* [PATCH v2 0/3] Bluetooth: ISO-related concurrency fixes
@ 2023-06-13 18:06 Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Pauli Virtanen
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Pauli Virtanen @ 2023-06-13 18:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
This series addresses some concurrency issues (NULL / GPF) in ISO
sockets or related.
v2:
- Use RCU for the pend_le_* lists, avoid using hci_dev_lock.
- Always call disconn_cfm before hci_conn_del (L2CAP also needs it).
These were found while testing patches that make hci_le_set_cig_params
check the validity of the configuration and return false if incorrect.
This causes dropping of hci_conn just created, which apparently makes
hitting race conditions easier.
The test setup was primitive
while true; do bluetoothctl power on; sleep 12; bluetoothctl power off; sleep 1.5; bluetoothctl power off; sleep 2.5; done;
while true; do sudo systemctl restart bluetooth; sleep 110; done
while true; do systemctl --user restart pipewire wireplumber pipewire-pulse; sleep 91; done
while true; do paplay sample.flac & sleep 2; kill %1; sleep 0.7; done
and equivalent operations manually, on VM + connect to TWS earbuds. This
eventually hit the NULL / GFP errors here, but they are hard to
reproduce aside from the first one that appears in iso-tester.
Pauli Virtanen (3):
Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
Bluetooth: hci_event: call disconnect callback before deleting conn
Bluetooth: ISO: fix iso_conn related locking and validity issues
include/net/bluetooth/hci_core.h | 5 ++
net/bluetooth/hci_conn.c | 9 ++--
net/bluetooth/hci_core.c | 34 +++++++++---
net/bluetooth/hci_event.c | 15 +++---
net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
net/bluetooth/iso.c | 53 ++++++++++--------
net/bluetooth/mgmt.c | 30 +++++------
7 files changed, 175 insertions(+), 64 deletions(-)
--
2.40.1
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-13 18:06 [PATCH v2 0/3] Bluetooth: ISO-related concurrency fixes Pauli Virtanen
@ 2023-06-13 18:06 ` Pauli Virtanen
2023-06-13 18:35 ` Bluetooth: ISO-related concurrency fixes bluez.test.bot
2023-06-13 19:04 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Luiz Augusto von Dentz
2023-06-13 18:06 ` [PATCH v2 2/3] Bluetooth: hci_event: call disconnect callback before deleting conn Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 3/3] Bluetooth: ISO: fix iso_conn related locking and validity issues Pauli Virtanen
2 siblings, 2 replies; 11+ messages in thread
From: Pauli Virtanen @ 2023-06-13 18:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
hci_update_accept_list_sync iterates over hdev->pend_le_conns and
hdev->pend_le_reports, and waits for controller events in the loop body,
without holding hdev lock.
Meanwhile, these lists and the items may be modified e.g. by
le_scan_cleanup. This can invalidate the list cursor in the ongoing
iterations, resulting to invalid behavior (eg use-after-free).
Use RCU for the hci_conn_params action lists. Since the loop bodies in
hci_sync block and we cannot use RCU for the whole loop, add
hci_conn_params.add_pending to keep track which items are left. Copy
data to avoid needing lock on hci_conn_params. Only the flags field is
written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
valid values.
Free params everywhere with hci_conn_params_free so the cleanup is
guaranteed to be done properly.
This fixes the following, which can be triggered at least by changing
hci_le_set_cig_params to always return false, and running BlueZ
iso-tester, which causes connections to be created and dropped fast:
==================================================================
BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
kasan_report (mm/kasan/report.c:538)
? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
? mutex_lock (kernel/locking/mutex.c:282)
? __pfx_mutex_lock (kernel/locking/mutex.c:282)
? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
? __pfx_worker_thread (kernel/workqueue.c:2480)
kthread (kernel/kthread.c:376)
? __pfx_kthread (kernel/kthread.c:331)
ret_from_fork (arch/x86/entry/entry_64.S:314)
</TASK>
Allocated by task 31:
kasan_save_stack (mm/kasan/common.c:46)
kasan_set_track (mm/kasan/common.c:52)
__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
hci_connect_cis (net/bluetooth/hci_conn.c:2266)
iso_connect_cis (net/bluetooth/iso.c:390)
iso_sock_connect (net/bluetooth/iso.c:899)
__sys_connect (net/socket.c:2003 net/socket.c:2020)
__x64_sys_connect (net/socket.c:2027)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
Freed by task 15:
kasan_save_stack (mm/kasan/common.c:46)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/generic.c:523)
__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
hci_conn_params_del (net/bluetooth/hci_core.c:2323)
le_scan_cleanup (net/bluetooth/hci_conn.c:202)
process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
kthread (kernel/kthread.c:376)
ret_from_fork (arch/x86/entry/entry_64.S:314)
==================================================================
Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
v2: use RCU
include/net/bluetooth/hci_core.h | 5 ++
net/bluetooth/hci_conn.c | 9 ++--
net/bluetooth/hci_core.c | 34 +++++++++---
net/bluetooth/hci_event.c | 12 ++---
net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
net/bluetooth/mgmt.c | 30 +++++------
6 files changed, 141 insertions(+), 42 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 683666ea210c..8c6ac6d29c62 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -822,6 +822,8 @@ struct hci_conn_params {
struct hci_conn *conn;
bool explicit_connect;
+ /* Accessed without hdev->lock: */
+ bool add_pending;
hci_conn_flags_t flags;
u8 privacy_mode;
};
@@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
bdaddr_t *addr, u8 addr_type);
void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
void hci_conn_params_clear_disabled(struct hci_dev *hdev);
+void hci_conn_params_free(struct hci_conn_params *param);
+void hci_conn_params_set_pending(struct hci_conn_params *param,
+ struct list_head *list);
struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
bdaddr_t *addr,
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 7d4941e6dbdf..ae9a35d1405b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
*/
params->explicit_connect = false;
- list_del_init(¶ms->action);
+ hci_conn_params_set_pending(params, NULL);
switch (params->auto_connect) {
case HCI_AUTO_CONN_EXPLICIT:
@@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
return;
case HCI_AUTO_CONN_DIRECT:
case HCI_AUTO_CONN_ALWAYS:
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params, &hdev->pend_le_conns);
break;
case HCI_AUTO_CONN_REPORT:
- list_add(¶ms->action, &hdev->pend_le_reports);
+ hci_conn_params_set_pending(params, &hdev->pend_le_reports);
break;
default:
break;
@@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
params->auto_connect == HCI_AUTO_CONN_REPORT ||
params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
- list_del_init(¶ms->action);
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params, &hdev->pend_le_conns);
}
params->explicit_connect = true;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 48917c68358d..7992a61fe1fd 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
return NULL;
}
-/* This function requires the caller holds hdev->lock */
+/* This function requires the caller holds hdev->lock or rcu_read_lock */
struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
bdaddr_t *addr, u8 addr_type)
{
struct hci_conn_params *param;
- list_for_each_entry(param, list, action) {
+ rcu_read_lock();
+
+ list_for_each_entry_rcu(param, list, action) {
if (bacmp(¶m->addr, addr) == 0 &&
- param->addr_type == addr_type)
+ param->addr_type == addr_type) {
+ rcu_read_unlock();
return param;
+ }
}
+ rcu_read_unlock();
+
return NULL;
}
+/* This function requires the caller holds hdev->lock */
+void hci_conn_params_set_pending(struct hci_conn_params *param,
+ struct list_head *list)
+{
+ if (!list_empty(¶m->action)) {
+ list_del_rcu(¶m->action);
+ synchronize_rcu();
+ INIT_LIST_HEAD(¶m->action);
+ }
+
+ if (list)
+ list_add_rcu(¶m->action, list);
+}
+
/* This function requires the caller holds hdev->lock */
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
bdaddr_t *addr, u8 addr_type)
@@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
return params;
}
-static void hci_conn_params_free(struct hci_conn_params *params)
+void hci_conn_params_free(struct hci_conn_params *params)
{
+ hci_conn_params_set_pending(params, NULL);
+
if (params->conn) {
hci_conn_drop(params->conn);
hci_conn_put(params->conn);
}
- list_del(¶ms->action);
list_del(¶ms->list);
kfree(params);
}
@@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
continue;
}
- list_del(¶ms->list);
- kfree(params);
+ hci_conn_params_free(params);
}
BT_DBG("All LE disabled connection parameters were removed");
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 7c199f7361f7..8187c9f827fa 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
if (params)
- params->privacy_mode = cp->mode;
+ WRITE_ONCE(params->privacy_mode, cp->mode);
hci_dev_unlock(hdev);
@@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
case HCI_AUTO_CONN_DIRECT:
case HCI_AUTO_CONN_ALWAYS:
- list_del_init(¶ms->action);
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params,
+ &hdev->pend_le_conns);
break;
default:
@@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
case HCI_AUTO_CONN_DIRECT:
case HCI_AUTO_CONN_ALWAYS:
- list_del_init(¶ms->action);
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params,
+ &hdev->pend_le_conns);
hci_update_passive_scan(hdev);
break;
@@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
conn->dst_type);
if (params) {
- list_del_init(¶ms->action);
+ hci_conn_params_set_pending(params, NULL);
if (params->conn) {
hci_conn_drop(params->conn);
hci_conn_put(params->conn);
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 97da5bcaa904..da12e286ee64 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
return 0;
}
+struct conn_params {
+ bdaddr_t addr;
+ u8 addr_type;
+ hci_conn_flags_t flags;
+ u8 privacy_mode;
+};
+
/* Adds connection to resolve list if needed.
* Setting params to NULL programs local hdev->irk
*/
static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
- struct hci_conn_params *params)
+ struct conn_params *params)
{
struct hci_cp_le_add_to_resolv_list cp;
struct smp_irk *irk;
struct bdaddr_list_with_irk *entry;
+ struct hci_conn_params *p;
if (!use_ll_privacy(hdev))
return 0;
@@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
/* Default privacy mode is always Network */
params->privacy_mode = HCI_NETWORK_PRIVACY;
+ rcu_read_lock();
+ p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
+ ¶ms->addr, params->addr_type);
+ if (!p)
+ p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
+ ¶ms->addr, params->addr_type);
+ if (p)
+ WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
+ rcu_read_unlock();
+
done:
if (hci_dev_test_flag(hdev, HCI_PRIVACY))
memcpy(cp.local_irk, hdev->irk, 16);
@@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
/* Set Device Privacy Mode. */
static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
- struct hci_conn_params *params)
+ struct conn_params *params)
{
struct hci_cp_le_set_privacy_mode cp;
struct smp_irk *irk;
@@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
bacpy(&cp.bdaddr, &irk->bdaddr);
cp.mode = HCI_DEVICE_PRIVACY;
+ /* Note: params->privacy_mode is not updated since it is a copy */
+
return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
sizeof(cp), &cp, HCI_CMD_TIMEOUT);
}
@@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
* properly set the privacy mode.
*/
static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
- struct hci_conn_params *params,
+ struct conn_params *params,
u8 *num_entries)
{
struct hci_cp_le_add_to_accept_list cp;
@@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
}
+static void conn_params_add_iter_init(struct list_head *list)
+{
+ struct hci_conn_params *params;
+
+ rcu_read_lock();
+
+ list_for_each_entry_rcu(params, list, action)
+ params->add_pending = true;
+
+ rcu_read_unlock();
+}
+
+static bool conn_params_add_iter_next(struct list_head *list,
+ struct conn_params *item)
+{
+ struct hci_conn_params *params;
+
+ rcu_read_lock();
+
+ list_for_each_entry_rcu(params, list, action) {
+ if (!params->add_pending)
+ continue;
+
+ /* No hdev->lock, but: addr, addr_type are immutable.
+ * privacy_mode is only written by us or in
+ * hci_cc_le_set_privacy_mode that we wait for.
+ * We should be idempotent so MGMT updating flags
+ * while we are processing is OK.
+ */
+ bacpy(&item->addr, ¶ms->addr);
+ item->addr_type = params->addr_type;
+ item->flags = READ_ONCE(params->flags);
+ item->privacy_mode = READ_ONCE(params->privacy_mode);
+
+ params->add_pending = false;
+
+ rcu_read_unlock();
+ return true;
+ }
+
+ rcu_read_unlock();
+
+ return false;
+}
+
/* Device must not be scanning when updating the accept list.
*
* Update is done using the following sequence:
@@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
*/
static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
{
- struct hci_conn_params *params;
+ struct conn_params params;
struct bdaddr_list *b, *t;
u8 num_entries = 0;
bool pend_conn, pend_report;
@@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
continue;
+ /* Pointers not dereferenced, no locks needed */
pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
&b->bdaddr,
b->bdaddr_type);
@@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
* available accept list entries in the controller, then
* just abort and return filer policy value to not use the
* accept list.
+ *
+ * The list and params may be mutated while we wait for events,
+ * so use special iteration with copies.
*/
- list_for_each_entry(params, &hdev->pend_le_conns, action) {
- err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
+
+ conn_params_add_iter_init(&hdev->pend_le_conns);
+
+ while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
+ err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
if (err)
goto done;
}
@@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
* the list of pending reports and also add these to the
* accept list if there is still space. Abort if space runs out.
*/
- list_for_each_entry(params, &hdev->pend_le_reports, action) {
- err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
+
+ conn_params_add_iter_init(&hdev->pend_le_reports);
+
+ while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
+ err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
if (err)
goto done;
}
@@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
struct hci_conn_params *p;
list_for_each_entry(p, &hdev->le_conn_params, list) {
+ hci_conn_params_set_pending(p, NULL);
if (p->conn) {
hci_conn_drop(p->conn);
hci_conn_put(p->conn);
p->conn = NULL;
}
- list_del_init(&p->action);
}
BT_DBG("All LE pending actions cleared");
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 61c8e1b8f3b0..b35b1c685b86 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
/* Needed for AUTO_OFF case where might not "really"
* have been powered off.
*/
- list_del_init(&p->action);
+ hci_conn_params_set_pending(p, NULL);
switch (p->auto_connect) {
case HCI_AUTO_CONN_DIRECT:
case HCI_AUTO_CONN_ALWAYS:
- list_add(&p->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(p, &hdev->pend_le_conns);
break;
case HCI_AUTO_CONN_REPORT:
- list_add(&p->action, &hdev->pend_le_reports);
+ hci_conn_params_set_pending(p, &hdev->pend_le_reports);
break;
default:
break;
@@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
goto unlock;
}
- params->flags = current_flags;
+ WRITE_ONCE(params->flags, current_flags);
status = MGMT_STATUS_SUCCESS;
/* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
@@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
if (params->auto_connect == auto_connect)
return 0;
- list_del_init(¶ms->action);
+ hci_conn_params_set_pending(params, NULL);
switch (auto_connect) {
case HCI_AUTO_CONN_DISABLED:
@@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
* connect to device, keep connecting.
*/
if (params->explicit_connect)
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params,
+ &hdev->pend_le_conns);
break;
case HCI_AUTO_CONN_REPORT:
if (params->explicit_connect)
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params,
+ &hdev->pend_le_conns);
else
- list_add(¶ms->action, &hdev->pend_le_reports);
+ hci_conn_params_set_pending(params,
+ &hdev->pend_le_reports);
break;
case HCI_AUTO_CONN_DIRECT:
case HCI_AUTO_CONN_ALWAYS:
if (!is_connected(hdev, addr, addr_type))
- list_add(¶ms->action, &hdev->pend_le_conns);
+ hci_conn_params_set_pending(params,
+ &hdev->pend_le_conns);
break;
}
@@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
goto unlock;
}
- list_del(¶ms->action);
- list_del(¶ms->list);
- kfree(params);
+ hci_conn_params_free(params);
device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
} else {
@@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
continue;
}
- list_del(&p->action);
- list_del(&p->list);
- kfree(p);
+ hci_conn_params_free(p);
}
bt_dev_dbg(hdev, "All LE connection parameters were removed");
--
2.40.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v2 2/3] Bluetooth: hci_event: call disconnect callback before deleting conn
2023-06-13 18:06 [PATCH v2 0/3] Bluetooth: ISO-related concurrency fixes Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Pauli Virtanen
@ 2023-06-13 18:06 ` Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 3/3] Bluetooth: ISO: fix iso_conn related locking and validity issues Pauli Virtanen
2 siblings, 0 replies; 11+ messages in thread
From: Pauli Virtanen @ 2023-06-13 18:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
ISO, L2CAP and SCO connections refer to the hci_conn without
hci_conn_get, so disconn_cfm must be called so they can clean up their
conn, otherwise use-after-free occurs.
ISO:
==========================================================
iso_sock_connect:880: sk 00000000eabd6557
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
hci_dev_put:1487: hci0 orig refcnt 17
__iso_chan_add:214: conn 00000000b6251073
iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
...
hci_rx_work:4085: hci0 Event packet
hci_event_packet:7601: hci0: event 0x0f
hci_cmd_status_evt:4346: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3107: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
hci_chan_list_flush:2780: hcon 000000001696f1fd
hci_dev_put:1487: hci0 orig refcnt 21
hci_dev_put:1487: hci0 orig refcnt 20
hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
... <no iso_* activity on sk/conn> ...
iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
BUG: kernel NULL pointer dereference, address: 0000000000000668
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
==========================================================
L2CAP:
==================================================================
hci_cmd_status_evt:4359: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3085: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
hci_conn_unlink:1102: hci0: hcon ffff88800c999000
hci_chan_list_flush:2780: hcon ffff88800c999000
hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
...
BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xf8/0x180
? hci_send_acl+0x2d/0x540 [bluetooth]
kasan_report+0xa8/0xe0
? hci_send_acl+0x2d/0x540 [bluetooth]
hci_send_acl+0x2d/0x540 [bluetooth]
? __pfx___lock_acquire+0x10/0x10
l2cap_chan_send+0x1fd/0x1300 [bluetooth]
? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? mark_held_locks+0x1a/0x90
l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
sock_write_iter+0x275/0x280
? __pfx_sock_write_iter+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
do_iter_readv_writev+0x176/0x220
? __pfx_do_iter_readv_writev+0x10/0x10
? find_held_lock+0x83/0xa0
? selinux_file_permission+0x13e/0x210
do_iter_write+0xda/0x340
vfs_writev+0x1b4/0x400
? __pfx_vfs_writev+0x10/0x10
? __seccomp_filter+0x112/0x750
? populate_seccomp_data+0x182/0x220
? __fget_light+0xdf/0x100
? do_writev+0x19d/0x210
do_writev+0x19d/0x210
? __pfx_do_writev+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0x60/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
? do_syscall_64+0x6c/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7ff45cb23e64
Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
</TASK>
Allocated by task 771:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0xaa/0xb0
hci_chan_create+0x67/0x1b0 [bluetooth]
l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
hci_event_packet+0x38d/0x800 [bluetooth]
hci_rx_work+0x287/0xb20 [bluetooth]
process_one_work+0x4f7/0x970
worker_thread+0x8f/0x620
kthread+0x17f/0x1c0
ret_from_fork+0x2c/0x50
Freed by task 771:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
____kasan_slab_free+0x169/0x1c0
slab_free_freelist_hook+0x9e/0x1c0
__kmem_cache_free+0xc0/0x310
hci_chan_list_flush+0x46/0x90 [bluetooth]
hci_conn_cleanup+0x7d/0x330 [bluetooth]
hci_cs_disconnect+0x35d/0x530 [bluetooth]
hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
hci_event_packet+0x38d/0x800 [bluetooth]
hci_rx_work+0x287/0xb20 [bluetooth]
process_one_work+0x4f7/0x970
worker_thread+0x8f/0x620
kthread+0x17f/0x1c0
ret_from_fork+0x2c/0x50
==================================================================
Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
v2: call disconn_cfm for all conn types, as L2CAP also crashes.
Correct commit in Fixes tag.
net/bluetooth/hci_event.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 8187c9f827fa..a6dabc5b6fad 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2784,6 +2784,9 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
hci_enable_advertising(hdev);
}
+ /* Inform sockets conn is gone before we delete it */
+ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
+
goto done;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v2 3/3] Bluetooth: ISO: fix iso_conn related locking and validity issues
2023-06-13 18:06 [PATCH v2 0/3] Bluetooth: ISO-related concurrency fixes Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 2/3] Bluetooth: hci_event: call disconnect callback before deleting conn Pauli Virtanen
@ 2023-06-13 18:06 ` Pauli Virtanen
2 siblings, 0 replies; 11+ messages in thread
From: Pauli Virtanen @ 2023-06-13 18:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations
that check/update sk_state and access conn should hold lock_sock,
otherwise they can race.
The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,
which is how it is in connect/disconnect_cfm -> iso_conn_del ->
iso_chan_del.
Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock
around updating sk_state and conn.
iso_conn_del must not occur during iso_connect_cis/bis, as it frees the
iso_conn. Hold hdev->lock longer to prevent that.
This should not reintroduce the issue fixed in commit 241f51931c35
("Bluetooth: ISO: Avoid circular locking dependency"), since the we
acquire locks in order. We retain the fix in iso_sock_connect to release
lock_sock before iso_connect_* acquires hdev->lock.
Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible
circular locking dependency"). We retain the fix in iso_conn_ready to
not acquire iso_conn_lock before lock_sock.
iso_conn_add shall return iso_conn with valid hcon. Make it so also when
reusing an old CIS connection waiting for disconnect timeout (see
__iso_sock_close where conn->hcon is set to NULL).
Trace with iso_conn_del after iso_chan_add in iso_connect_cis:
===============================================================
iso_sock_create:771: sock 00000000be9b69b7
iso_sock_init:693: sk 000000004dff667e
iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1
iso_sock_setsockopt:1289: sk 000000004dff667e
iso_sock_setsockopt:1289: sk 000000004dff667e
iso_sock_setsockopt:1289: sk 000000004dff667e
iso_sock_connect:875: sk 000000004dff667e
iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da
iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e
__iso_chan_add:214: conn 00000000daf8625e
iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12
iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16
iso_sock_clear_timer:117: sock 000000004dff667e state 3
<Note: sk_state is BT_BOUND (3), so iso_connect_cis is still
running at this point>
iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16
hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535
hci_conn_unlink:1102: hci0: hcon 000000007b65d182
hci_chan_list_flush:2780: hcon 000000007b65d182
iso_sock_getsockopt:1376: sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_getsockopt:1376: sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1
__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7
<Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets
BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it
must be that iso_chan_del occurred between iso_chan_add and end of
iso_connect_cis.>
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth
===============================================================
Trace with iso_conn_del before iso_chan_add in iso_connect_cis:
===============================================================
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504
hci_dev_put:1487: hci0 orig refcnt 21
hci_event_packet:7607: hci0: event 0x0e
hci_cmd_complete_evt:4231: hci0: opcode 0x2062
hci_cc_le_set_cig_params:3846: hci0: status 0x07
hci_sent_cmd_data:3107: hci0 opcode 0x2062
iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7
iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12
hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535
hci_conn_unlink:1102: hci0: hcon 0000000093bc551f
hci_chan_list_flush:2780: hcon 0000000093bc551f
__iso_chan_add:214: conn 00000000768ae504
<Note: this conn was already freed in iso_conn_del above>
iso_sock_clear_timer:117: sock 0000000098323f95 state 3
general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G E 6.3.0-rc7+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:detach_if_pending+0x28/0xd0
Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <>
RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007
RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000
RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88
R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80
R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338
FS: 00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0
Call Trace:
<TASK>
timer_delete+0x48/0x80
try_to_grab_pending+0xdf/0x170
__cancel_work+0x37/0xb0
iso_connect_cis+0x141/0x400 [bluetooth]
===============================================================
Trace with NULL conn->hcon in state BT_CONNECT:
===============================================================
__iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5
...
__iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5
iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104
...
iso_sock_connect:862: sk 00000000129b56c3
iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
hci_dev_hold:1495: hci0 orig refcnt 19
__iso_chan_add:214: conn 0000000022c03a7e
<Note: reusing old conn>
iso_sock_clear_timer:117: sock 00000000129b56c3 state 3
...
iso_sock_ready:1485: sk 00000000129b56c3
...
iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3
BUG: kernel NULL pointer dereference, address: 00000000000006a8
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 1403 Comm: wireplumber Tainted: G E 6.3.0-rc7+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth]
===============================================================
Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency")
Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
v2: no changes
Don't have a clean reproducer, but these occur sometimes on
bluetooth-next/master when sending data over ISO and disconnecting +
reconnecting immediately, although the timing window required for these
to occur is not so wide.
These appear to be somewhat more easily reproduced if
hci_le_set_cig_params is changed to return errors if CIG is busy.
Enabling printks also seems to help.
net/bluetooth/iso.c | 53 ++++++++++++++++++++++++++-------------------
1 file changed, 31 insertions(+), 22 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index b9a008fd10b1..8f570ab66ae7 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -123,8 +123,11 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
{
struct iso_conn *conn = hcon->iso_data;
- if (conn)
+ if (conn) {
+ if (!conn->hcon)
+ conn->hcon = hcon;
return conn;
+ }
conn = kzalloc(sizeof(*conn), GFP_KERNEL);
if (!conn)
@@ -311,14 +314,13 @@ static int iso_connect_bis(struct sock *sk)
goto unlock;
}
- hci_dev_unlock(hdev);
- hci_dev_put(hdev);
+ lock_sock(sk);
err = iso_chan_add(conn, sk, NULL);
- if (err)
- return err;
-
- lock_sock(sk);
+ if (err) {
+ release_sock(sk);
+ goto unlock;
+ }
/* Update source addr of the socket */
bacpy(&iso_pi(sk)->src, &hcon->src);
@@ -335,7 +337,6 @@ static int iso_connect_bis(struct sock *sk)
}
release_sock(sk);
- return err;
unlock:
hci_dev_unlock(hdev);
@@ -403,14 +404,13 @@ static int iso_connect_cis(struct sock *sk)
goto unlock;
}
- hci_dev_unlock(hdev);
- hci_dev_put(hdev);
+ lock_sock(sk);
err = iso_chan_add(conn, sk, NULL);
- if (err)
- return err;
-
- lock_sock(sk);
+ if (err) {
+ release_sock(sk);
+ goto unlock;
+ }
/* Update source addr of the socket */
bacpy(&iso_pi(sk)->src, &hcon->src);
@@ -427,7 +427,6 @@ static int iso_connect_cis(struct sock *sk)
}
release_sock(sk);
- return err;
unlock:
hci_dev_unlock(hdev);
@@ -1078,8 +1077,8 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
size_t len)
{
struct sock *sk = sock->sk;
- struct iso_conn *conn = iso_pi(sk)->conn;
struct sk_buff *skb, **frag;
+ size_t mtu;
int err;
BT_DBG("sock %p, sk %p", sock, sk);
@@ -1091,11 +1090,18 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
if (msg->msg_flags & MSG_OOB)
return -EOPNOTSUPP;
- if (sk->sk_state != BT_CONNECTED)
+ lock_sock(sk);
+
+ if (sk->sk_state != BT_CONNECTED) {
+ release_sock(sk);
return -ENOTCONN;
+ }
+
+ mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu;
+
+ release_sock(sk);
- skb = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu,
- HCI_ISO_DATA_HDR_SIZE, 0);
+ skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
if (IS_ERR(skb))
return PTR_ERR(skb);
@@ -1108,8 +1114,7 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
while (len) {
struct sk_buff *tmp;
- tmp = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu,
- 0, 0);
+ tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
if (IS_ERR(tmp)) {
kfree_skb(skb);
return PTR_ERR(tmp);
@@ -1164,15 +1169,19 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
BT_DBG("sk %p", sk);
if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
+ lock_sock(sk);
switch (sk->sk_state) {
case BT_CONNECT2:
- lock_sock(sk);
iso_conn_defer_accept(pi->conn->hcon);
sk->sk_state = BT_CONFIG;
release_sock(sk);
return 0;
case BT_CONNECT:
+ release_sock(sk);
return iso_connect_cis(sk);
+ default:
+ release_sock(sk);
+ break;
}
}
--
2.40.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* RE: Bluetooth: ISO-related concurrency fixes
2023-06-13 18:06 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Pauli Virtanen
@ 2023-06-13 18:35 ` bluez.test.bot
2023-06-13 19:04 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Luiz Augusto von Dentz
1 sibling, 0 replies; 11+ messages in thread
From: bluez.test.bot @ 2023-06-13 18:35 UTC (permalink / raw)
To: linux-bluetooth, pav
[-- Attachment #1: Type: text/plain, Size: 8249 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=756835
---Test result---
Test Summary:
CheckPatch FAIL 3.28 seconds
GitLint FAIL 1.12 seconds
SubjectPrefix PASS 0.25 seconds
BuildKernel PASS 31.85 seconds
CheckAllWarning PASS 35.68 seconds
CheckSparse WARNING 40.01 seconds
CheckSmatch WARNING 111.60 seconds
BuildKernel32 PASS 30.98 seconds
TestRunnerSetup PASS 445.96 seconds
TestRunner_l2cap-tester PASS 16.59 seconds
TestRunner_iso-tester PASS 23.20 seconds
TestRunner_bnep-tester PASS 5.37 seconds
TestRunner_mgmt-tester PASS 128.17 seconds
TestRunner_rfcomm-tester PASS 8.67 seconds
TestRunner_sco-tester PASS 8.00 seconds
TestRunner_ioctl-tester PASS 9.18 seconds
TestRunner_mesh-tester PASS 6.73 seconds
TestRunner_smp-tester PASS 7.85 seconds
TestRunner_userchan-tester PASS 5.63 seconds
IncrementalBuild PASS 40.87 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2,1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#105:
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
total: 0 errors, 1 warnings, 0 checks, 405 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13279139.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[v2,2/3] Bluetooth: hci_event: call disconnect callback before deleting conn
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#129:
CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
total: 0 errors, 1 warnings, 0 checks, 9 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13279137.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[v2,3/3] Bluetooth: ISO: fix iso_conn related locking and validity issues
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#120:
iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12
total: 0 errors, 1 warnings, 0 checks, 123 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13279138.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2,1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
26: B1 Line exceeds max length (155>80): "BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)"
29: B1 Line exceeds max length (81>80): "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
35: B1 Line exceeds max length (107>80): "? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)"
36: B1 Line exceeds max length (122>80): "? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)"
38: B1 Line exceeds max length (122>80): "? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)"
39: B1 Line exceeds max length (120>80): "hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)"
58: B1 Line exceeds max length (105>80): "hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)"
59: B1 Line exceeds max length (81>80): "hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)"
72: B1 Line exceeds max length (85>80): "__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)"
[v2,2/3] Bluetooth: hci_event: call disconnect callback before deleting conn
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
36: B1 Line exceeds max length (81>80): "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
54: B1 Line exceeds max length (81>80): "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
94: B1 Line exceeds max length (199>80): "Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89"
[v2,3/3] Bluetooth: ISO: fix iso_conn related locking and validity issues
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
68: B1 Line exceeds max length (81>80): "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
90: B1 Line exceeds max length (106>80): "general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI"
92: B1 Line exceeds max length (81>80): "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
94: B1 Line exceeds max length (134>80): "Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <>"
134: B1 Line exceeds max length (81>80): "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014"
143: B2 Line has trailing whitespace: " "
148: B2 Line has trailing whitespace: " "
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-13 18:06 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Pauli Virtanen
2023-06-13 18:35 ` Bluetooth: ISO-related concurrency fixes bluez.test.bot
@ 2023-06-13 19:04 ` Luiz Augusto von Dentz
2023-06-13 19:38 ` Luiz Augusto von Dentz
1 sibling, 1 reply; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-06-13 19:04 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Tue, Jun 13, 2023 at 11:17 AM Pauli Virtanen <pav@iki.fi> wrote:
>
> hci_update_accept_list_sync iterates over hdev->pend_le_conns and
> hdev->pend_le_reports, and waits for controller events in the loop body,
> without holding hdev lock.
>
> Meanwhile, these lists and the items may be modified e.g. by
> le_scan_cleanup. This can invalidate the list cursor in the ongoing
> iterations, resulting to invalid behavior (eg use-after-free).
>
> Use RCU for the hci_conn_params action lists. Since the loop bodies in
> hci_sync block and we cannot use RCU for the whole loop, add
> hci_conn_params.add_pending to keep track which items are left. Copy
> data to avoid needing lock on hci_conn_params. Only the flags field is
> written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
> valid values.
>
> Free params everywhere with hci_conn_params_free so the cleanup is
> guaranteed to be done properly.
>
> This fixes the following, which can be triggered at least by changing
> hci_le_set_cig_params to always return false, and running BlueZ
> iso-tester, which causes connections to be created and dropped fast:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
>
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> Workqueue: hci0 hci_cmd_sync_work
> Call Trace:
> <TASK>
> dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
> print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
> ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
> ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> kasan_report (mm/kasan/report.c:538)
> ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
> ? mutex_lock (kernel/locking/mutex.c:282)
> ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
> ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
> ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
> hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
> process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> ? __pfx_worker_thread (kernel/workqueue.c:2480)
> kthread (kernel/kthread.c:376)
> ? __pfx_kthread (kernel/kthread.c:331)
> ret_from_fork (arch/x86/entry/entry_64.S:314)
> </TASK>
>
> Allocated by task 31:
> kasan_save_stack (mm/kasan/common.c:46)
> kasan_set_track (mm/kasan/common.c:52)
> __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
> hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
> hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
> hci_connect_cis (net/bluetooth/hci_conn.c:2266)
> iso_connect_cis (net/bluetooth/iso.c:390)
> iso_sock_connect (net/bluetooth/iso.c:899)
> __sys_connect (net/socket.c:2003 net/socket.c:2020)
> __x64_sys_connect (net/socket.c:2027)
> do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>
> Freed by task 15:
> kasan_save_stack (mm/kasan/common.c:46)
> kasan_set_track (mm/kasan/common.c:52)
> kasan_save_free_info (mm/kasan/generic.c:523)
> __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
> __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
> hci_conn_params_del (net/bluetooth/hci_core.c:2323)
> le_scan_cleanup (net/bluetooth/hci_conn.c:202)
> process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> kthread (kernel/kthread.c:376)
> ret_from_fork (arch/x86/entry/entry_64.S:314)
> ==================================================================
>
> Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> ---
>
> Notes:
> v2: use RCU
Really nice work.
> include/net/bluetooth/hci_core.h | 5 ++
> net/bluetooth/hci_conn.c | 9 ++--
> net/bluetooth/hci_core.c | 34 +++++++++---
> net/bluetooth/hci_event.c | 12 ++---
> net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
> net/bluetooth/mgmt.c | 30 +++++------
> 6 files changed, 141 insertions(+), 42 deletions(-)
>
> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> index 683666ea210c..8c6ac6d29c62 100644
> --- a/include/net/bluetooth/hci_core.h
> +++ b/include/net/bluetooth/hci_core.h
> @@ -822,6 +822,8 @@ struct hci_conn_params {
>
> struct hci_conn *conn;
> bool explicit_connect;
> + /* Accessed without hdev->lock: */
> + bool add_pending;
That is the only part that Im a little uncorfortable with, are we
doing this because we can't do use the cmd_sync while holding RCU
lock? In that case couldn't we perhaps update the list? Also we could
perhaps add it as a flag rather than a separated field.
> hci_conn_flags_t flags;
> u8 privacy_mode;
> };
> @@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> bdaddr_t *addr, u8 addr_type);
> void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
> void hci_conn_params_clear_disabled(struct hci_dev *hdev);
> +void hci_conn_params_free(struct hci_conn_params *param);
> +void hci_conn_params_set_pending(struct hci_conn_params *param,
> + struct list_head *list);
>
> struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> bdaddr_t *addr,
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index 7d4941e6dbdf..ae9a35d1405b 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> */
> params->explicit_connect = false;
>
> - list_del_init(¶ms->action);
> + hci_conn_params_set_pending(params, NULL);
>
> switch (params->auto_connect) {
> case HCI_AUTO_CONN_EXPLICIT:
> @@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> return;
> case HCI_AUTO_CONN_DIRECT:
> case HCI_AUTO_CONN_ALWAYS:
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> break;
> case HCI_AUTO_CONN_REPORT:
> - list_add(¶ms->action, &hdev->pend_le_reports);
> + hci_conn_params_set_pending(params, &hdev->pend_le_reports);
> break;
> default:
> break;
> @@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
> if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
> params->auto_connect == HCI_AUTO_CONN_REPORT ||
> params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
> - list_del_init(¶ms->action);
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
Id just follow the name convention e.g. hci_conn_params_list_add,
hci_conn_params_list_del, etc.
> }
>
> params->explicit_connect = true;
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 48917c68358d..7992a61fe1fd 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
> return NULL;
> }
>
> -/* This function requires the caller holds hdev->lock */
> +/* This function requires the caller holds hdev->lock or rcu_read_lock */
> struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> bdaddr_t *addr, u8 addr_type)
> {
> struct hci_conn_params *param;
>
> - list_for_each_entry(param, list, action) {
> + rcu_read_lock();
> +
> + list_for_each_entry_rcu(param, list, action) {
> if (bacmp(¶m->addr, addr) == 0 &&
> - param->addr_type == addr_type)
> + param->addr_type == addr_type) {
> + rcu_read_unlock();
> return param;
> + }
> }
>
> + rcu_read_unlock();
> +
> return NULL;
> }
>
> +/* This function requires the caller holds hdev->lock */
> +void hci_conn_params_set_pending(struct hci_conn_params *param,
> + struct list_head *list)
> +{
> + if (!list_empty(¶m->action)) {
> + list_del_rcu(¶m->action);
> + synchronize_rcu();
> + INIT_LIST_HEAD(¶m->action);
> + }
> +
> + if (list)
> + list_add_rcu(¶m->action, list);
> +}
> +
> /* This function requires the caller holds hdev->lock */
> struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> bdaddr_t *addr, u8 addr_type)
> @@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> return params;
> }
>
> -static void hci_conn_params_free(struct hci_conn_params *params)
> +void hci_conn_params_free(struct hci_conn_params *params)
> {
> + hci_conn_params_set_pending(params, NULL);
> +
> if (params->conn) {
> hci_conn_drop(params->conn);
> hci_conn_put(params->conn);
> }
>
> - list_del(¶ms->action);
> list_del(¶ms->list);
> kfree(params);
> }
> @@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
> continue;
> }
>
> - list_del(¶ms->list);
> - kfree(params);
> + hci_conn_params_free(params);
> }
>
> BT_DBG("All LE disabled connection parameters were removed");
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 7c199f7361f7..8187c9f827fa 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
>
> params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
> if (params)
> - params->privacy_mode = cp->mode;
> + WRITE_ONCE(params->privacy_mode, cp->mode);
>
> hci_dev_unlock(hdev);
>
> @@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
>
> case HCI_AUTO_CONN_DIRECT:
> case HCI_AUTO_CONN_ALWAYS:
> - list_del_init(¶ms->action);
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params,
> + &hdev->pend_le_conns);
> break;
>
> default:
> @@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
>
> case HCI_AUTO_CONN_DIRECT:
> case HCI_AUTO_CONN_ALWAYS:
> - list_del_init(¶ms->action);
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params,
> + &hdev->pend_le_conns);
> hci_update_passive_scan(hdev);
> break;
>
> @@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
> params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
> conn->dst_type);
> if (params) {
> - list_del_init(¶ms->action);
> + hci_conn_params_set_pending(params, NULL);
> if (params->conn) {
> hci_conn_drop(params->conn);
> hci_conn_put(params->conn);
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 97da5bcaa904..da12e286ee64 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
> return 0;
> }
>
> +struct conn_params {
> + bdaddr_t addr;
> + u8 addr_type;
> + hci_conn_flags_t flags;
> + u8 privacy_mode;
> +};
> +
> /* Adds connection to resolve list if needed.
> * Setting params to NULL programs local hdev->irk
> */
> static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> - struct hci_conn_params *params)
> + struct conn_params *params)
> {
> struct hci_cp_le_add_to_resolv_list cp;
> struct smp_irk *irk;
> struct bdaddr_list_with_irk *entry;
> + struct hci_conn_params *p;
>
> if (!use_ll_privacy(hdev))
> return 0;
> @@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> /* Default privacy mode is always Network */
> params->privacy_mode = HCI_NETWORK_PRIVACY;
>
> + rcu_read_lock();
> + p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> + ¶ms->addr, params->addr_type);
> + if (!p)
> + p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
> + ¶ms->addr, params->addr_type);
> + if (p)
> + WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
> + rcu_read_unlock();
> +
> done:
> if (hci_dev_test_flag(hdev, HCI_PRIVACY))
> memcpy(cp.local_irk, hdev->irk, 16);
> @@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
>
> /* Set Device Privacy Mode. */
> static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> - struct hci_conn_params *params)
> + struct conn_params *params)
> {
> struct hci_cp_le_set_privacy_mode cp;
> struct smp_irk *irk;
> @@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> bacpy(&cp.bdaddr, &irk->bdaddr);
> cp.mode = HCI_DEVICE_PRIVACY;
>
> + /* Note: params->privacy_mode is not updated since it is a copy */
> +
> return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
> sizeof(cp), &cp, HCI_CMD_TIMEOUT);
> }
> @@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> * properly set the privacy mode.
> */
> static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
> - struct hci_conn_params *params,
> + struct conn_params *params,
> u8 *num_entries)
> {
> struct hci_cp_le_add_to_accept_list cp;
> @@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
> }
>
> +static void conn_params_add_iter_init(struct list_head *list)
> +{
> + struct hci_conn_params *params;
> +
> + rcu_read_lock();
> +
> + list_for_each_entry_rcu(params, list, action)
> + params->add_pending = true;
> +
> + rcu_read_unlock();
> +}
> +
> +static bool conn_params_add_iter_next(struct list_head *list,
> + struct conn_params *item)
> +{
> + struct hci_conn_params *params;
> +
> + rcu_read_lock();
> +
> + list_for_each_entry_rcu(params, list, action) {
> + if (!params->add_pending)
> + continue;
> +
> + /* No hdev->lock, but: addr, addr_type are immutable.
> + * privacy_mode is only written by us or in
> + * hci_cc_le_set_privacy_mode that we wait for.
> + * We should be idempotent so MGMT updating flags
> + * while we are processing is OK.
> + */
> + bacpy(&item->addr, ¶ms->addr);
> + item->addr_type = params->addr_type;
> + item->flags = READ_ONCE(params->flags);
> + item->privacy_mode = READ_ONCE(params->privacy_mode);
> +
> + params->add_pending = false;
> +
> + rcu_read_unlock();
> + return true;
> + }
> +
> + rcu_read_unlock();
> +
> + return false;
> +}
> +
> /* Device must not be scanning when updating the accept list.
> *
> * Update is done using the following sequence:
> @@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> */
> static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> {
> - struct hci_conn_params *params;
> + struct conn_params params;
> struct bdaddr_list *b, *t;
> u8 num_entries = 0;
> bool pend_conn, pend_report;
> @@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
> continue;
>
> + /* Pointers not dereferenced, no locks needed */
> pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> &b->bdaddr,
> b->bdaddr_type);
> @@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> * available accept list entries in the controller, then
> * just abort and return filer policy value to not use the
> * accept list.
> + *
> + * The list and params may be mutated while we wait for events,
> + * so use special iteration with copies.
> */
> - list_for_each_entry(params, &hdev->pend_le_conns, action) {
> - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> +
> + conn_params_add_iter_init(&hdev->pend_le_conns);
> +
> + while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
> + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> if (err)
> goto done;
> }
> @@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> * the list of pending reports and also add these to the
> * accept list if there is still space. Abort if space runs out.
> */
> - list_for_each_entry(params, &hdev->pend_le_reports, action) {
> - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> +
> + conn_params_add_iter_init(&hdev->pend_le_reports);
> +
> + while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
> + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> if (err)
> goto done;
> }
> @@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
> struct hci_conn_params *p;
>
> list_for_each_entry(p, &hdev->le_conn_params, list) {
> + hci_conn_params_set_pending(p, NULL);
> if (p->conn) {
> hci_conn_drop(p->conn);
> hci_conn_put(p->conn);
> p->conn = NULL;
> }
> - list_del_init(&p->action);
> }
>
> BT_DBG("All LE pending actions cleared");
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index 61c8e1b8f3b0..b35b1c685b86 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
> /* Needed for AUTO_OFF case where might not "really"
> * have been powered off.
> */
> - list_del_init(&p->action);
> + hci_conn_params_set_pending(p, NULL);
>
> switch (p->auto_connect) {
> case HCI_AUTO_CONN_DIRECT:
> case HCI_AUTO_CONN_ALWAYS:
> - list_add(&p->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(p, &hdev->pend_le_conns);
> break;
> case HCI_AUTO_CONN_REPORT:
> - list_add(&p->action, &hdev->pend_le_reports);
> + hci_conn_params_set_pending(p, &hdev->pend_le_reports);
> break;
> default:
> break;
> @@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
> goto unlock;
> }
>
> - params->flags = current_flags;
> + WRITE_ONCE(params->flags, current_flags);
> status = MGMT_STATUS_SUCCESS;
>
> /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
> @@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> if (params->auto_connect == auto_connect)
> return 0;
>
> - list_del_init(¶ms->action);
> + hci_conn_params_set_pending(params, NULL);
>
> switch (auto_connect) {
> case HCI_AUTO_CONN_DISABLED:
> @@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> * connect to device, keep connecting.
> */
> if (params->explicit_connect)
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params,
> + &hdev->pend_le_conns);
> break;
> case HCI_AUTO_CONN_REPORT:
> if (params->explicit_connect)
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params,
> + &hdev->pend_le_conns);
> else
> - list_add(¶ms->action, &hdev->pend_le_reports);
> + hci_conn_params_set_pending(params,
> + &hdev->pend_le_reports);
> break;
> case HCI_AUTO_CONN_DIRECT:
> case HCI_AUTO_CONN_ALWAYS:
> if (!is_connected(hdev, addr, addr_type))
> - list_add(¶ms->action, &hdev->pend_le_conns);
> + hci_conn_params_set_pending(params,
> + &hdev->pend_le_conns);
> break;
> }
>
> @@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> goto unlock;
> }
>
> - list_del(¶ms->action);
> - list_del(¶ms->list);
> - kfree(params);
> + hci_conn_params_free(params);
>
> device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
> } else {
> @@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
> continue;
> }
> - list_del(&p->action);
> - list_del(&p->list);
> - kfree(p);
> + hci_conn_params_free(p);
> }
>
> bt_dev_dbg(hdev, "All LE connection parameters were removed");
> --
> 2.40.1
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-13 19:04 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Luiz Augusto von Dentz
@ 2023-06-13 19:38 ` Luiz Augusto von Dentz
2023-06-13 23:07 ` Pauli Virtanen
0 siblings, 1 reply; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-06-13 19:38 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Tue, Jun 13, 2023 at 12:04 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Pauli,
>
> On Tue, Jun 13, 2023 at 11:17 AM Pauli Virtanen <pav@iki.fi> wrote:
> >
> > hci_update_accept_list_sync iterates over hdev->pend_le_conns and
> > hdev->pend_le_reports, and waits for controller events in the loop body,
> > without holding hdev lock.
> >
> > Meanwhile, these lists and the items may be modified e.g. by
> > le_scan_cleanup. This can invalidate the list cursor in the ongoing
> > iterations, resulting to invalid behavior (eg use-after-free).
> >
> > Use RCU for the hci_conn_params action lists. Since the loop bodies in
> > hci_sync block and we cannot use RCU for the whole loop, add
> > hci_conn_params.add_pending to keep track which items are left. Copy
> > data to avoid needing lock on hci_conn_params. Only the flags field is
> > written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
> > valid values.
> >
> > Free params everywhere with hci_conn_params_free so the cleanup is
> > guaranteed to be done properly.
> >
> > This fixes the following, which can be triggered at least by changing
> > hci_le_set_cig_params to always return false, and running BlueZ
> > iso-tester, which causes connections to be created and dropped fast:
> >
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
> >
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> > Workqueue: hci0 hci_cmd_sync_work
> > Call Trace:
> > <TASK>
> > dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
> > print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
> > ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
> > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > kasan_report (mm/kasan/report.c:538)
> > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
> > ? mutex_lock (kernel/locking/mutex.c:282)
> > ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
> > ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
> > ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
> > hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
> > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > ? __pfx_worker_thread (kernel/workqueue.c:2480)
> > kthread (kernel/kthread.c:376)
> > ? __pfx_kthread (kernel/kthread.c:331)
> > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > </TASK>
> >
> > Allocated by task 31:
> > kasan_save_stack (mm/kasan/common.c:46)
> > kasan_set_track (mm/kasan/common.c:52)
> > __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
> > hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
> > hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
> > hci_connect_cis (net/bluetooth/hci_conn.c:2266)
> > iso_connect_cis (net/bluetooth/iso.c:390)
> > iso_sock_connect (net/bluetooth/iso.c:899)
> > __sys_connect (net/socket.c:2003 net/socket.c:2020)
> > __x64_sys_connect (net/socket.c:2027)
> > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> >
> > Freed by task 15:
> > kasan_save_stack (mm/kasan/common.c:46)
> > kasan_set_track (mm/kasan/common.c:52)
> > kasan_save_free_info (mm/kasan/generic.c:523)
> > __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
> > __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
> > hci_conn_params_del (net/bluetooth/hci_core.c:2323)
> > le_scan_cleanup (net/bluetooth/hci_conn.c:202)
> > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > kthread (kernel/kthread.c:376)
> > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > ==================================================================
> >
> > Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
> > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > ---
> >
> > Notes:
> > v2: use RCU
>
> Really nice work.
>
> > include/net/bluetooth/hci_core.h | 5 ++
> > net/bluetooth/hci_conn.c | 9 ++--
> > net/bluetooth/hci_core.c | 34 +++++++++---
> > net/bluetooth/hci_event.c | 12 ++---
> > net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
> > net/bluetooth/mgmt.c | 30 +++++------
> > 6 files changed, 141 insertions(+), 42 deletions(-)
> >
> > diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> > index 683666ea210c..8c6ac6d29c62 100644
> > --- a/include/net/bluetooth/hci_core.h
> > +++ b/include/net/bluetooth/hci_core.h
> > @@ -822,6 +822,8 @@ struct hci_conn_params {
> >
> > struct hci_conn *conn;
> > bool explicit_connect;
> > + /* Accessed without hdev->lock: */
> > + bool add_pending;
>
> That is the only part that Im a little uncorfortable with, are we
> doing this because we can't do use the cmd_sync while holding RCU
> lock? In that case couldn't we perhaps update the list? Also we could
> perhaps add it as a flag rather than a separated field.
>
> > hci_conn_flags_t flags;
> > u8 privacy_mode;
> > };
> > @@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > bdaddr_t *addr, u8 addr_type);
> > void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
> > void hci_conn_params_clear_disabled(struct hci_dev *hdev);
> > +void hci_conn_params_free(struct hci_conn_params *param);
> > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > + struct list_head *list);
> >
> > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > bdaddr_t *addr,
> > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > index 7d4941e6dbdf..ae9a35d1405b 100644
> > --- a/net/bluetooth/hci_conn.c
> > +++ b/net/bluetooth/hci_conn.c
> > @@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > */
> > params->explicit_connect = false;
> >
> > - list_del_init(¶ms->action);
> > + hci_conn_params_set_pending(params, NULL);
> >
> > switch (params->auto_connect) {
> > case HCI_AUTO_CONN_EXPLICIT:
> > @@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > return;
> > case HCI_AUTO_CONN_DIRECT:
> > case HCI_AUTO_CONN_ALWAYS:
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > break;
> > case HCI_AUTO_CONN_REPORT:
> > - list_add(¶ms->action, &hdev->pend_le_reports);
> > + hci_conn_params_set_pending(params, &hdev->pend_le_reports);
> > break;
> > default:
> > break;
> > @@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
> > if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
> > params->auto_connect == HCI_AUTO_CONN_REPORT ||
> > params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
> > - list_del_init(¶ms->action);
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
>
> Id just follow the name convention e.g. hci_conn_params_list_add,
> hci_conn_params_list_del, etc.
>
> > }
> >
> > params->explicit_connect = true;
> > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > index 48917c68358d..7992a61fe1fd 100644
> > --- a/net/bluetooth/hci_core.c
> > +++ b/net/bluetooth/hci_core.c
> > @@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
> > return NULL;
> > }
> >
> > -/* This function requires the caller holds hdev->lock */
> > +/* This function requires the caller holds hdev->lock or rcu_read_lock */
> > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > bdaddr_t *addr, u8 addr_type)
> > {
> > struct hci_conn_params *param;
> >
> > - list_for_each_entry(param, list, action) {
> > + rcu_read_lock();
> > +
> > + list_for_each_entry_rcu(param, list, action) {
> > if (bacmp(¶m->addr, addr) == 0 &&
> > - param->addr_type == addr_type)
> > + param->addr_type == addr_type) {
> > + rcu_read_unlock();
> > return param;
> > + }
> > }
> >
> > + rcu_read_unlock();
> > +
> > return NULL;
> > }
> >
> > +/* This function requires the caller holds hdev->lock */
> > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > + struct list_head *list)
> > +{
> > + if (!list_empty(¶m->action)) {
> > + list_del_rcu(¶m->action);
> > + synchronize_rcu();
> > + INIT_LIST_HEAD(¶m->action);
> > + }
> > +
> > + if (list)
> > + list_add_rcu(¶m->action, list);
> > +}
> > +
> > /* This function requires the caller holds hdev->lock */
> > struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > bdaddr_t *addr, u8 addr_type)
> > @@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > return params;
> > }
> >
> > -static void hci_conn_params_free(struct hci_conn_params *params)
> > +void hci_conn_params_free(struct hci_conn_params *params)
> > {
> > + hci_conn_params_set_pending(params, NULL);
> > +
> > if (params->conn) {
> > hci_conn_drop(params->conn);
> > hci_conn_put(params->conn);
> > }
> >
> > - list_del(¶ms->action);
> > list_del(¶ms->list);
> > kfree(params);
> > }
> > @@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
> > continue;
> > }
> >
> > - list_del(¶ms->list);
> > - kfree(params);
> > + hci_conn_params_free(params);
> > }
> >
> > BT_DBG("All LE disabled connection parameters were removed");
> > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > index 7c199f7361f7..8187c9f827fa 100644
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
> >
> > params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
> > if (params)
> > - params->privacy_mode = cp->mode;
> > + WRITE_ONCE(params->privacy_mode, cp->mode);
> >
> > hci_dev_unlock(hdev);
> >
> > @@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
> >
> > case HCI_AUTO_CONN_DIRECT:
> > case HCI_AUTO_CONN_ALWAYS:
> > - list_del_init(¶ms->action);
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params,
> > + &hdev->pend_le_conns);
> > break;
> >
> > default:
> > @@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
> >
> > case HCI_AUTO_CONN_DIRECT:
> > case HCI_AUTO_CONN_ALWAYS:
> > - list_del_init(¶ms->action);
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params,
> > + &hdev->pend_le_conns);
> > hci_update_passive_scan(hdev);
> > break;
> >
> > @@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
> > params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
> > conn->dst_type);
> > if (params) {
> > - list_del_init(¶ms->action);
> > + hci_conn_params_set_pending(params, NULL);
> > if (params->conn) {
> > hci_conn_drop(params->conn);
> > hci_conn_put(params->conn);
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index 97da5bcaa904..da12e286ee64 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
> > return 0;
> > }
> >
> > +struct conn_params {
> > + bdaddr_t addr;
> > + u8 addr_type;
> > + hci_conn_flags_t flags;
> > + u8 privacy_mode;
> > +};
> > +
> > /* Adds connection to resolve list if needed.
> > * Setting params to NULL programs local hdev->irk
> > */
> > static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > - struct hci_conn_params *params)
> > + struct conn_params *params)
> > {
> > struct hci_cp_le_add_to_resolv_list cp;
> > struct smp_irk *irk;
> > struct bdaddr_list_with_irk *entry;
> > + struct hci_conn_params *p;
> >
> > if (!use_ll_privacy(hdev))
> > return 0;
> > @@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > /* Default privacy mode is always Network */
> > params->privacy_mode = HCI_NETWORK_PRIVACY;
> >
> > + rcu_read_lock();
> > + p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > + ¶ms->addr, params->addr_type);
> > + if (!p)
> > + p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
> > + ¶ms->addr, params->addr_type);
> > + if (p)
> > + WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
> > + rcu_read_unlock();
> > +
> > done:
> > if (hci_dev_test_flag(hdev, HCI_PRIVACY))
> > memcpy(cp.local_irk, hdev->irk, 16);
> > @@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> >
> > /* Set Device Privacy Mode. */
> > static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > - struct hci_conn_params *params)
> > + struct conn_params *params)
> > {
> > struct hci_cp_le_set_privacy_mode cp;
> > struct smp_irk *irk;
> > @@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > bacpy(&cp.bdaddr, &irk->bdaddr);
> > cp.mode = HCI_DEVICE_PRIVACY;
> >
> > + /* Note: params->privacy_mode is not updated since it is a copy */
> > +
> > return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
> > sizeof(cp), &cp, HCI_CMD_TIMEOUT);
> > }
> > @@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > * properly set the privacy mode.
> > */
> > static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
> > - struct hci_conn_params *params,
> > + struct conn_params *params,
> > u8 *num_entries)
> > {
> > struct hci_cp_le_add_to_accept_list cp;
> > @@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
> > }
> >
> > +static void conn_params_add_iter_init(struct list_head *list)
> > +{
> > + struct hci_conn_params *params;
> > +
> > + rcu_read_lock();
> > +
> > + list_for_each_entry_rcu(params, list, action)
> > + params->add_pending = true;
> > +
> > + rcu_read_unlock();
> > +}
> > +
> > +static bool conn_params_add_iter_next(struct list_head *list,
> > + struct conn_params *item)
> > +{
> > + struct hci_conn_params *params;
> > +
> > + rcu_read_lock();
> > +
> > + list_for_each_entry_rcu(params, list, action) {
> > + if (!params->add_pending)
> > + continue;
> > +
> > + /* No hdev->lock, but: addr, addr_type are immutable.
> > + * privacy_mode is only written by us or in
> > + * hci_cc_le_set_privacy_mode that we wait for.
> > + * We should be idempotent so MGMT updating flags
> > + * while we are processing is OK.
> > + */
> > + bacpy(&item->addr, ¶ms->addr);
> > + item->addr_type = params->addr_type;
> > + item->flags = READ_ONCE(params->flags);
> > + item->privacy_mode = READ_ONCE(params->privacy_mode);
> > +
> > + params->add_pending = false;
> > +
> > + rcu_read_unlock();
> > + return true;
> > + }
> > +
> > + rcu_read_unlock();
> > +
> > + return false;
> > +}
> > +
> > /* Device must not be scanning when updating the accept list.
> > *
> > * Update is done using the following sequence:
> > @@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > */
> > static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > {
> > - struct hci_conn_params *params;
> > + struct conn_params params;
> > struct bdaddr_list *b, *t;
> > u8 num_entries = 0;
> > bool pend_conn, pend_report;
> > @@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
> > continue;
> >
> > + /* Pointers not dereferenced, no locks needed */
> > pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > &b->bdaddr,
> > b->bdaddr_type);
> > @@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > * available accept list entries in the controller, then
> > * just abort and return filer policy value to not use the
> > * accept list.
> > + *
> > + * The list and params may be mutated while we wait for events,
> > + * so use special iteration with copies.
> > */
> > - list_for_each_entry(params, &hdev->pend_le_conns, action) {
> > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > +
> > + conn_params_add_iter_init(&hdev->pend_le_conns);
> > +
> > + while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
> > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > if (err)
> > goto done;
Perhaps we should be using list_for_each_entry_continue_rcu instead of
creating our own version of it? Or at least use it internally on
iter_next, anyway I think what we are after is some way to do
rcu_unlock add_to_list rcu_lock on a loop.
> > }
> > @@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > * the list of pending reports and also add these to the
> > * accept list if there is still space. Abort if space runs out.
> > */
> > - list_for_each_entry(params, &hdev->pend_le_reports, action) {
> > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > +
> > + conn_params_add_iter_init(&hdev->pend_le_reports);
> > +
> > + while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
> > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > if (err)
> > goto done;
> > }
> > @@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
> > struct hci_conn_params *p;
> >
> > list_for_each_entry(p, &hdev->le_conn_params, list) {
> > + hci_conn_params_set_pending(p, NULL);
> > if (p->conn) {
> > hci_conn_drop(p->conn);
> > hci_conn_put(p->conn);
> > p->conn = NULL;
> > }
> > - list_del_init(&p->action);
> > }
> >
> > BT_DBG("All LE pending actions cleared");
> > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> > index 61c8e1b8f3b0..b35b1c685b86 100644
> > --- a/net/bluetooth/mgmt.c
> > +++ b/net/bluetooth/mgmt.c
> > @@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
> > /* Needed for AUTO_OFF case where might not "really"
> > * have been powered off.
> > */
> > - list_del_init(&p->action);
> > + hci_conn_params_set_pending(p, NULL);
> >
> > switch (p->auto_connect) {
> > case HCI_AUTO_CONN_DIRECT:
> > case HCI_AUTO_CONN_ALWAYS:
> > - list_add(&p->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(p, &hdev->pend_le_conns);
> > break;
> > case HCI_AUTO_CONN_REPORT:
> > - list_add(&p->action, &hdev->pend_le_reports);
> > + hci_conn_params_set_pending(p, &hdev->pend_le_reports);
> > break;
> > default:
> > break;
> > @@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
> > goto unlock;
> > }
> >
> > - params->flags = current_flags;
> > + WRITE_ONCE(params->flags, current_flags);
> > status = MGMT_STATUS_SUCCESS;
> >
> > /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
> > @@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > if (params->auto_connect == auto_connect)
> > return 0;
> >
> > - list_del_init(¶ms->action);
> > + hci_conn_params_set_pending(params, NULL);
> >
> > switch (auto_connect) {
> > case HCI_AUTO_CONN_DISABLED:
> > @@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > * connect to device, keep connecting.
> > */
> > if (params->explicit_connect)
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params,
> > + &hdev->pend_le_conns);
> > break;
> > case HCI_AUTO_CONN_REPORT:
> > if (params->explicit_connect)
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params,
> > + &hdev->pend_le_conns);
> > else
> > - list_add(¶ms->action, &hdev->pend_le_reports);
> > + hci_conn_params_set_pending(params,
> > + &hdev->pend_le_reports);
> > break;
> > case HCI_AUTO_CONN_DIRECT:
> > case HCI_AUTO_CONN_ALWAYS:
> > if (!is_connected(hdev, addr, addr_type))
> > - list_add(¶ms->action, &hdev->pend_le_conns);
> > + hci_conn_params_set_pending(params,
> > + &hdev->pend_le_conns);
> > break;
> > }
> >
> > @@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > goto unlock;
> > }
> >
> > - list_del(¶ms->action);
> > - list_del(¶ms->list);
> > - kfree(params);
> > + hci_conn_params_free(params);
> >
> > device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
> > } else {
> > @@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
> > continue;
> > }
> > - list_del(&p->action);
> > - list_del(&p->list);
> > - kfree(p);
> > + hci_conn_params_free(p);
> > }
> >
> > bt_dev_dbg(hdev, "All LE connection parameters were removed");
> > --
> > 2.40.1
> >
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-13 19:38 ` Luiz Augusto von Dentz
@ 2023-06-13 23:07 ` Pauli Virtanen
2023-06-14 16:19 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 11+ messages in thread
From: Pauli Virtanen @ 2023-06-13 23:07 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
ti, 2023-06-13 kello 12:38 -0700, Luiz Augusto von Dentz kirjoitti:
> Hi Pauli,
>
> On Tue, Jun 13, 2023 at 12:04 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Pauli,
> >
> > On Tue, Jun 13, 2023 at 11:17 AM Pauli Virtanen <pav@iki.fi> wrote:
> > >
> > > hci_update_accept_list_sync iterates over hdev->pend_le_conns and
> > > hdev->pend_le_reports, and waits for controller events in the loop body,
> > > without holding hdev lock.
> > >
> > > Meanwhile, these lists and the items may be modified e.g. by
> > > le_scan_cleanup. This can invalidate the list cursor in the ongoing
> > > iterations, resulting to invalid behavior (eg use-after-free).
> > >
> > > Use RCU for the hci_conn_params action lists. Since the loop bodies in
> > > hci_sync block and we cannot use RCU for the whole loop, add
> > > hci_conn_params.add_pending to keep track which items are left. Copy
> > > data to avoid needing lock on hci_conn_params. Only the flags field is
> > > written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
> > > valid values.
> > >
> > > Free params everywhere with hci_conn_params_free so the cleanup is
> > > guaranteed to be done properly.
> > >
> > > This fixes the following, which can be triggered at least by changing
> > > hci_le_set_cig_params to always return false, and running BlueZ
> > > iso-tester, which causes connections to be created and dropped fast:
> > >
> > > ==================================================================
> > > BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
> > >
> > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> > > Workqueue: hci0 hci_cmd_sync_work
> > > Call Trace:
> > > <TASK>
> > > dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
> > > print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
> > > ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
> > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > kasan_report (mm/kasan/report.c:538)
> > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
> > > ? mutex_lock (kernel/locking/mutex.c:282)
> > > ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
> > > ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
> > > ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
> > > hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
> > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > ? __pfx_worker_thread (kernel/workqueue.c:2480)
> > > kthread (kernel/kthread.c:376)
> > > ? __pfx_kthread (kernel/kthread.c:331)
> > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > </TASK>
> > >
> > > Allocated by task 31:
> > > kasan_save_stack (mm/kasan/common.c:46)
> > > kasan_set_track (mm/kasan/common.c:52)
> > > __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
> > > hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
> > > hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
> > > hci_connect_cis (net/bluetooth/hci_conn.c:2266)
> > > iso_connect_cis (net/bluetooth/iso.c:390)
> > > iso_sock_connect (net/bluetooth/iso.c:899)
> > > __sys_connect (net/socket.c:2003 net/socket.c:2020)
> > > __x64_sys_connect (net/socket.c:2027)
> > > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> > >
> > > Freed by task 15:
> > > kasan_save_stack (mm/kasan/common.c:46)
> > > kasan_set_track (mm/kasan/common.c:52)
> > > kasan_save_free_info (mm/kasan/generic.c:523)
> > > __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
> > > __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
> > > hci_conn_params_del (net/bluetooth/hci_core.c:2323)
> > > le_scan_cleanup (net/bluetooth/hci_conn.c:202)
> > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > kthread (kernel/kthread.c:376)
> > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > ==================================================================
> > >
> > > Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
> > > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > > ---
> > >
> > > Notes:
> > > v2: use RCU
> >
> > Really nice work.
> >
> > > include/net/bluetooth/hci_core.h | 5 ++
> > > net/bluetooth/hci_conn.c | 9 ++--
> > > net/bluetooth/hci_core.c | 34 +++++++++---
> > > net/bluetooth/hci_event.c | 12 ++---
> > > net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
> > > net/bluetooth/mgmt.c | 30 +++++------
> > > 6 files changed, 141 insertions(+), 42 deletions(-)
> > >
> > > diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> > > index 683666ea210c..8c6ac6d29c62 100644
> > > --- a/include/net/bluetooth/hci_core.h
> > > +++ b/include/net/bluetooth/hci_core.h
> > > @@ -822,6 +822,8 @@ struct hci_conn_params {
> > >
> > > struct hci_conn *conn;
> > > bool explicit_connect;
> > > + /* Accessed without hdev->lock: */
> > > + bool add_pending;
> >
> > That is the only part that Im a little uncorfortable with, are we
> > doing this because we can't do use the cmd_sync while holding RCU
> > lock? In that case couldn't we perhaps update the list? Also we could
> > perhaps add it as a flag rather than a separated field.
Yes, it is because we have to release the rcu read lock while doing
__hci_cmd_sync_sk, and when we'd like to re-lock to continue the
iteration we can't know if the current pointer we have is still valid
and points to the same object (also if same address appears in list it
might be different object).
At the moment I'm not seeing how to iterate over this in principle
arbitrarily mutating list, without either marking the list entries in
one way or another in the iteration, or having some more lifetime
guarantees for them.
The marker could be a flag, but would maybe need atomic ops if the flag
field is written concurrently also from elsewhere if we want to be 100%
sure...
A problem with modifying the list (ie using action field to track
iteration status) is that in other parts things are looked up with
hci_pend_le_action_lookup so the items can't be moved away from it
temporarily (which otherwise would probably work here).
> > > hci_conn_flags_t flags;
> > > u8 privacy_mode;
> > > };
> > > @@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > bdaddr_t *addr, u8 addr_type);
> > > void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
> > > void hci_conn_params_clear_disabled(struct hci_dev *hdev);
> > > +void hci_conn_params_free(struct hci_conn_params *param);
> > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > + struct list_head *list);
> > >
> > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > bdaddr_t *addr,
> > > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > > index 7d4941e6dbdf..ae9a35d1405b 100644
> > > --- a/net/bluetooth/hci_conn.c
> > > +++ b/net/bluetooth/hci_conn.c
> > > @@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > */
> > > params->explicit_connect = false;
> > >
> > > - list_del_init(¶ms->action);
> > > + hci_conn_params_set_pending(params, NULL);
> > >
> > > switch (params->auto_connect) {
> > > case HCI_AUTO_CONN_EXPLICIT:
> > > @@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > return;
> > > case HCI_AUTO_CONN_DIRECT:
> > > case HCI_AUTO_CONN_ALWAYS:
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > > break;
> > > case HCI_AUTO_CONN_REPORT:
> > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > + hci_conn_params_set_pending(params, &hdev->pend_le_reports);
> > > break;
> > > default:
> > > break;
> > > @@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
> > > if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
> > > params->auto_connect == HCI_AUTO_CONN_REPORT ||
> > > params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
> > > - list_del_init(¶ms->action);
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> >
> > Id just follow the name convention e.g. hci_conn_params_list_add,
> > hci_conn_params_list_del, etc.
Ok. hci_conn_params are also in the different hdev->le_conn_params
list, maybe hci_pend_le_list_add, hci_pend_le_list_del_init
> >
> > > }
> > >
> > > params->explicit_connect = true;
> > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > index 48917c68358d..7992a61fe1fd 100644
> > > --- a/net/bluetooth/hci_core.c
> > > +++ b/net/bluetooth/hci_core.c
> > > @@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
> > > return NULL;
> > > }
> > >
> > > -/* This function requires the caller holds hdev->lock */
> > > +/* This function requires the caller holds hdev->lock or rcu_read_lock */
> > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > bdaddr_t *addr, u8 addr_type)
> > > {
> > > struct hci_conn_params *param;
> > >
> > > - list_for_each_entry(param, list, action) {
> > > + rcu_read_lock();
> > > +
> > > + list_for_each_entry_rcu(param, list, action) {
> > > if (bacmp(¶m->addr, addr) == 0 &&
> > > - param->addr_type == addr_type)
> > > + param->addr_type == addr_type) {
> > > + rcu_read_unlock();
> > > return param;
> > > + }
> > > }
> > >
> > > + rcu_read_unlock();
> > > +
> > > return NULL;
> > > }
> > >
> > > +/* This function requires the caller holds hdev->lock */
> > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > + struct list_head *list)
> > > +{
> > > + if (!list_empty(¶m->action)) {
> > > + list_del_rcu(¶m->action);
> > > + synchronize_rcu();
> > > + INIT_LIST_HEAD(¶m->action);
> > > + }
> > > +
> > > + if (list)
> > > + list_add_rcu(¶m->action, list);
> > > +}
> > > +
> > > /* This function requires the caller holds hdev->lock */
> > > struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > bdaddr_t *addr, u8 addr_type)
> > > @@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > return params;
> > > }
> > >
> > > -static void hci_conn_params_free(struct hci_conn_params *params)
> > > +void hci_conn_params_free(struct hci_conn_params *params)
> > > {
> > > + hci_conn_params_set_pending(params, NULL);
> > > +
> > > if (params->conn) {
> > > hci_conn_drop(params->conn);
> > > hci_conn_put(params->conn);
> > > }
> > >
> > > - list_del(¶ms->action);
> > > list_del(¶ms->list);
> > > kfree(params);
> > > }
> > > @@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
> > > continue;
> > > }
> > >
> > > - list_del(¶ms->list);
> > > - kfree(params);
> > > + hci_conn_params_free(params);
> > > }
> > >
> > > BT_DBG("All LE disabled connection parameters were removed");
> > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > index 7c199f7361f7..8187c9f827fa 100644
> > > --- a/net/bluetooth/hci_event.c
> > > +++ b/net/bluetooth/hci_event.c
> > > @@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
> > >
> > > params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
> > > if (params)
> > > - params->privacy_mode = cp->mode;
> > > + WRITE_ONCE(params->privacy_mode, cp->mode);
> > >
> > > hci_dev_unlock(hdev);
> > >
> > > @@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
> > >
> > > case HCI_AUTO_CONN_DIRECT:
> > > case HCI_AUTO_CONN_ALWAYS:
> > > - list_del_init(¶ms->action);
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params,
> > > + &hdev->pend_le_conns);
> > > break;
> > >
> > > default:
> > > @@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
> > >
> > > case HCI_AUTO_CONN_DIRECT:
> > > case HCI_AUTO_CONN_ALWAYS:
> > > - list_del_init(¶ms->action);
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params,
> > > + &hdev->pend_le_conns);
> > > hci_update_passive_scan(hdev);
> > > break;
> > >
> > > @@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
> > > params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
> > > conn->dst_type);
> > > if (params) {
> > > - list_del_init(¶ms->action);
> > > + hci_conn_params_set_pending(params, NULL);
> > > if (params->conn) {
> > > hci_conn_drop(params->conn);
> > > hci_conn_put(params->conn);
> > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > > index 97da5bcaa904..da12e286ee64 100644
> > > --- a/net/bluetooth/hci_sync.c
> > > +++ b/net/bluetooth/hci_sync.c
> > > @@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
> > > return 0;
> > > }
> > >
> > > +struct conn_params {
> > > + bdaddr_t addr;
> > > + u8 addr_type;
> > > + hci_conn_flags_t flags;
> > > + u8 privacy_mode;
> > > +};
> > > +
> > > /* Adds connection to resolve list if needed.
> > > * Setting params to NULL programs local hdev->irk
> > > */
> > > static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > - struct hci_conn_params *params)
> > > + struct conn_params *params)
> > > {
> > > struct hci_cp_le_add_to_resolv_list cp;
> > > struct smp_irk *irk;
> > > struct bdaddr_list_with_irk *entry;
> > > + struct hci_conn_params *p;
> > >
> > > if (!use_ll_privacy(hdev))
> > > return 0;
> > > @@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > /* Default privacy mode is always Network */
> > > params->privacy_mode = HCI_NETWORK_PRIVACY;
> > >
> > > + rcu_read_lock();
> > > + p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > + ¶ms->addr, params->addr_type);
> > > + if (!p)
> > > + p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
> > > + ¶ms->addr, params->addr_type);
> > > + if (p)
> > > + WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
> > > + rcu_read_unlock();
> > > +
> > > done:
> > > if (hci_dev_test_flag(hdev, HCI_PRIVACY))
> > > memcpy(cp.local_irk, hdev->irk, 16);
> > > @@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > >
> > > /* Set Device Privacy Mode. */
> > > static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > - struct hci_conn_params *params)
> > > + struct conn_params *params)
> > > {
> > > struct hci_cp_le_set_privacy_mode cp;
> > > struct smp_irk *irk;
> > > @@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > bacpy(&cp.bdaddr, &irk->bdaddr);
> > > cp.mode = HCI_DEVICE_PRIVACY;
> > >
> > > + /* Note: params->privacy_mode is not updated since it is a copy */
> > > +
> > > return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
> > > sizeof(cp), &cp, HCI_CMD_TIMEOUT);
> > > }
> > > @@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > * properly set the privacy mode.
> > > */
> > > static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
> > > - struct hci_conn_params *params,
> > > + struct conn_params *params,
> > > u8 *num_entries)
> > > {
> > > struct hci_cp_le_add_to_accept_list cp;
> > > @@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
> > > }
> > >
> > > +static void conn_params_add_iter_init(struct list_head *list)
> > > +{
> > > + struct hci_conn_params *params;
> > > +
> > > + rcu_read_lock();
> > > +
> > > + list_for_each_entry_rcu(params, list, action)
> > > + params->add_pending = true;
> > > +
> > > + rcu_read_unlock();
> > > +}
> > > +
> > > +static bool conn_params_add_iter_next(struct list_head *list,
> > > + struct conn_params *item)
> > > +{
> > > + struct hci_conn_params *params;
> > > +
> > > + rcu_read_lock();
> > > +
> > > + list_for_each_entry_rcu(params, list, action) {
> > > + if (!params->add_pending)
> > > + continue;
> > > +
> > > + /* No hdev->lock, but: addr, addr_type are immutable.
> > > + * privacy_mode is only written by us or in
> > > + * hci_cc_le_set_privacy_mode that we wait for.
> > > + * We should be idempotent so MGMT updating flags
> > > + * while we are processing is OK.
> > > + */
> > > + bacpy(&item->addr, ¶ms->addr);
> > > + item->addr_type = params->addr_type;
> > > + item->flags = READ_ONCE(params->flags);
> > > + item->privacy_mode = READ_ONCE(params->privacy_mode);
> > > +
> > > + params->add_pending = false;
> > > +
> > > + rcu_read_unlock();
> > > + return true;
> > > + }
> > > +
> > > + rcu_read_unlock();
> > > +
> > > + return false;
> > > +}
> > > +
> > > /* Device must not be scanning when updating the accept list.
> > > *
> > > * Update is done using the following sequence:
> > > @@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > */
> > > static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > {
> > > - struct hci_conn_params *params;
> > > + struct conn_params params;
> > > struct bdaddr_list *b, *t;
> > > u8 num_entries = 0;
> > > bool pend_conn, pend_report;
> > > @@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
> > > continue;
> > >
> > > + /* Pointers not dereferenced, no locks needed */
> > > pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > &b->bdaddr,
> > > b->bdaddr_type);
> > > @@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > * available accept list entries in the controller, then
> > > * just abort and return filer policy value to not use the
> > > * accept list.
> > > + *
> > > + * The list and params may be mutated while we wait for events,
> > > + * so use special iteration with copies.
> > > */
> > > - list_for_each_entry(params, &hdev->pend_le_conns, action) {
> > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > +
> > > + conn_params_add_iter_init(&hdev->pend_le_conns);
> > > +
> > > + while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
> > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > if (err)
> > > goto done;
>
> Perhaps we should be using list_for_each_entry_continue_rcu instead of
> creating our own version of it? Or at least use it internally on
> iter_next, anyway I think what we are after is some way to do
> rcu_unlock add_to_list rcu_lock on a loop.
I think list_for_each_entry_continue_rcu differs from
list_for_each_entry_rcu in that it doesn't start from the list head.
IIUC it requires starting from a valid list entry, and needs holding
the rcu read lock all the time, to ensure it is not invalidated. If so,
it seems it can't be used here since we need to release the lock and
the cursor might be gone before we re-lock.
> > > }
> > > @@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > * the list of pending reports and also add these to the
> > > * accept list if there is still space. Abort if space runs out.
> > > */
> > > - list_for_each_entry(params, &hdev->pend_le_reports, action) {
> > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > +
> > > + conn_params_add_iter_init(&hdev->pend_le_reports);
> > > +
> > > + while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
> > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > if (err)
> > > goto done;
> > > }
> > > @@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
> > > struct hci_conn_params *p;
> > >
> > > list_for_each_entry(p, &hdev->le_conn_params, list) {
> > > + hci_conn_params_set_pending(p, NULL);
> > > if (p->conn) {
> > > hci_conn_drop(p->conn);
> > > hci_conn_put(p->conn);
> > > p->conn = NULL;
> > > }
> > > - list_del_init(&p->action);
> > > }
> > >
> > > BT_DBG("All LE pending actions cleared");
> > > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> > > index 61c8e1b8f3b0..b35b1c685b86 100644
> > > --- a/net/bluetooth/mgmt.c
> > > +++ b/net/bluetooth/mgmt.c
> > > @@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
> > > /* Needed for AUTO_OFF case where might not "really"
> > > * have been powered off.
> > > */
> > > - list_del_init(&p->action);
> > > + hci_conn_params_set_pending(p, NULL);
> > >
> > > switch (p->auto_connect) {
> > > case HCI_AUTO_CONN_DIRECT:
> > > case HCI_AUTO_CONN_ALWAYS:
> > > - list_add(&p->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(p, &hdev->pend_le_conns);
> > > break;
> > > case HCI_AUTO_CONN_REPORT:
> > > - list_add(&p->action, &hdev->pend_le_reports);
> > > + hci_conn_params_set_pending(p, &hdev->pend_le_reports);
> > > break;
> > > default:
> > > break;
> > > @@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
> > > goto unlock;
> > > }
> > >
> > > - params->flags = current_flags;
> > > + WRITE_ONCE(params->flags, current_flags);
> > > status = MGMT_STATUS_SUCCESS;
> > >
> > > /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
> > > @@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > if (params->auto_connect == auto_connect)
> > > return 0;
> > >
> > > - list_del_init(¶ms->action);
> > > + hci_conn_params_set_pending(params, NULL);
> > >
> > > switch (auto_connect) {
> > > case HCI_AUTO_CONN_DISABLED:
> > > @@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > * connect to device, keep connecting.
> > > */
> > > if (params->explicit_connect)
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params,
> > > + &hdev->pend_le_conns);
> > > break;
> > > case HCI_AUTO_CONN_REPORT:
> > > if (params->explicit_connect)
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params,
> > > + &hdev->pend_le_conns);
> > > else
> > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > + hci_conn_params_set_pending(params,
> > > + &hdev->pend_le_reports);
> > > break;
> > > case HCI_AUTO_CONN_DIRECT:
> > > case HCI_AUTO_CONN_ALWAYS:
> > > if (!is_connected(hdev, addr, addr_type))
> > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > + hci_conn_params_set_pending(params,
> > > + &hdev->pend_le_conns);
> > > break;
> > > }
> > >
> > > @@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > goto unlock;
> > > }
> > >
> > > - list_del(¶ms->action);
> > > - list_del(¶ms->list);
> > > - kfree(params);
> > > + hci_conn_params_free(params);
> > >
> > > device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
> > > } else {
> > > @@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
> > > continue;
> > > }
> > > - list_del(&p->action);
> > > - list_del(&p->list);
> > > - kfree(p);
> > > + hci_conn_params_free(p);
> > > }
> > >
> > > bt_dev_dbg(hdev, "All LE connection parameters were removed");
> > > --
> > > 2.40.1
> > >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-13 23:07 ` Pauli Virtanen
@ 2023-06-14 16:19 ` Luiz Augusto von Dentz
2023-06-15 20:10 ` Pauli Virtanen
0 siblings, 1 reply; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-06-14 16:19 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Tue, Jun 13, 2023 at 4:07 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi Luiz,
>
> ti, 2023-06-13 kello 12:38 -0700, Luiz Augusto von Dentz kirjoitti:
> > Hi Pauli,
> >
> > On Tue, Jun 13, 2023 at 12:04 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > Hi Pauli,
> > >
> > > On Tue, Jun 13, 2023 at 11:17 AM Pauli Virtanen <pav@iki.fi> wrote:
> > > >
> > > > hci_update_accept_list_sync iterates over hdev->pend_le_conns and
> > > > hdev->pend_le_reports, and waits for controller events in the loop body,
> > > > without holding hdev lock.
> > > >
> > > > Meanwhile, these lists and the items may be modified e.g. by
> > > > le_scan_cleanup. This can invalidate the list cursor in the ongoing
> > > > iterations, resulting to invalid behavior (eg use-after-free).
> > > >
> > > > Use RCU for the hci_conn_params action lists. Since the loop bodies in
> > > > hci_sync block and we cannot use RCU for the whole loop, add
> > > > hci_conn_params.add_pending to keep track which items are left. Copy
> > > > data to avoid needing lock on hci_conn_params. Only the flags field is
> > > > written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
> > > > valid values.
> > > >
> > > > Free params everywhere with hci_conn_params_free so the cleanup is
> > > > guaranteed to be done properly.
> > > >
> > > > This fixes the following, which can be triggered at least by changing
> > > > hci_le_set_cig_params to always return false, and running BlueZ
> > > > iso-tester, which causes connections to be created and dropped fast:
> > > >
> > > > ==================================================================
> > > > BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
> > > >
> > > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> > > > Workqueue: hci0 hci_cmd_sync_work
> > > > Call Trace:
> > > > <TASK>
> > > > dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
> > > > print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
> > > > ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
> > > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > kasan_report (mm/kasan/report.c:538)
> > > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
> > > > ? mutex_lock (kernel/locking/mutex.c:282)
> > > > ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
> > > > ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
> > > > ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
> > > > hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
> > > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > > ? __pfx_worker_thread (kernel/workqueue.c:2480)
> > > > kthread (kernel/kthread.c:376)
> > > > ? __pfx_kthread (kernel/kthread.c:331)
> > > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > > </TASK>
> > > >
> > > > Allocated by task 31:
> > > > kasan_save_stack (mm/kasan/common.c:46)
> > > > kasan_set_track (mm/kasan/common.c:52)
> > > > __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
> > > > hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
> > > > hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
> > > > hci_connect_cis (net/bluetooth/hci_conn.c:2266)
> > > > iso_connect_cis (net/bluetooth/iso.c:390)
> > > > iso_sock_connect (net/bluetooth/iso.c:899)
> > > > __sys_connect (net/socket.c:2003 net/socket.c:2020)
> > > > __x64_sys_connect (net/socket.c:2027)
> > > > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > > > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> > > >
> > > > Freed by task 15:
> > > > kasan_save_stack (mm/kasan/common.c:46)
> > > > kasan_set_track (mm/kasan/common.c:52)
> > > > kasan_save_free_info (mm/kasan/generic.c:523)
> > > > __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
> > > > __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
> > > > hci_conn_params_del (net/bluetooth/hci_core.c:2323)
> > > > le_scan_cleanup (net/bluetooth/hci_conn.c:202)
> > > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > > kthread (kernel/kthread.c:376)
> > > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > > ==================================================================
> > > >
> > > > Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
> > > > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > > > ---
> > > >
> > > > Notes:
> > > > v2: use RCU
> > >
> > > Really nice work.
> > >
> > > > include/net/bluetooth/hci_core.h | 5 ++
> > > > net/bluetooth/hci_conn.c | 9 ++--
> > > > net/bluetooth/hci_core.c | 34 +++++++++---
> > > > net/bluetooth/hci_event.c | 12 ++---
> > > > net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
> > > > net/bluetooth/mgmt.c | 30 +++++------
> > > > 6 files changed, 141 insertions(+), 42 deletions(-)
> > > >
> > > > diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> > > > index 683666ea210c..8c6ac6d29c62 100644
> > > > --- a/include/net/bluetooth/hci_core.h
> > > > +++ b/include/net/bluetooth/hci_core.h
> > > > @@ -822,6 +822,8 @@ struct hci_conn_params {
> > > >
> > > > struct hci_conn *conn;
> > > > bool explicit_connect;
> > > > + /* Accessed without hdev->lock: */
> > > > + bool add_pending;
> > >
> > > That is the only part that Im a little uncorfortable with, are we
> > > doing this because we can't do use the cmd_sync while holding RCU
> > > lock? In that case couldn't we perhaps update the list? Also we could
> > > perhaps add it as a flag rather than a separated field.
>
> Yes, it is because we have to release the rcu read lock while doing
> __hci_cmd_sync_sk, and when we'd like to re-lock to continue the
> iteration we can't know if the current pointer we have is still valid
> and points to the same object (also if same address appears in list it
> might be different object).
>
> At the moment I'm not seeing how to iterate over this in principle
> arbitrarily mutating list, without either marking the list entries in
> one way or another in the iteration, or having some more lifetime
> guarantees for them.
>
> The marker could be a flag, but would maybe need atomic ops if the flag
> field is written concurrently also from elsewhere if we want to be 100%
> sure...
>
> A problem with modifying the list (ie using action field to track
> iteration status) is that in other parts things are looked up with
> hci_pend_le_action_lookup so the items can't be moved away from it
> temporarily (which otherwise would probably work here).
>
> > > > hci_conn_flags_t flags;
> > > > u8 privacy_mode;
> > > > };
> > > > @@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > bdaddr_t *addr, u8 addr_type);
> > > > void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
> > > > void hci_conn_params_clear_disabled(struct hci_dev *hdev);
> > > > +void hci_conn_params_free(struct hci_conn_params *param);
> > > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > > + struct list_head *list);
> > > >
> > > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > > bdaddr_t *addr,
> > > > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > > > index 7d4941e6dbdf..ae9a35d1405b 100644
> > > > --- a/net/bluetooth/hci_conn.c
> > > > +++ b/net/bluetooth/hci_conn.c
> > > > @@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > > */
> > > > params->explicit_connect = false;
> > > >
> > > > - list_del_init(¶ms->action);
> > > > + hci_conn_params_set_pending(params, NULL);
> > > >
> > > > switch (params->auto_connect) {
> > > > case HCI_AUTO_CONN_EXPLICIT:
> > > > @@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > > return;
> > > > case HCI_AUTO_CONN_DIRECT:
> > > > case HCI_AUTO_CONN_ALWAYS:
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > > > break;
> > > > case HCI_AUTO_CONN_REPORT:
> > > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > > + hci_conn_params_set_pending(params, &hdev->pend_le_reports);
> > > > break;
> > > > default:
> > > > break;
> > > > @@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
> > > > if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
> > > > params->auto_connect == HCI_AUTO_CONN_REPORT ||
> > > > params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
> > > > - list_del_init(¶ms->action);
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > >
> > > Id just follow the name convention e.g. hci_conn_params_list_add,
> > > hci_conn_params_list_del, etc.
>
> Ok. hci_conn_params are also in the different hdev->le_conn_params
> list, maybe hci_pend_le_list_add, hci_pend_le_list_del_init
>
> > >
> > > > }
> > > >
> > > > params->explicit_connect = true;
> > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > index 48917c68358d..7992a61fe1fd 100644
> > > > --- a/net/bluetooth/hci_core.c
> > > > +++ b/net/bluetooth/hci_core.c
> > > > @@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
> > > > return NULL;
> > > > }
> > > >
> > > > -/* This function requires the caller holds hdev->lock */
> > > > +/* This function requires the caller holds hdev->lock or rcu_read_lock */
> > > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > > bdaddr_t *addr, u8 addr_type)
> > > > {
> > > > struct hci_conn_params *param;
> > > >
> > > > - list_for_each_entry(param, list, action) {
> > > > + rcu_read_lock();
> > > > +
> > > > + list_for_each_entry_rcu(param, list, action) {
> > > > if (bacmp(¶m->addr, addr) == 0 &&
> > > > - param->addr_type == addr_type)
> > > > + param->addr_type == addr_type) {
> > > > + rcu_read_unlock();
> > > > return param;
> > > > + }
> > > > }
> > > >
> > > > + rcu_read_unlock();
> > > > +
> > > > return NULL;
> > > > }
> > > >
> > > > +/* This function requires the caller holds hdev->lock */
> > > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > > + struct list_head *list)
> > > > +{
> > > > + if (!list_empty(¶m->action)) {
> > > > + list_del_rcu(¶m->action);
> > > > + synchronize_rcu();
> > > > + INIT_LIST_HEAD(¶m->action);
> > > > + }
> > > > +
> > > > + if (list)
> > > > + list_add_rcu(¶m->action, list);
> > > > +}
> > > > +
> > > > /* This function requires the caller holds hdev->lock */
> > > > struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > bdaddr_t *addr, u8 addr_type)
> > > > @@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > return params;
> > > > }
> > > >
> > > > -static void hci_conn_params_free(struct hci_conn_params *params)
> > > > +void hci_conn_params_free(struct hci_conn_params *params)
> > > > {
> > > > + hci_conn_params_set_pending(params, NULL);
> > > > +
> > > > if (params->conn) {
> > > > hci_conn_drop(params->conn);
> > > > hci_conn_put(params->conn);
> > > > }
> > > >
> > > > - list_del(¶ms->action);
> > > > list_del(¶ms->list);
> > > > kfree(params);
> > > > }
> > > > @@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
> > > > continue;
> > > > }
> > > >
> > > > - list_del(¶ms->list);
> > > > - kfree(params);
> > > > + hci_conn_params_free(params);
> > > > }
> > > >
> > > > BT_DBG("All LE disabled connection parameters were removed");
> > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > > index 7c199f7361f7..8187c9f827fa 100644
> > > > --- a/net/bluetooth/hci_event.c
> > > > +++ b/net/bluetooth/hci_event.c
> > > > @@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
> > > >
> > > > params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
> > > > if (params)
> > > > - params->privacy_mode = cp->mode;
> > > > + WRITE_ONCE(params->privacy_mode, cp->mode);
> > > >
> > > > hci_dev_unlock(hdev);
> > > >
> > > > @@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
> > > >
> > > > case HCI_AUTO_CONN_DIRECT:
> > > > case HCI_AUTO_CONN_ALWAYS:
> > > > - list_del_init(¶ms->action);
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params,
> > > > + &hdev->pend_le_conns);
> > > > break;
> > > >
> > > > default:
> > > > @@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
> > > >
> > > > case HCI_AUTO_CONN_DIRECT:
> > > > case HCI_AUTO_CONN_ALWAYS:
> > > > - list_del_init(¶ms->action);
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params,
> > > > + &hdev->pend_le_conns);
> > > > hci_update_passive_scan(hdev);
> > > > break;
> > > >
> > > > @@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
> > > > params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
> > > > conn->dst_type);
> > > > if (params) {
> > > > - list_del_init(¶ms->action);
> > > > + hci_conn_params_set_pending(params, NULL);
> > > > if (params->conn) {
> > > > hci_conn_drop(params->conn);
> > > > hci_conn_put(params->conn);
> > > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > > > index 97da5bcaa904..da12e286ee64 100644
> > > > --- a/net/bluetooth/hci_sync.c
> > > > +++ b/net/bluetooth/hci_sync.c
> > > > @@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
> > > > return 0;
> > > > }
> > > >
> > > > +struct conn_params {
> > > > + bdaddr_t addr;
> > > > + u8 addr_type;
> > > > + hci_conn_flags_t flags;
> > > > + u8 privacy_mode;
> > > > +};
> > > > +
> > > > /* Adds connection to resolve list if needed.
> > > > * Setting params to NULL programs local hdev->irk
> > > > */
> > > > static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > - struct hci_conn_params *params)
> > > > + struct conn_params *params)
> > > > {
> > > > struct hci_cp_le_add_to_resolv_list cp;
> > > > struct smp_irk *irk;
> > > > struct bdaddr_list_with_irk *entry;
> > > > + struct hci_conn_params *p;
> > > >
> > > > if (!use_ll_privacy(hdev))
> > > > return 0;
> > > > @@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > /* Default privacy mode is always Network */
> > > > params->privacy_mode = HCI_NETWORK_PRIVACY;
> > > >
> > > > + rcu_read_lock();
> > > > + p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > > + ¶ms->addr, params->addr_type);
> > > > + if (!p)
> > > > + p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
> > > > + ¶ms->addr, params->addr_type);
> > > > + if (p)
> > > > + WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
> > > > + rcu_read_unlock();
> > > > +
> > > > done:
> > > > if (hci_dev_test_flag(hdev, HCI_PRIVACY))
> > > > memcpy(cp.local_irk, hdev->irk, 16);
> > > > @@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > >
> > > > /* Set Device Privacy Mode. */
> > > > static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > - struct hci_conn_params *params)
> > > > + struct conn_params *params)
> > > > {
> > > > struct hci_cp_le_set_privacy_mode cp;
> > > > struct smp_irk *irk;
> > > > @@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > bacpy(&cp.bdaddr, &irk->bdaddr);
> > > > cp.mode = HCI_DEVICE_PRIVACY;
> > > >
> > > > + /* Note: params->privacy_mode is not updated since it is a copy */
> > > > +
> > > > return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
> > > > sizeof(cp), &cp, HCI_CMD_TIMEOUT);
> > > > }
> > > > @@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > * properly set the privacy mode.
> > > > */
> > > > static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
> > > > - struct hci_conn_params *params,
> > > > + struct conn_params *params,
> > > > u8 *num_entries)
> > > > {
> > > > struct hci_cp_le_add_to_accept_list cp;
> > > > @@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > > return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
> > > > }
> > > >
> > > > +static void conn_params_add_iter_init(struct list_head *list)
> > > > +{
> > > > + struct hci_conn_params *params;
> > > > +
> > > > + rcu_read_lock();
> > > > +
> > > > + list_for_each_entry_rcu(params, list, action)
> > > > + params->add_pending = true;
> > > > +
> > > > + rcu_read_unlock();
> > > > +}
> > > > +
> > > > +static bool conn_params_add_iter_next(struct list_head *list,
> > > > + struct conn_params *item)
> > > > +{
> > > > + struct hci_conn_params *params;
> > > > +
> > > > + rcu_read_lock();
> > > > +
> > > > + list_for_each_entry_rcu(params, list, action) {
> > > > + if (!params->add_pending)
> > > > + continue;
> > > > +
> > > > + /* No hdev->lock, but: addr, addr_type are immutable.
> > > > + * privacy_mode is only written by us or in
> > > > + * hci_cc_le_set_privacy_mode that we wait for.
> > > > + * We should be idempotent so MGMT updating flags
> > > > + * while we are processing is OK.
> > > > + */
> > > > + bacpy(&item->addr, ¶ms->addr);
> > > > + item->addr_type = params->addr_type;
> > > > + item->flags = READ_ONCE(params->flags);
> > > > + item->privacy_mode = READ_ONCE(params->privacy_mode);
> > > > +
> > > > + params->add_pending = false;
> > > > +
> > > > + rcu_read_unlock();
> > > > + return true;
> > > > + }
> > > > +
> > > > + rcu_read_unlock();
> > > > +
> > > > + return false;
> > > > +}
> > > > +
> > > > /* Device must not be scanning when updating the accept list.
> > > > *
> > > > * Update is done using the following sequence:
> > > > @@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > > */
> > > > static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > {
> > > > - struct hci_conn_params *params;
> > > > + struct conn_params params;
> > > > struct bdaddr_list *b, *t;
> > > > u8 num_entries = 0;
> > > > bool pend_conn, pend_report;
> > > > @@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
> > > > continue;
> > > >
> > > > + /* Pointers not dereferenced, no locks needed */
> > > > pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > > &b->bdaddr,
> > > > b->bdaddr_type);
> > > > @@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > * available accept list entries in the controller, then
> > > > * just abort and return filer policy value to not use the
> > > > * accept list.
> > > > + *
> > > > + * The list and params may be mutated while we wait for events,
> > > > + * so use special iteration with copies.
> > > > */
> > > > - list_for_each_entry(params, &hdev->pend_le_conns, action) {
> > > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > > +
> > > > + conn_params_add_iter_init(&hdev->pend_le_conns);
> > > > +
> > > > + while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
> > > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > > if (err)
> > > > goto done;
> >
> > Perhaps we should be using list_for_each_entry_continue_rcu instead of
> > creating our own version of it? Or at least use it internally on
> > iter_next, anyway I think what we are after is some way to do
> > rcu_unlock add_to_list rcu_lock on a loop.
>
> I think list_for_each_entry_continue_rcu differs from
> list_for_each_entry_rcu in that it doesn't start from the list head.
>
> IIUC it requires starting from a valid list entry, and needs holding
> the rcu read lock all the time, to ensure it is not invalidated. If so,
> it seems it can't be used here since we need to release the lock and
> the cursor might be gone before we re-lock.
I wonder if we can have something similar to for_each_safe version
under rcu_lock then or perhaps there is a problem with the whole list
getting freed in the meantime? It is perhaps a good idea to introduce
some test to cover this in iso-tester so we make sure we don't
reintroduce it this sort of problem in the future.
> > > > }
> > > > @@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > * the list of pending reports and also add these to the
> > > > * accept list if there is still space. Abort if space runs out.
> > > > */
> > > > - list_for_each_entry(params, &hdev->pend_le_reports, action) {
> > > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > > +
> > > > + conn_params_add_iter_init(&hdev->pend_le_reports);
> > > > +
> > > > + while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
> > > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > > if (err)
> > > > goto done;
> > > > }
> > > > @@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
> > > > struct hci_conn_params *p;
> > > >
> > > > list_for_each_entry(p, &hdev->le_conn_params, list) {
> > > > + hci_conn_params_set_pending(p, NULL);
> > > > if (p->conn) {
> > > > hci_conn_drop(p->conn);
> > > > hci_conn_put(p->conn);
> > > > p->conn = NULL;
> > > > }
> > > > - list_del_init(&p->action);
> > > > }
> > > >
> > > > BT_DBG("All LE pending actions cleared");
> > > > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> > > > index 61c8e1b8f3b0..b35b1c685b86 100644
> > > > --- a/net/bluetooth/mgmt.c
> > > > +++ b/net/bluetooth/mgmt.c
> > > > @@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
> > > > /* Needed for AUTO_OFF case where might not "really"
> > > > * have been powered off.
> > > > */
> > > > - list_del_init(&p->action);
> > > > + hci_conn_params_set_pending(p, NULL);
> > > >
> > > > switch (p->auto_connect) {
> > > > case HCI_AUTO_CONN_DIRECT:
> > > > case HCI_AUTO_CONN_ALWAYS:
> > > > - list_add(&p->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(p, &hdev->pend_le_conns);
> > > > break;
> > > > case HCI_AUTO_CONN_REPORT:
> > > > - list_add(&p->action, &hdev->pend_le_reports);
> > > > + hci_conn_params_set_pending(p, &hdev->pend_le_reports);
> > > > break;
> > > > default:
> > > > break;
> > > > @@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
> > > > goto unlock;
> > > > }
> > > >
> > > > - params->flags = current_flags;
> > > > + WRITE_ONCE(params->flags, current_flags);
> > > > status = MGMT_STATUS_SUCCESS;
> > > >
> > > > /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
> > > > @@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > > if (params->auto_connect == auto_connect)
> > > > return 0;
> > > >
> > > > - list_del_init(¶ms->action);
> > > > + hci_conn_params_set_pending(params, NULL);
> > > >
> > > > switch (auto_connect) {
> > > > case HCI_AUTO_CONN_DISABLED:
> > > > @@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > > * connect to device, keep connecting.
> > > > */
> > > > if (params->explicit_connect)
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params,
> > > > + &hdev->pend_le_conns);
> > > > break;
> > > > case HCI_AUTO_CONN_REPORT:
> > > > if (params->explicit_connect)
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params,
> > > > + &hdev->pend_le_conns);
> > > > else
> > > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > > + hci_conn_params_set_pending(params,
> > > > + &hdev->pend_le_reports);
> > > > break;
> > > > case HCI_AUTO_CONN_DIRECT:
> > > > case HCI_AUTO_CONN_ALWAYS:
> > > > if (!is_connected(hdev, addr, addr_type))
> > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > + hci_conn_params_set_pending(params,
> > > > + &hdev->pend_le_conns);
> > > > break;
> > > > }
> > > >
> > > > @@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > > goto unlock;
> > > > }
> > > >
> > > > - list_del(¶ms->action);
> > > > - list_del(¶ms->list);
> > > > - kfree(params);
> > > > + hci_conn_params_free(params);
> > > >
> > > > device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
> > > > } else {
> > > > @@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > > p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
> > > > continue;
> > > > }
> > > > - list_del(&p->action);
> > > > - list_del(&p->list);
> > > > - kfree(p);
> > > > + hci_conn_params_free(p);
> > > > }
> > > >
> > > > bt_dev_dbg(hdev, "All LE connection parameters were removed");
> > > > --
> > > > 2.40.1
> > > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
> >
> >
> >
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-14 16:19 ` Luiz Augusto von Dentz
@ 2023-06-15 20:10 ` Pauli Virtanen
2023-06-15 22:32 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 11+ messages in thread
From: Pauli Virtanen @ 2023-06-15 20:10 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
ke, 2023-06-14 kello 09:19 -0700, Luiz Augusto von Dentz kirjoitti:
> Hi Pauli,
>
> On Tue, Jun 13, 2023 at 4:07 PM Pauli Virtanen <pav@iki.fi> wrote:
> >
> > Hi Luiz,
> >
> > ti, 2023-06-13 kello 12:38 -0700, Luiz Augusto von Dentz kirjoitti:
> > > Hi Pauli,
> > >
> > > On Tue, Jun 13, 2023 at 12:04 PM Luiz Augusto von Dentz
> > > <luiz.dentz@gmail.com> wrote:
> > > >
> > > > Hi Pauli,
> > > >
> > > > On Tue, Jun 13, 2023 at 11:17 AM Pauli Virtanen <pav@iki.fi> wrote:
> > > > >
> > > > > hci_update_accept_list_sync iterates over hdev->pend_le_conns and
> > > > > hdev->pend_le_reports, and waits for controller events in the loop body,
> > > > > without holding hdev lock.
> > > > >
> > > > > Meanwhile, these lists and the items may be modified e.g. by
> > > > > le_scan_cleanup. This can invalidate the list cursor in the ongoing
> > > > > iterations, resulting to invalid behavior (eg use-after-free).
> > > > >
> > > > > Use RCU for the hci_conn_params action lists. Since the loop bodies in
> > > > > hci_sync block and we cannot use RCU for the whole loop, add
> > > > > hci_conn_params.add_pending to keep track which items are left. Copy
> > > > > data to avoid needing lock on hci_conn_params. Only the flags field is
> > > > > written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
> > > > > valid values.
> > > > >
> > > > > Free params everywhere with hci_conn_params_free so the cleanup is
> > > > > guaranteed to be done properly.
> > > > >
> > > > > This fixes the following, which can be triggered at least by changing
> > > > > hci_le_set_cig_params to always return false, and running BlueZ
> > > > > iso-tester, which causes connections to be created and dropped fast:
> > > > >
> > > > > ==================================================================
> > > > > BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
> > > > >
> > > > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> > > > > Workqueue: hci0 hci_cmd_sync_work
> > > > > Call Trace:
> > > > > <TASK>
> > > > > dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
> > > > > print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
> > > > > ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
> > > > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > kasan_report (mm/kasan/report.c:538)
> > > > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
> > > > > ? mutex_lock (kernel/locking/mutex.c:282)
> > > > > ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
> > > > > ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
> > > > > ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
> > > > > hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
> > > > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > > > ? __pfx_worker_thread (kernel/workqueue.c:2480)
> > > > > kthread (kernel/kthread.c:376)
> > > > > ? __pfx_kthread (kernel/kthread.c:331)
> > > > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > > > </TASK>
> > > > >
> > > > > Allocated by task 31:
> > > > > kasan_save_stack (mm/kasan/common.c:46)
> > > > > kasan_set_track (mm/kasan/common.c:52)
> > > > > __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
> > > > > hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
> > > > > hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
> > > > > hci_connect_cis (net/bluetooth/hci_conn.c:2266)
> > > > > iso_connect_cis (net/bluetooth/iso.c:390)
> > > > > iso_sock_connect (net/bluetooth/iso.c:899)
> > > > > __sys_connect (net/socket.c:2003 net/socket.c:2020)
> > > > > __x64_sys_connect (net/socket.c:2027)
> > > > > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > > > > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> > > > >
> > > > > Freed by task 15:
> > > > > kasan_save_stack (mm/kasan/common.c:46)
> > > > > kasan_set_track (mm/kasan/common.c:52)
> > > > > kasan_save_free_info (mm/kasan/generic.c:523)
> > > > > __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
> > > > > __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
> > > > > hci_conn_params_del (net/bluetooth/hci_core.c:2323)
> > > > > le_scan_cleanup (net/bluetooth/hci_conn.c:202)
> > > > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > > > kthread (kernel/kthread.c:376)
> > > > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > > > ==================================================================
> > > > >
> > > > > Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
> > > > > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > > > > ---
> > > > >
> > > > > Notes:
> > > > > v2: use RCU
> > > >
> > > > Really nice work.
> > > >
> > > > > include/net/bluetooth/hci_core.h | 5 ++
> > > > > net/bluetooth/hci_conn.c | 9 ++--
> > > > > net/bluetooth/hci_core.c | 34 +++++++++---
> > > > > net/bluetooth/hci_event.c | 12 ++---
> > > > > net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
> > > > > net/bluetooth/mgmt.c | 30 +++++------
> > > > > 6 files changed, 141 insertions(+), 42 deletions(-)
> > > > >
> > > > > diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> > > > > index 683666ea210c..8c6ac6d29c62 100644
> > > > > --- a/include/net/bluetooth/hci_core.h
> > > > > +++ b/include/net/bluetooth/hci_core.h
> > > > > @@ -822,6 +822,8 @@ struct hci_conn_params {
> > > > >
> > > > > struct hci_conn *conn;
> > > > > bool explicit_connect;
> > > > > + /* Accessed without hdev->lock: */
> > > > > + bool add_pending;
> > > >
> > > > That is the only part that Im a little uncorfortable with, are we
> > > > doing this because we can't do use the cmd_sync while holding RCU
> > > > lock? In that case couldn't we perhaps update the list? Also we could
> > > > perhaps add it as a flag rather than a separated field.
> >
> > Yes, it is because we have to release the rcu read lock while doing
> > __hci_cmd_sync_sk, and when we'd like to re-lock to continue the
> > iteration we can't know if the current pointer we have is still valid
> > and points to the same object (also if same address appears in list it
> > might be different object).
> >
> > At the moment I'm not seeing how to iterate over this in principle
> > arbitrarily mutating list, without either marking the list entries in
> > one way or another in the iteration, or having some more lifetime
> > guarantees for them.
> >
> > The marker could be a flag, but would maybe need atomic ops if the flag
> > field is written concurrently also from elsewhere if we want to be 100%
> > sure...
> >
> > A problem with modifying the list (ie using action field to track
> > iteration status) is that in other parts things are looked up with
> > hci_pend_le_action_lookup so the items can't be moved away from it
> > temporarily (which otherwise would probably work here).
> >
> > > > > hci_conn_flags_t flags;
> > > > > u8 privacy_mode;
> > > > > };
> > > > > @@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > > bdaddr_t *addr, u8 addr_type);
> > > > > void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
> > > > > void hci_conn_params_clear_disabled(struct hci_dev *hdev);
> > > > > +void hci_conn_params_free(struct hci_conn_params *param);
> > > > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > > > + struct list_head *list);
> > > > >
> > > > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > > > bdaddr_t *addr,
> > > > > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > > > > index 7d4941e6dbdf..ae9a35d1405b 100644
> > > > > --- a/net/bluetooth/hci_conn.c
> > > > > +++ b/net/bluetooth/hci_conn.c
> > > > > @@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > > > */
> > > > > params->explicit_connect = false;
> > > > >
> > > > > - list_del_init(¶ms->action);
> > > > > + hci_conn_params_set_pending(params, NULL);
> > > > >
> > > > > switch (params->auto_connect) {
> > > > > case HCI_AUTO_CONN_EXPLICIT:
> > > > > @@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > > > return;
> > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > > > > break;
> > > > > case HCI_AUTO_CONN_REPORT:
> > > > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > > > + hci_conn_params_set_pending(params, &hdev->pend_le_reports);
> > > > > break;
> > > > > default:
> > > > > break;
> > > > > @@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
> > > > > if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
> > > > > params->auto_connect == HCI_AUTO_CONN_REPORT ||
> > > > > params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
> > > > > - list_del_init(¶ms->action);
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > > >
> > > > Id just follow the name convention e.g. hci_conn_params_list_add,
> > > > hci_conn_params_list_del, etc.
> >
> > Ok. hci_conn_params are also in the different hdev->le_conn_params
> > list, maybe hci_pend_le_list_add, hci_pend_le_list_del_init
> >
> > > >
> > > > > }
> > > > >
> > > > > params->explicit_connect = true;
> > > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > > index 48917c68358d..7992a61fe1fd 100644
> > > > > --- a/net/bluetooth/hci_core.c
> > > > > +++ b/net/bluetooth/hci_core.c
> > > > > @@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
> > > > > return NULL;
> > > > > }
> > > > >
> > > > > -/* This function requires the caller holds hdev->lock */
> > > > > +/* This function requires the caller holds hdev->lock or rcu_read_lock */
> > > > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > > > bdaddr_t *addr, u8 addr_type)
> > > > > {
> > > > > struct hci_conn_params *param;
> > > > >
> > > > > - list_for_each_entry(param, list, action) {
> > > > > + rcu_read_lock();
> > > > > +
> > > > > + list_for_each_entry_rcu(param, list, action) {
> > > > > if (bacmp(¶m->addr, addr) == 0 &&
> > > > > - param->addr_type == addr_type)
> > > > > + param->addr_type == addr_type) {
> > > > > + rcu_read_unlock();
> > > > > return param;
> > > > > + }
> > > > > }
> > > > >
> > > > > + rcu_read_unlock();
> > > > > +
> > > > > return NULL;
> > > > > }
> > > > >
> > > > > +/* This function requires the caller holds hdev->lock */
> > > > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > > > + struct list_head *list)
> > > > > +{
> > > > > + if (!list_empty(¶m->action)) {
> > > > > + list_del_rcu(¶m->action);
> > > > > + synchronize_rcu();
> > > > > + INIT_LIST_HEAD(¶m->action);
> > > > > + }
> > > > > +
> > > > > + if (list)
> > > > > + list_add_rcu(¶m->action, list);
> > > > > +}
> > > > > +
> > > > > /* This function requires the caller holds hdev->lock */
> > > > > struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > > bdaddr_t *addr, u8 addr_type)
> > > > > @@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > > return params;
> > > > > }
> > > > >
> > > > > -static void hci_conn_params_free(struct hci_conn_params *params)
> > > > > +void hci_conn_params_free(struct hci_conn_params *params)
> > > > > {
> > > > > + hci_conn_params_set_pending(params, NULL);
> > > > > +
> > > > > if (params->conn) {
> > > > > hci_conn_drop(params->conn);
> > > > > hci_conn_put(params->conn);
> > > > > }
> > > > >
> > > > > - list_del(¶ms->action);
> > > > > list_del(¶ms->list);
> > > > > kfree(params);
> > > > > }
> > > > > @@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
> > > > > continue;
> > > > > }
> > > > >
> > > > > - list_del(¶ms->list);
> > > > > - kfree(params);
> > > > > + hci_conn_params_free(params);
> > > > > }
> > > > >
> > > > > BT_DBG("All LE disabled connection parameters were removed");
> > > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > > > index 7c199f7361f7..8187c9f827fa 100644
> > > > > --- a/net/bluetooth/hci_event.c
> > > > > +++ b/net/bluetooth/hci_event.c
> > > > > @@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
> > > > >
> > > > > params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
> > > > > if (params)
> > > > > - params->privacy_mode = cp->mode;
> > > > > + WRITE_ONCE(params->privacy_mode, cp->mode);
> > > > >
> > > > > hci_dev_unlock(hdev);
> > > > >
> > > > > @@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
> > > > >
> > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > - list_del_init(¶ms->action);
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params,
> > > > > + &hdev->pend_le_conns);
> > > > > break;
> > > > >
> > > > > default:
> > > > > @@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
> > > > >
> > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > - list_del_init(¶ms->action);
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params,
> > > > > + &hdev->pend_le_conns);
> > > > > hci_update_passive_scan(hdev);
> > > > > break;
> > > > >
> > > > > @@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
> > > > > params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
> > > > > conn->dst_type);
> > > > > if (params) {
> > > > > - list_del_init(¶ms->action);
> > > > > + hci_conn_params_set_pending(params, NULL);
> > > > > if (params->conn) {
> > > > > hci_conn_drop(params->conn);
> > > > > hci_conn_put(params->conn);
> > > > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > > > > index 97da5bcaa904..da12e286ee64 100644
> > > > > --- a/net/bluetooth/hci_sync.c
> > > > > +++ b/net/bluetooth/hci_sync.c
> > > > > @@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
> > > > > return 0;
> > > > > }
> > > > >
> > > > > +struct conn_params {
> > > > > + bdaddr_t addr;
> > > > > + u8 addr_type;
> > > > > + hci_conn_flags_t flags;
> > > > > + u8 privacy_mode;
> > > > > +};
> > > > > +
> > > > > /* Adds connection to resolve list if needed.
> > > > > * Setting params to NULL programs local hdev->irk
> > > > > */
> > > > > static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > > - struct hci_conn_params *params)
> > > > > + struct conn_params *params)
> > > > > {
> > > > > struct hci_cp_le_add_to_resolv_list cp;
> > > > > struct smp_irk *irk;
> > > > > struct bdaddr_list_with_irk *entry;
> > > > > + struct hci_conn_params *p;
> > > > >
> > > > > if (!use_ll_privacy(hdev))
> > > > > return 0;
> > > > > @@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > > /* Default privacy mode is always Network */
> > > > > params->privacy_mode = HCI_NETWORK_PRIVACY;
> > > > >
> > > > > + rcu_read_lock();
> > > > > + p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > > > + ¶ms->addr, params->addr_type);
> > > > > + if (!p)
> > > > > + p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
> > > > > + ¶ms->addr, params->addr_type);
> > > > > + if (p)
> > > > > + WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
> > > > > + rcu_read_unlock();
> > > > > +
> > > > > done:
> > > > > if (hci_dev_test_flag(hdev, HCI_PRIVACY))
> > > > > memcpy(cp.local_irk, hdev->irk, 16);
> > > > > @@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > >
> > > > > /* Set Device Privacy Mode. */
> > > > > static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > > - struct hci_conn_params *params)
> > > > > + struct conn_params *params)
> > > > > {
> > > > > struct hci_cp_le_set_privacy_mode cp;
> > > > > struct smp_irk *irk;
> > > > > @@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > > bacpy(&cp.bdaddr, &irk->bdaddr);
> > > > > cp.mode = HCI_DEVICE_PRIVACY;
> > > > >
> > > > > + /* Note: params->privacy_mode is not updated since it is a copy */
> > > > > +
> > > > > return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
> > > > > sizeof(cp), &cp, HCI_CMD_TIMEOUT);
> > > > > }
> > > > > @@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > > * properly set the privacy mode.
> > > > > */
> > > > > static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
> > > > > - struct hci_conn_params *params,
> > > > > + struct conn_params *params,
> > > > > u8 *num_entries)
> > > > > {
> > > > > struct hci_cp_le_add_to_accept_list cp;
> > > > > @@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > > > return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
> > > > > }
> > > > >
> > > > > +static void conn_params_add_iter_init(struct list_head *list)
> > > > > +{
> > > > > + struct hci_conn_params *params;
> > > > > +
> > > > > + rcu_read_lock();
> > > > > +
> > > > > + list_for_each_entry_rcu(params, list, action)
> > > > > + params->add_pending = true;
> > > > > +
> > > > > + rcu_read_unlock();
> > > > > +}
> > > > > +
> > > > > +static bool conn_params_add_iter_next(struct list_head *list,
> > > > > + struct conn_params *item)
> > > > > +{
> > > > > + struct hci_conn_params *params;
> > > > > +
> > > > > + rcu_read_lock();
> > > > > +
> > > > > + list_for_each_entry_rcu(params, list, action) {
> > > > > + if (!params->add_pending)
> > > > > + continue;
> > > > > +
> > > > > + /* No hdev->lock, but: addr, addr_type are immutable.
> > > > > + * privacy_mode is only written by us or in
> > > > > + * hci_cc_le_set_privacy_mode that we wait for.
> > > > > + * We should be idempotent so MGMT updating flags
> > > > > + * while we are processing is OK.
> > > > > + */
> > > > > + bacpy(&item->addr, ¶ms->addr);
> > > > > + item->addr_type = params->addr_type;
> > > > > + item->flags = READ_ONCE(params->flags);
> > > > > + item->privacy_mode = READ_ONCE(params->privacy_mode);
> > > > > +
> > > > > + params->add_pending = false;
> > > > > +
> > > > > + rcu_read_unlock();
> > > > > + return true;
> > > > > + }
> > > > > +
> > > > > + rcu_read_unlock();
> > > > > +
> > > > > + return false;
> > > > > +}
> > > > > +
> > > > > /* Device must not be scanning when updating the accept list.
> > > > > *
> > > > > * Update is done using the following sequence:
> > > > > @@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > > > */
> > > > > static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > {
> > > > > - struct hci_conn_params *params;
> > > > > + struct conn_params params;
> > > > > struct bdaddr_list *b, *t;
> > > > > u8 num_entries = 0;
> > > > > bool pend_conn, pend_report;
> > > > > @@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
> > > > > continue;
> > > > >
> > > > > + /* Pointers not dereferenced, no locks needed */
> > > > > pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > > > &b->bdaddr,
> > > > > b->bdaddr_type);
> > > > > @@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > * available accept list entries in the controller, then
> > > > > * just abort and return filer policy value to not use the
> > > > > * accept list.
> > > > > + *
> > > > > + * The list and params may be mutated while we wait for events,
> > > > > + * so use special iteration with copies.
> > > > > */
> > > > > - list_for_each_entry(params, &hdev->pend_le_conns, action) {
> > > > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > > > +
> > > > > + conn_params_add_iter_init(&hdev->pend_le_conns);
> > > > > +
> > > > > + while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
> > > > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > > > if (err)
> > > > > goto done;
> > >
> > > Perhaps we should be using list_for_each_entry_continue_rcu instead of
> > > creating our own version of it? Or at least use it internally on
> > > iter_next, anyway I think what we are after is some way to do
> > > rcu_unlock add_to_list rcu_lock on a loop.
> >
> > I think list_for_each_entry_continue_rcu differs from
> > list_for_each_entry_rcu in that it doesn't start from the list head.
> >
> > IIUC it requires starting from a valid list entry, and needs holding
> > the rcu read lock all the time, to ensure it is not invalidated. If so,
> > it seems it can't be used here since we need to release the lock and
> > the cursor might be gone before we re-lock.
>
> I wonder if we can have something similar to for_each_safe version
> under rcu_lock then or perhaps there is a problem with the whole list
> getting freed in the meantime? It is perhaps a good idea to introduce
> some test to cover this in iso-tester so we make sure we don't
> reintroduce it this sort of problem in the future.
Any element of the list can in principle get freed while we wait for
controller to reply. The *_safe iterator guards against freeing the
current element, but if it's the next element that gets freed it
crashes too.
If we want alternatives, making a copy of all items in the list under
rcu lock and then releasing and iterating over the copied list would
work. Or we could add refcount or some other "don't free me yet" flag
to the params (but we might want to make a copy still to ensure the
flags aren't changed under us).
I sent a patch adding a reproducer to mgmt-tester.c. There's maybe more
ways that you can hit it with enough bad luck (or emulator timing
help).
> > > > > }
> > > > > @@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > * the list of pending reports and also add these to the
> > > > > * accept list if there is still space. Abort if space runs out.
> > > > > */
> > > > > - list_for_each_entry(params, &hdev->pend_le_reports, action) {
> > > > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > > > +
> > > > > + conn_params_add_iter_init(&hdev->pend_le_reports);
> > > > > +
> > > > > + while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
> > > > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > > > if (err)
> > > > > goto done;
> > > > > }
> > > > > @@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
> > > > > struct hci_conn_params *p;
> > > > >
> > > > > list_for_each_entry(p, &hdev->le_conn_params, list) {
> > > > > + hci_conn_params_set_pending(p, NULL);
> > > > > if (p->conn) {
> > > > > hci_conn_drop(p->conn);
> > > > > hci_conn_put(p->conn);
> > > > > p->conn = NULL;
> > > > > }
> > > > > - list_del_init(&p->action);
> > > > > }
> > > > >
> > > > > BT_DBG("All LE pending actions cleared");
> > > > > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> > > > > index 61c8e1b8f3b0..b35b1c685b86 100644
> > > > > --- a/net/bluetooth/mgmt.c
> > > > > +++ b/net/bluetooth/mgmt.c
> > > > > @@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
> > > > > /* Needed for AUTO_OFF case where might not "really"
> > > > > * have been powered off.
> > > > > */
> > > > > - list_del_init(&p->action);
> > > > > + hci_conn_params_set_pending(p, NULL);
> > > > >
> > > > > switch (p->auto_connect) {
> > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > - list_add(&p->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(p, &hdev->pend_le_conns);
> > > > > break;
> > > > > case HCI_AUTO_CONN_REPORT:
> > > > > - list_add(&p->action, &hdev->pend_le_reports);
> > > > > + hci_conn_params_set_pending(p, &hdev->pend_le_reports);
> > > > > break;
> > > > > default:
> > > > > break;
> > > > > @@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
> > > > > goto unlock;
> > > > > }
> > > > >
> > > > > - params->flags = current_flags;
> > > > > + WRITE_ONCE(params->flags, current_flags);
> > > > > status = MGMT_STATUS_SUCCESS;
> > > > >
> > > > > /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
> > > > > @@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > > > if (params->auto_connect == auto_connect)
> > > > > return 0;
> > > > >
> > > > > - list_del_init(¶ms->action);
> > > > > + hci_conn_params_set_pending(params, NULL);
> > > > >
> > > > > switch (auto_connect) {
> > > > > case HCI_AUTO_CONN_DISABLED:
> > > > > @@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > > > * connect to device, keep connecting.
> > > > > */
> > > > > if (params->explicit_connect)
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params,
> > > > > + &hdev->pend_le_conns);
> > > > > break;
> > > > > case HCI_AUTO_CONN_REPORT:
> > > > > if (params->explicit_connect)
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params,
> > > > > + &hdev->pend_le_conns);
> > > > > else
> > > > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > > > + hci_conn_params_set_pending(params,
> > > > > + &hdev->pend_le_reports);
> > > > > break;
> > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > if (!is_connected(hdev, addr, addr_type))
> > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > + hci_conn_params_set_pending(params,
> > > > > + &hdev->pend_le_conns);
> > > > > break;
> > > > > }
> > > > >
> > > > > @@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > > > goto unlock;
> > > > > }
> > > > >
> > > > > - list_del(¶ms->action);
> > > > > - list_del(¶ms->list);
> > > > > - kfree(params);
> > > > > + hci_conn_params_free(params);
> > > > >
> > > > > device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
> > > > > } else {
> > > > > @@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > > > p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
> > > > > continue;
> > > > > }
> > > > > - list_del(&p->action);
> > > > > - list_del(&p->list);
> > > > > - kfree(p);
> > > > > + hci_conn_params_free(p);
> > > > > }
> > > > >
> > > > > bt_dev_dbg(hdev, "All LE connection parameters were removed");
> > > > > --
> > > > > 2.40.1
> > > > >
> > > >
> > > >
> > > > --
> > > > Luiz Augusto von Dentz
> > >
> > >
> > >
> >
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
2023-06-15 20:10 ` Pauli Virtanen
@ 2023-06-15 22:32 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-06-15 22:32 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Thu, Jun 15, 2023 at 1:10 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi Luiz,
>
> ke, 2023-06-14 kello 09:19 -0700, Luiz Augusto von Dentz kirjoitti:
> > Hi Pauli,
> >
> > On Tue, Jun 13, 2023 at 4:07 PM Pauli Virtanen <pav@iki.fi> wrote:
> > >
> > > Hi Luiz,
> > >
> > > ti, 2023-06-13 kello 12:38 -0700, Luiz Augusto von Dentz kirjoitti:
> > > > Hi Pauli,
> > > >
> > > > On Tue, Jun 13, 2023 at 12:04 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@gmail.com> wrote:
> > > > >
> > > > > Hi Pauli,
> > > > >
> > > > > On Tue, Jun 13, 2023 at 11:17 AM Pauli Virtanen <pav@iki.fi> wrote:
> > > > > >
> > > > > > hci_update_accept_list_sync iterates over hdev->pend_le_conns and
> > > > > > hdev->pend_le_reports, and waits for controller events in the loop body,
> > > > > > without holding hdev lock.
> > > > > >
> > > > > > Meanwhile, these lists and the items may be modified e.g. by
> > > > > > le_scan_cleanup. This can invalidate the list cursor in the ongoing
> > > > > > iterations, resulting to invalid behavior (eg use-after-free).
> > > > > >
> > > > > > Use RCU for the hci_conn_params action lists. Since the loop bodies in
> > > > > > hci_sync block and we cannot use RCU for the whole loop, add
> > > > > > hci_conn_params.add_pending to keep track which items are left. Copy
> > > > > > data to avoid needing lock on hci_conn_params. Only the flags field is
> > > > > > written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read
> > > > > > valid values.
> > > > > >
> > > > > > Free params everywhere with hci_conn_params_free so the cleanup is
> > > > > > guaranteed to be done properly.
> > > > > >
> > > > > > This fixes the following, which can be triggered at least by changing
> > > > > > hci_le_set_cig_params to always return false, and running BlueZ
> > > > > > iso-tester, which causes connections to be created and dropped fast:
> > > > > >
> > > > > > ==================================================================
> > > > > > BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > > Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
> > > > > >
> > > > > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> > > > > > Workqueue: hci0 hci_cmd_sync_work
> > > > > > Call Trace:
> > > > > > <TASK>
> > > > > > dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
> > > > > > print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
> > > > > > ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
> > > > > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > > kasan_report (mm/kasan/report.c:538)
> > > > > > ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > > hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
> > > > > > ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
> > > > > > ? mutex_lock (kernel/locking/mutex.c:282)
> > > > > > ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
> > > > > > ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
> > > > > > ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
> > > > > > hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
> > > > > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > > > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > > > > ? __pfx_worker_thread (kernel/workqueue.c:2480)
> > > > > > kthread (kernel/kthread.c:376)
> > > > > > ? __pfx_kthread (kernel/kthread.c:331)
> > > > > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > > > > </TASK>
> > > > > >
> > > > > > Allocated by task 31:
> > > > > > kasan_save_stack (mm/kasan/common.c:46)
> > > > > > kasan_set_track (mm/kasan/common.c:52)
> > > > > > __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
> > > > > > hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
> > > > > > hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
> > > > > > hci_connect_cis (net/bluetooth/hci_conn.c:2266)
> > > > > > iso_connect_cis (net/bluetooth/iso.c:390)
> > > > > > iso_sock_connect (net/bluetooth/iso.c:899)
> > > > > > __sys_connect (net/socket.c:2003 net/socket.c:2020)
> > > > > > __x64_sys_connect (net/socket.c:2027)
> > > > > > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > > > > > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> > > > > >
> > > > > > Freed by task 15:
> > > > > > kasan_save_stack (mm/kasan/common.c:46)
> > > > > > kasan_set_track (mm/kasan/common.c:52)
> > > > > > kasan_save_free_info (mm/kasan/generic.c:523)
> > > > > > __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
> > > > > > __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
> > > > > > hci_conn_params_del (net/bluetooth/hci_core.c:2323)
> > > > > > le_scan_cleanup (net/bluetooth/hci_conn.c:202)
> > > > > > process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
> > > > > > worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
> > > > > > kthread (kernel/kthread.c:376)
> > > > > > ret_from_fork (arch/x86/entry/entry_64.S:314)
> > > > > > ==================================================================
> > > > > >
> > > > > > Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
> > > > > > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > > > > > ---
> > > > > >
> > > > > > Notes:
> > > > > > v2: use RCU
> > > > >
> > > > > Really nice work.
> > > > >
> > > > > > include/net/bluetooth/hci_core.h | 5 ++
> > > > > > net/bluetooth/hci_conn.c | 9 ++--
> > > > > > net/bluetooth/hci_core.c | 34 +++++++++---
> > > > > > net/bluetooth/hci_event.c | 12 ++---
> > > > > > net/bluetooth/hci_sync.c | 93 ++++++++++++++++++++++++++++----
> > > > > > net/bluetooth/mgmt.c | 30 +++++------
> > > > > > 6 files changed, 141 insertions(+), 42 deletions(-)
> > > > > >
> > > > > > diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> > > > > > index 683666ea210c..8c6ac6d29c62 100644
> > > > > > --- a/include/net/bluetooth/hci_core.h
> > > > > > +++ b/include/net/bluetooth/hci_core.h
> > > > > > @@ -822,6 +822,8 @@ struct hci_conn_params {
> > > > > >
> > > > > > struct hci_conn *conn;
> > > > > > bool explicit_connect;
> > > > > > + /* Accessed without hdev->lock: */
> > > > > > + bool add_pending;
> > > > >
> > > > > That is the only part that Im a little uncorfortable with, are we
> > > > > doing this because we can't do use the cmd_sync while holding RCU
> > > > > lock? In that case couldn't we perhaps update the list? Also we could
> > > > > perhaps add it as a flag rather than a separated field.
> > >
> > > Yes, it is because we have to release the rcu read lock while doing
> > > __hci_cmd_sync_sk, and when we'd like to re-lock to continue the
> > > iteration we can't know if the current pointer we have is still valid
> > > and points to the same object (also if same address appears in list it
> > > might be different object).
> > >
> > > At the moment I'm not seeing how to iterate over this in principle
> > > arbitrarily mutating list, without either marking the list entries in
> > > one way or another in the iteration, or having some more lifetime
> > > guarantees for them.
> > >
> > > The marker could be a flag, but would maybe need atomic ops if the flag
> > > field is written concurrently also from elsewhere if we want to be 100%
> > > sure...
> > >
> > > A problem with modifying the list (ie using action field to track
> > > iteration status) is that in other parts things are looked up with
> > > hci_pend_le_action_lookup so the items can't be moved away from it
> > > temporarily (which otherwise would probably work here).
> > >
> > > > > > hci_conn_flags_t flags;
> > > > > > u8 privacy_mode;
> > > > > > };
> > > > > > @@ -1605,6 +1607,9 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > > > bdaddr_t *addr, u8 addr_type);
> > > > > > void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
> > > > > > void hci_conn_params_clear_disabled(struct hci_dev *hdev);
> > > > > > +void hci_conn_params_free(struct hci_conn_params *param);
> > > > > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > > > > + struct list_head *list);
> > > > > >
> > > > > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > > > > bdaddr_t *addr,
> > > > > > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > > > > > index 7d4941e6dbdf..ae9a35d1405b 100644
> > > > > > --- a/net/bluetooth/hci_conn.c
> > > > > > +++ b/net/bluetooth/hci_conn.c
> > > > > > @@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > > > > */
> > > > > > params->explicit_connect = false;
> > > > > >
> > > > > > - list_del_init(¶ms->action);
> > > > > > + hci_conn_params_set_pending(params, NULL);
> > > > > >
> > > > > > switch (params->auto_connect) {
> > > > > > case HCI_AUTO_CONN_EXPLICIT:
> > > > > > @@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
> > > > > > return;
> > > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > > > > > break;
> > > > > > case HCI_AUTO_CONN_REPORT:
> > > > > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > > > > + hci_conn_params_set_pending(params, &hdev->pend_le_reports);
> > > > > > break;
> > > > > > default:
> > > > > > break;
> > > > > > @@ -1435,8 +1435,7 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev,
> > > > > > if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
> > > > > > params->auto_connect == HCI_AUTO_CONN_REPORT ||
> > > > > > params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
> > > > > > - list_del_init(¶ms->action);
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params, &hdev->pend_le_conns);
> > > > >
> > > > > Id just follow the name convention e.g. hci_conn_params_list_add,
> > > > > hci_conn_params_list_del, etc.
> > >
> > > Ok. hci_conn_params are also in the different hdev->le_conn_params
> > > list, maybe hci_pend_le_list_add, hci_pend_le_list_del_init
> > >
> > > > >
> > > > > > }
> > > > > >
> > > > > > params->explicit_connect = true;
> > > > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > > > index 48917c68358d..7992a61fe1fd 100644
> > > > > > --- a/net/bluetooth/hci_core.c
> > > > > > +++ b/net/bluetooth/hci_core.c
> > > > > > @@ -2249,21 +2249,41 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
> > > > > > return NULL;
> > > > > > }
> > > > > >
> > > > > > -/* This function requires the caller holds hdev->lock */
> > > > > > +/* This function requires the caller holds hdev->lock or rcu_read_lock */
> > > > > > struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
> > > > > > bdaddr_t *addr, u8 addr_type)
> > > > > > {
> > > > > > struct hci_conn_params *param;
> > > > > >
> > > > > > - list_for_each_entry(param, list, action) {
> > > > > > + rcu_read_lock();
> > > > > > +
> > > > > > + list_for_each_entry_rcu(param, list, action) {
> > > > > > if (bacmp(¶m->addr, addr) == 0 &&
> > > > > > - param->addr_type == addr_type)
> > > > > > + param->addr_type == addr_type) {
> > > > > > + rcu_read_unlock();
> > > > > > return param;
> > > > > > + }
> > > > > > }
> > > > > >
> > > > > > + rcu_read_unlock();
> > > > > > +
> > > > > > return NULL;
> > > > > > }
> > > > > >
> > > > > > +/* This function requires the caller holds hdev->lock */
> > > > > > +void hci_conn_params_set_pending(struct hci_conn_params *param,
> > > > > > + struct list_head *list)
> > > > > > +{
> > > > > > + if (!list_empty(¶m->action)) {
> > > > > > + list_del_rcu(¶m->action);
> > > > > > + synchronize_rcu();
> > > > > > + INIT_LIST_HEAD(¶m->action);
> > > > > > + }
> > > > > > +
> > > > > > + if (list)
> > > > > > + list_add_rcu(¶m->action, list);
> > > > > > +}
> > > > > > +
> > > > > > /* This function requires the caller holds hdev->lock */
> > > > > > struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > > > bdaddr_t *addr, u8 addr_type)
> > > > > > @@ -2297,14 +2317,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
> > > > > > return params;
> > > > > > }
> > > > > >
> > > > > > -static void hci_conn_params_free(struct hci_conn_params *params)
> > > > > > +void hci_conn_params_free(struct hci_conn_params *params)
> > > > > > {
> > > > > > + hci_conn_params_set_pending(params, NULL);
> > > > > > +
> > > > > > if (params->conn) {
> > > > > > hci_conn_drop(params->conn);
> > > > > > hci_conn_put(params->conn);
> > > > > > }
> > > > > >
> > > > > > - list_del(¶ms->action);
> > > > > > list_del(¶ms->list);
> > > > > > kfree(params);
> > > > > > }
> > > > > > @@ -2342,8 +2363,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev)
> > > > > > continue;
> > > > > > }
> > > > > >
> > > > > > - list_del(¶ms->list);
> > > > > > - kfree(params);
> > > > > > + hci_conn_params_free(params);
> > > > > > }
> > > > > >
> > > > > > BT_DBG("All LE disabled connection parameters were removed");
> > > > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> > > > > > index 7c199f7361f7..8187c9f827fa 100644
> > > > > > --- a/net/bluetooth/hci_event.c
> > > > > > +++ b/net/bluetooth/hci_event.c
> > > > > > @@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
> > > > > >
> > > > > > params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
> > > > > > if (params)
> > > > > > - params->privacy_mode = cp->mode;
> > > > > > + WRITE_ONCE(params->privacy_mode, cp->mode);
> > > > > >
> > > > > > hci_dev_unlock(hdev);
> > > > > >
> > > > > > @@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
> > > > > >
> > > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > > - list_del_init(¶ms->action);
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params,
> > > > > > + &hdev->pend_le_conns);
> > > > > > break;
> > > > > >
> > > > > > default:
> > > > > > @@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
> > > > > >
> > > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > > - list_del_init(¶ms->action);
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params,
> > > > > > + &hdev->pend_le_conns);
> > > > > > hci_update_passive_scan(hdev);
> > > > > > break;
> > > > > >
> > > > > > @@ -5972,7 +5972,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
> > > > > > params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
> > > > > > conn->dst_type);
> > > > > > if (params) {
> > > > > > - list_del_init(¶ms->action);
> > > > > > + hci_conn_params_set_pending(params, NULL);
> > > > > > if (params->conn) {
> > > > > > hci_conn_drop(params->conn);
> > > > > > hci_conn_put(params->conn);
> > > > > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > > > > > index 97da5bcaa904..da12e286ee64 100644
> > > > > > --- a/net/bluetooth/hci_sync.c
> > > > > > +++ b/net/bluetooth/hci_sync.c
> > > > > > @@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
> > > > > > return 0;
> > > > > > }
> > > > > >
> > > > > > +struct conn_params {
> > > > > > + bdaddr_t addr;
> > > > > > + u8 addr_type;
> > > > > > + hci_conn_flags_t flags;
> > > > > > + u8 privacy_mode;
> > > > > > +};
> > > > > > +
> > > > > > /* Adds connection to resolve list if needed.
> > > > > > * Setting params to NULL programs local hdev->irk
> > > > > > */
> > > > > > static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > > > - struct hci_conn_params *params)
> > > > > > + struct conn_params *params)
> > > > > > {
> > > > > > struct hci_cp_le_add_to_resolv_list cp;
> > > > > > struct smp_irk *irk;
> > > > > > struct bdaddr_list_with_irk *entry;
> > > > > > + struct hci_conn_params *p;
> > > > > >
> > > > > > if (!use_ll_privacy(hdev))
> > > > > > return 0;
> > > > > > @@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > > > /* Default privacy mode is always Network */
> > > > > > params->privacy_mode = HCI_NETWORK_PRIVACY;
> > > > > >
> > > > > > + rcu_read_lock();
> > > > > > + p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > > > > + ¶ms->addr, params->addr_type);
> > > > > > + if (!p)
> > > > > > + p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
> > > > > > + ¶ms->addr, params->addr_type);
> > > > > > + if (p)
> > > > > > + WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
> > > > > > + rcu_read_unlock();
> > > > > > +
> > > > > > done:
> > > > > > if (hci_dev_test_flag(hdev, HCI_PRIVACY))
> > > > > > memcpy(cp.local_irk, hdev->irk, 16);
> > > > > > @@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
> > > > > >
> > > > > > /* Set Device Privacy Mode. */
> > > > > > static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > > > - struct hci_conn_params *params)
> > > > > > + struct conn_params *params)
> > > > > > {
> > > > > > struct hci_cp_le_set_privacy_mode cp;
> > > > > > struct smp_irk *irk;
> > > > > > @@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > > > bacpy(&cp.bdaddr, &irk->bdaddr);
> > > > > > cp.mode = HCI_DEVICE_PRIVACY;
> > > > > >
> > > > > > + /* Note: params->privacy_mode is not updated since it is a copy */
> > > > > > +
> > > > > > return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
> > > > > > sizeof(cp), &cp, HCI_CMD_TIMEOUT);
> > > > > > }
> > > > > > @@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
> > > > > > * properly set the privacy mode.
> > > > > > */
> > > > > > static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
> > > > > > - struct hci_conn_params *params,
> > > > > > + struct conn_params *params,
> > > > > > u8 *num_entries)
> > > > > > {
> > > > > > struct hci_cp_le_add_to_accept_list cp;
> > > > > > @@ -2447,6 +2467,51 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > > > > return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
> > > > > > }
> > > > > >
> > > > > > +static void conn_params_add_iter_init(struct list_head *list)
> > > > > > +{
> > > > > > + struct hci_conn_params *params;
> > > > > > +
> > > > > > + rcu_read_lock();
> > > > > > +
> > > > > > + list_for_each_entry_rcu(params, list, action)
> > > > > > + params->add_pending = true;
> > > > > > +
> > > > > > + rcu_read_unlock();
> > > > > > +}
> > > > > > +
> > > > > > +static bool conn_params_add_iter_next(struct list_head *list,
> > > > > > + struct conn_params *item)
> > > > > > +{
> > > > > > + struct hci_conn_params *params;
> > > > > > +
> > > > > > + rcu_read_lock();
> > > > > > +
> > > > > > + list_for_each_entry_rcu(params, list, action) {
> > > > > > + if (!params->add_pending)
> > > > > > + continue;
> > > > > > +
> > > > > > + /* No hdev->lock, but: addr, addr_type are immutable.
> > > > > > + * privacy_mode is only written by us or in
> > > > > > + * hci_cc_le_set_privacy_mode that we wait for.
> > > > > > + * We should be idempotent so MGMT updating flags
> > > > > > + * while we are processing is OK.
> > > > > > + */
> > > > > > + bacpy(&item->addr, ¶ms->addr);
> > > > > > + item->addr_type = params->addr_type;
> > > > > > + item->flags = READ_ONCE(params->flags);
> > > > > > + item->privacy_mode = READ_ONCE(params->privacy_mode);
> > > > > > +
> > > > > > + params->add_pending = false;
> > > > > > +
> > > > > > + rcu_read_unlock();
> > > > > > + return true;
> > > > > > + }
> > > > > > +
> > > > > > + rcu_read_unlock();
> > > > > > +
> > > > > > + return false;
> > > > > > +}
> > > > > > +
> > > > > > /* Device must not be scanning when updating the accept list.
> > > > > > *
> > > > > > * Update is done using the following sequence:
> > > > > > @@ -2466,7 +2531,7 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
> > > > > > */
> > > > > > static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > > {
> > > > > > - struct hci_conn_params *params;
> > > > > > + struct conn_params params;
> > > > > > struct bdaddr_list *b, *t;
> > > > > > u8 num_entries = 0;
> > > > > > bool pend_conn, pend_report;
> > > > > > @@ -2504,6 +2569,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > > if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
> > > > > > continue;
> > > > > >
> > > > > > + /* Pointers not dereferenced, no locks needed */
> > > > > > pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
> > > > > > &b->bdaddr,
> > > > > > b->bdaddr_type);
> > > > > > @@ -2532,9 +2598,15 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > > * available accept list entries in the controller, then
> > > > > > * just abort and return filer policy value to not use the
> > > > > > * accept list.
> > > > > > + *
> > > > > > + * The list and params may be mutated while we wait for events,
> > > > > > + * so use special iteration with copies.
> > > > > > */
> > > > > > - list_for_each_entry(params, &hdev->pend_le_conns, action) {
> > > > > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > > > > +
> > > > > > + conn_params_add_iter_init(&hdev->pend_le_conns);
> > > > > > +
> > > > > > + while (conn_params_add_iter_next(&hdev->pend_le_conns, ¶ms)) {
> > > > > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > > > > if (err)
> > > > > > goto done;
> > > >
> > > > Perhaps we should be using list_for_each_entry_continue_rcu instead of
> > > > creating our own version of it? Or at least use it internally on
> > > > iter_next, anyway I think what we are after is some way to do
> > > > rcu_unlock add_to_list rcu_lock on a loop.
> > >
> > > I think list_for_each_entry_continue_rcu differs from
> > > list_for_each_entry_rcu in that it doesn't start from the list head.
> > >
> > > IIUC it requires starting from a valid list entry, and needs holding
> > > the rcu read lock all the time, to ensure it is not invalidated. If so,
> > > it seems it can't be used here since we need to release the lock and
> > > the cursor might be gone before we re-lock.
> >
> > I wonder if we can have something similar to for_each_safe version
> > under rcu_lock then or perhaps there is a problem with the whole list
> > getting freed in the meantime? It is perhaps a good idea to introduce
> > some test to cover this in iso-tester so we make sure we don't
> > reintroduce it this sort of problem in the future.
>
> Any element of the list can in principle get freed while we wait for
> controller to reply. The *_safe iterator guards against freeing the
> current element, but if it's the next element that gets freed it
> crashes too.
>
> If we want alternatives, making a copy of all items in the list under
> rcu lock and then releasing and iterating over the copied list would
> work. Or we could add refcount or some other "don't free me yet" flag
> to the params (but we might want to make a copy still to ensure the
> flags aren't changed under us).
>
> I sent a patch adding a reproducer to mgmt-tester.c. There's maybe more
> ways that you can hit it with enough bad luck (or emulator timing
> help).
I guess we shall just do the local copy then, we anyway iterate over
the list a couple of times, doing one extra loop shouldn't make it
much worse beside with the current version is probably worst in this
respect.
>
> > > > > > }
> > > > > > @@ -2543,8 +2615,11 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
> > > > > > * the list of pending reports and also add these to the
> > > > > > * accept list if there is still space. Abort if space runs out.
> > > > > > */
> > > > > > - list_for_each_entry(params, &hdev->pend_le_reports, action) {
> > > > > > - err = hci_le_add_accept_list_sync(hdev, params, &num_entries);
> > > > > > +
> > > > > > + conn_params_add_iter_init(&hdev->pend_le_reports);
> > > > > > +
> > > > > > + while (conn_params_add_iter_next(&hdev->pend_le_reports, ¶ms)) {
> > > > > > + err = hci_le_add_accept_list_sync(hdev, ¶ms, &num_entries);
> > > > > > if (err)
> > > > > > goto done;
> > > > > > }
> > > > > > @@ -4837,12 +4912,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev)
> > > > > > struct hci_conn_params *p;
> > > > > >
> > > > > > list_for_each_entry(p, &hdev->le_conn_params, list) {
> > > > > > + hci_conn_params_set_pending(p, NULL);
> > > > > > if (p->conn) {
> > > > > > hci_conn_drop(p->conn);
> > > > > > hci_conn_put(p->conn);
> > > > > > p->conn = NULL;
> > > > > > }
> > > > > > - list_del_init(&p->action);
> > > > > > }
> > > > > >
> > > > > > BT_DBG("All LE pending actions cleared");
> > > > > > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> > > > > > index 61c8e1b8f3b0..b35b1c685b86 100644
> > > > > > --- a/net/bluetooth/mgmt.c
> > > > > > +++ b/net/bluetooth/mgmt.c
> > > > > > @@ -1303,15 +1303,15 @@ static void restart_le_actions(struct hci_dev *hdev)
> > > > > > /* Needed for AUTO_OFF case where might not "really"
> > > > > > * have been powered off.
> > > > > > */
> > > > > > - list_del_init(&p->action);
> > > > > > + hci_conn_params_set_pending(p, NULL);
> > > > > >
> > > > > > switch (p->auto_connect) {
> > > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > > - list_add(&p->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(p, &hdev->pend_le_conns);
> > > > > > break;
> > > > > > case HCI_AUTO_CONN_REPORT:
> > > > > > - list_add(&p->action, &hdev->pend_le_reports);
> > > > > > + hci_conn_params_set_pending(p, &hdev->pend_le_reports);
> > > > > > break;
> > > > > > default:
> > > > > > break;
> > > > > > @@ -5175,7 +5175,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
> > > > > > goto unlock;
> > > > > > }
> > > > > >
> > > > > > - params->flags = current_flags;
> > > > > > + WRITE_ONCE(params->flags, current_flags);
> > > > > > status = MGMT_STATUS_SUCCESS;
> > > > > >
> > > > > > /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
> > > > > > @@ -7586,7 +7586,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > > > > if (params->auto_connect == auto_connect)
> > > > > > return 0;
> > > > > >
> > > > > > - list_del_init(¶ms->action);
> > > > > > + hci_conn_params_set_pending(params, NULL);
> > > > > >
> > > > > > switch (auto_connect) {
> > > > > > case HCI_AUTO_CONN_DISABLED:
> > > > > > @@ -7595,18 +7595,22 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
> > > > > > * connect to device, keep connecting.
> > > > > > */
> > > > > > if (params->explicit_connect)
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params,
> > > > > > + &hdev->pend_le_conns);
> > > > > > break;
> > > > > > case HCI_AUTO_CONN_REPORT:
> > > > > > if (params->explicit_connect)
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params,
> > > > > > + &hdev->pend_le_conns);
> > > > > > else
> > > > > > - list_add(¶ms->action, &hdev->pend_le_reports);
> > > > > > + hci_conn_params_set_pending(params,
> > > > > > + &hdev->pend_le_reports);
> > > > > > break;
> > > > > > case HCI_AUTO_CONN_DIRECT:
> > > > > > case HCI_AUTO_CONN_ALWAYS:
> > > > > > if (!is_connected(hdev, addr, addr_type))
> > > > > > - list_add(¶ms->action, &hdev->pend_le_conns);
> > > > > > + hci_conn_params_set_pending(params,
> > > > > > + &hdev->pend_le_conns);
> > > > > > break;
> > > > > > }
> > > > > >
> > > > > > @@ -7829,9 +7833,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > > > > goto unlock;
> > > > > > }
> > > > > >
> > > > > > - list_del(¶ms->action);
> > > > > > - list_del(¶ms->list);
> > > > > > - kfree(params);
> > > > > > + hci_conn_params_free(params);
> > > > > >
> > > > > > device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
> > > > > > } else {
> > > > > > @@ -7862,9 +7864,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
> > > > > > p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
> > > > > > continue;
> > > > > > }
> > > > > > - list_del(&p->action);
> > > > > > - list_del(&p->list);
> > > > > > - kfree(p);
> > > > > > + hci_conn_params_free(p);
> > > > > > }
> > > > > >
> > > > > > bt_dev_dbg(hdev, "All LE connection parameters were removed");
> > > > > > --
> > > > > > 2.40.1
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Luiz Augusto von Dentz
> > > >
> > > >
> > > >
> > >
> >
> >
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2023-06-15 22:33 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-13 18:06 [PATCH v2 0/3] Bluetooth: ISO-related concurrency fixes Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Pauli Virtanen
2023-06-13 18:35 ` Bluetooth: ISO-related concurrency fixes bluez.test.bot
2023-06-13 19:04 ` [PATCH v2 1/3] Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync Luiz Augusto von Dentz
2023-06-13 19:38 ` Luiz Augusto von Dentz
2023-06-13 23:07 ` Pauli Virtanen
2023-06-14 16:19 ` Luiz Augusto von Dentz
2023-06-15 20:10 ` Pauli Virtanen
2023-06-15 22:32 ` Luiz Augusto von Dentz
2023-06-13 18:06 ` [PATCH v2 2/3] Bluetooth: hci_event: call disconnect callback before deleting conn Pauli Virtanen
2023-06-13 18:06 ` [PATCH v2 3/3] Bluetooth: ISO: fix iso_conn related locking and validity issues Pauli Virtanen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.