@ static void hci_remote_features_evt(struct
> > > > hci_dev *hdev, static inline void handle_cmd_cnt_and_timer(struct
> > > > hci_dev
> > > *hdev,
> > > >                                       u16 opcode, u8 ncmd)
> > > > {
> > > > - if (opcode != HCI_OP_NOP)
> > > > -         cancel_delayed_work(&hdev->cmd_timer);
> > > > + cancel_delayed_work(&hdev->cmd_timer);
> > > >
> > > >   if (!test_bit(HCI_RESET, &hdev->flags)) {
> > > >           if (ncmd) {
> > >
> > > so this is conflicting with the patch introducing the ncmd timeout handling.
> > >
> > My patch specifically addresses the issue observed in case of NOP command.
> > It prevents the issue by handling NOP same as any other SIG command.
> >
> > It looks commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4 tries to
> > recover when controller goes bad.
> >
>
> Do you have any further comments here ? Waiting for your input.
>
> > > commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4
> > > Author: Manish Mandlik <mmandlik@google.com>
> > > Date:   Thu Apr 29 10:24:22 2021 -0700
> > >
> > >     Bluetooth: Add ncmd=0 recovery handling
> > >
> > >     During command status or command complete event, the controller
> > > may set
> > >     ncmd=0 indicating that it is not accepting any more commands. In such a
> > >     case, host holds off sending any more commands to the controller. If the
> > >     controller doesn't recover from such condition, host will wait forever,
> > >     until the user decides that the Bluetooth is broken and may power cycles
> > >     the Bluetooth.
> > >
> > >     This patch triggers the hardware error to reset the controller and
> > >     driver when it gets into such state as there is no other wat out.
> > >
> > > Nowhere in your commit description you are addressing why is this the
> > > right to do.
> > >
> >
> > Will fix it in the next version if you are OK with the current fix. Please let me
> > know.

Can you confirm this change doesn't break your patch above?

> >
> > > Regards
> > >
> > > Marcel
> >
> > Thanks,
> > Kiran
>
> Thanks,
> Kiran
>
>


-- 
Luiz Augusto von Dentz

RE: [PATCH v1] Bluetooth: Fix race condition in handling NOP command

[K, Kiran]

Hi Manish, 
> 
> From: Manish Mandlik <mmandlik@google.com> 
> Sent: Saturday, August 14, 2021 5:20 AM
> To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> Cc: K, Kiran <kiran.k@intel.com>; Marcel Holtmann <marcel@holtmann.org>; BlueZ <linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar <ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan <chethan.tumkur.narayan@intel.com>
> Subject: Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP command
> 
> Hi Luiz,
> 
> This patch looks ok to me, it'll not break ncmd timeout handling. 
> 
> @Kiran: Just one nit on the patch: we can get rid of the argument 'u16 opcode' of the function 'handle_cmd_cnt_and_timer()' as it won't be used anymore in this case.

Thanks for the comment. I fix and send out an updated version.
> 
> Regards,
> Manish.
> 
> 
> On Thu, Aug 12, 2021 at 10:31 AM Luiz Augusto von Dentz <mailto:luiz.dentz@gmail.com> wrote:
> Hi Manish,
> 
> On Thu, Aug 12, 2021 at 3:58 AM K, Kiran <mailto:kiran.k@intel.com> wrote:
> >
> > Hi Marcel,
> >
> > > -----Original Message-----
> > > From: K, Kiran
> > > Sent: Friday, August 6, 2021 8:14 PM
> > > To: 'Marcel Holtmann' <mailto:marcel@holtmann.org>
> > > Cc: BlueZ <mailto:linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> > > <mailto:ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> > > <mailto:chethan.tumkur.narayan@intel.com>
> > > Subject: RE: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> > > command
> > >
> > > Hi Marcel,
> > >
> > > > -----Original Message-----
> > > > From: Marcel Holtmann <mailto:marcel@holtmann.org>
> > > > Sent: Thursday, August 5, 2021 6:41 PM
> > > > To: K, Kiran <mailto:kiran.k@intel.com>
> > > > Cc: BlueZ <mailto:linux-bluetooth@vger.kernel.org>; Srivatsa, Ravishankar
> > > > <mailto:ravishankar.srivatsa@intel.com>; Tumkur Narayan, Chethan
> > > > <mailto:chethan.tumkur.narayan@intel.com>
> > > > Subject: Re: [PATCH v1] Bluetooth: Fix race condition in handling NOP
> > > > command
> > > >
> > > > Hi Kiran,
> > > >
> > > > > For NOP command, need to cancel work scheduled on cmd_timer, on
> > > > > receiving command status or commmand complete event.
> > > > >
> > > > > Below use case might lead to race condition multiple when NOP
> > > > > commands are queued sequentially:
> > > > >
> > > > > hci_cmd_work() {
> > > > >   if (atomic_read(&hdev->cmd_cnt) {
> > > > >            .
> > > > >            .
> > > > >            .
> > > > >      atomic_dec(&hdev->cmd_cnt);
> > > > >      hci_send_frame(hdev,...);
> > > > >      schedule_delayed_work(&hdev->cmd_timer,...);
> > > > >   }
> > > > > }
> > > > >
> > > > > On receiving event for first NOP, the work scheduled on
> > > > > hdev->cmd_timer is not cancelled and  second NOP is dequeued and
> > > > > hdev->sent
> > > > to controller.
> > > > >
> > > > > While waiting for an event for second NOP command, work scheduled on
> > > > > cmd_timer for first NOP can get scheduled, resulting in sending
> > > > > third NOP command not waiting for an event for second NOP. This
> > > > > might cause issues at controller side (like memory overrun,
> > > > > controller going
> > > > > unresponsive) resulting in hci tx timeouts, hardware errors etc.
> > > > >
> > > > > Signed-off-by: Kiran K <mailto:kiran.k@intel.com>
> > > > > Reviewed-by: Chethan T N <mailto:chethan.tumkur.narayan@intel.com>
> > > > > Reviewed-by: Srivatsa Ravishankar <mailto:ravishankar.srivatsa@intel.com>
> > > > > ---
> > > > > net/bluetooth/hci_event.c | 3 +--
> > > > > 1 file changed, 1 insertion(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > > > index ea7fc09478be..14dfbdc8b81b 100644
> > > > > --- a/net/bluetooth/hci_event.c
> > > > > +++ b/net/bluetooth/hci_event.c
> > > > > @@ -3271,8 +3271,7 @@ static void hci_remote_features_evt(struct
> > > > > hci_dev *hdev, static inline void handle_cmd_cnt_and_timer(struct
> > > > > hci_dev
> > > > *hdev,
> > > > >                                       u16 opcode, u8 ncmd)
> > > > > {
> > > > > - if (opcode != HCI_OP_NOP)
> > > > > -         cancel_delayed_work(&hdev->cmd_timer);
> > > > > + cancel_delayed_work(&hdev->cmd_timer);
> > > > >
> > > > >   if (!test_bit(HCI_RESET, &hdev->flags)) {
> > > > >           if (ncmd) {
> > > >
> > > > so this is conflicting with the patch introducing the ncmd timeout handling.
> > > >
> > > My patch specifically addresses the issue observed in case of NOP command.
> > > It prevents the issue by handling NOP same as any other SIG command.
> > >
> > > It looks commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4 tries to
> > > recover when controller goes bad.
> > >
> >
> > Do you have any further comments here ? Waiting for your input.
> >
> > > > commit de75cd0d9b2f3250d5f25846bb5632ccce6275f4
> > > > Author: Manish Mandlik <mailto:mmandlik@google.com>
> > > > Date:   Thu Apr 29 10:24:22 2021 -0700
> > > >
> > > >     Bluetooth: Add ncmd=0 recovery handling
> > > >
> > > >     During command status or command complete event, the controller
> > > > may set
> > > >     ncmd=0 indicating that it is not accepting any more commands. In such a
> > > >     case, host holds off sending any more commands to the controller. If the
> > > >     controller doesn't recover from such condition, host will wait forever,
> > > >     until the user decides that the Bluetooth is broken and may power cycles
> > > >     the Bluetooth.
> > > >
> > > >     This patch triggers the hardware error to reset the controller and
> > > >     driver when it gets into such state as there is no other wat out.
> > > >
> > > > Nowhere in your commit description you are addressing why is this the
> > > > right to do.
> > > >
> > >
> > > Will fix it in the next version if you are OK with the current fix. Please let me
> > > know.
> 
> Can you confirm this change doesn't break your patch above?
> 
> > >
> > > > Regards
> > > >
> > > > Marcel
> > >
> > > Thanks,
> > > Kiran
> >
> > Thanks,
> > Kiran
> >
> >
> 
> 
> -- 
> Luiz Augusto von Dentz
>

Regards,
Kiran