* [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
@ 2023-03-30 22:03 Luiz Augusto von Dentz
2023-03-30 22:03 ` [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Luiz Augusto von Dentz
` (3 more replies)
0 siblings, 4 replies; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-03-30 22:03 UTC (permalink / raw)
To: linux-bluetooth
From: ZhengHan Wang <wzhmmmmm@gmail.com>
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_conn.c | 6 ++----
net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index e4aee5950c36..00d1e7201a44 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -168,13 +168,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
}
- hci_conn_del_sysfs(conn);
-
debugfs_remove_recursive(conn->debugfs);
- hci_dev_put(hdev);
+ hci_conn_del_sysfs(conn);
- hci_conn_put(conn);
+ hci_dev_put(hdev);
}
static void le_scan_cleanup(struct work_struct *work)
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 08542dfc2dc5..633b82d54272 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
conn->dev.type = &bt_link;
conn->dev.class = bt_class;
@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
if (device_is_registered(&conn->dev))
return;
dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
- if (device_add(&conn->dev) < 0) {
+ if (device_add(&conn->dev) < 0)
bt_dev_err(hdev, "failed to register connection device");
- return;
- }
-
- hci_dev_hold(hdev);
}
void hci_conn_del_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- if (!device_is_registered(&conn->dev))
+ bt_dev_dbg(hdev, "conn %p", conn);
+
+ if (!device_is_registered(&conn->dev)) {
+ /* If device_add() has *not* succeeded, use *only* put_device()
+ * to drop the reference count.
+ */
+ put_device(&conn->dev);
return;
+ }
while (1) {
struct device *dev;
@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
put_device(dev);
}
- device_del(&conn->dev);
-
- hci_dev_put(hdev);
+ device_unregister(&conn->dev);
}
static void bt_host_release(struct device *dev)
--
2.39.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm
2023-03-30 22:03 [PATCH] Bluetooth: Fix double free in hci_conn_cleanup Luiz Augusto von Dentz
@ 2023-03-30 22:03 ` Luiz Augusto von Dentz
2023-03-30 22:35 ` [1/2] " bluez.test.bot
2023-03-31 22:10 ` [PATCH 1/2] " patchwork-bot+bluetooth
2023-03-30 22:03 ` [PATCH 2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt Luiz Augusto von Dentz
` (2 subsequent siblings)
3 siblings, 2 replies; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-03-30 22:03 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This attempts to fix the following trace:
======================================================
WARNING: possible circular locking dependency detected
6.3.0-rc2-g0b93eeba4454 #4703 Not tainted
------------------------------------------------------
kworker/u3:0/46 is trying to acquire lock:
ffff888001fd9130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
sco_connect_cfm+0x118/0x4a0
but task is already holding lock:
ffffffff831e3340 (hci_cb_list_lock){+.+.}-{3:3}, at:
hci_sync_conn_complete_evt+0x1ad/0x3d0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (hci_cb_list_lock){+.+.}-{3:3}:
__mutex_lock+0x13b/0xcc0
hci_sync_conn_complete_evt+0x1ad/0x3d0
hci_event_packet+0x55c/0x7c0
hci_rx_work+0x34c/0xa00
process_one_work+0x575/0x910
worker_thread+0x89/0x6f0
kthread+0x14e/0x180
ret_from_fork+0x2b/0x50
-> #1 (&hdev->lock){+.+.}-{3:3}:
__mutex_lock+0x13b/0xcc0
sco_sock_connect+0xfc/0x630
__sys_connect+0x197/0x1b0
__x64_sys_connect+0x37/0x50
do_syscall_64+0x42/0x90
entry_SYSCALL_64_after_hwframe+0x70/0xda
-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
__lock_acquire+0x18cc/0x3740
lock_acquire+0x151/0x3a0
lock_sock_nested+0x32/0x80
sco_connect_cfm+0x118/0x4a0
hci_sync_conn_complete_evt+0x1e6/0x3d0
hci_event_packet+0x55c/0x7c0
hci_rx_work+0x34c/0xa00
process_one_work+0x575/0x910
worker_thread+0x89/0x6f0
kthread+0x14e/0x180
ret_from_fork+0x2b/0x50
other info that might help us debug this:
Chain exists of:
sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(hci_cb_list_lock);
lock(&hdev->lock);
lock(hci_cb_list_lock);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
*** DEADLOCK ***
4 locks held by kworker/u3:0/46:
#0: ffff8880028d1130 ((wq_completion)hci0#2){+.+.}-{0:0}, at:
process_one_work+0x4c0/0x910
#1: ffff8880013dfde0 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0},
at: process_one_work+0x4c0/0x910
#2: ffff8880025d8070 (&hdev->lock){+.+.}-{3:3}, at:
hci_sync_conn_complete_evt+0xa6/0x3d0
#3: ffffffffb79e3340 (hci_cb_list_lock){+.+.}-{3:3}, at:
hci_sync_conn_complete_evt+0x1ad/0x3d0
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 69 ++++++++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 29 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 1111da4e2f2b..f3a5ab9e4fa4 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -235,27 +235,41 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
return err;
}
-static int sco_connect(struct hci_dev *hdev, struct sock *sk)
+static int sco_connect(struct sock *sk)
{
struct sco_conn *conn;
struct hci_conn *hcon;
+ struct hci_dev *hdev;
int err, type;
BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
+ hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
+ if (!hdev)
+ return -EHOSTUNREACH;
+
+ hci_dev_lock(hdev);
+
if (lmp_esco_capable(hdev) && !disable_esco)
type = ESCO_LINK;
else
type = SCO_LINK;
if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
- (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)))
- return -EOPNOTSUPP;
+ (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
+ err = -EOPNOTSUPP;
+ goto unlock;
+ }
hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
sco_pi(sk)->setting, &sco_pi(sk)->codec);
- if (IS_ERR(hcon))
- return PTR_ERR(hcon);
+ if (IS_ERR(hcon)) {
+ err = PTR_ERR(hcon);
+ goto unlock;
+ }
+
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
conn = sco_conn_add(hcon);
if (!conn) {
@@ -263,13 +277,15 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
return -ENOMEM;
}
- /* Update source addr of the socket */
- bacpy(&sco_pi(sk)->src, &hcon->src);
-
err = sco_chan_add(conn, sk, NULL);
if (err)
return err;
+ lock_sock(sk);
+
+ /* Update source addr of the socket */
+ bacpy(&sco_pi(sk)->src, &hcon->src);
+
if (hcon->state == BT_CONNECTED) {
sco_sock_clear_timer(sk);
sk->sk_state = BT_CONNECTED;
@@ -278,6 +294,13 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
sco_sock_set_timer(sk, sk->sk_sndtimeo);
}
+ release_sock(sk);
+
+ return err;
+
+unlock:
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
return err;
}
@@ -565,7 +588,6 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
{
struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
struct sock *sk = sock->sk;
- struct hci_dev *hdev;
int err;
BT_DBG("sk %p", sk);
@@ -574,37 +596,26 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
- lock_sock(sk);
- if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
- err = -EBADFD;
- goto done;
- }
+ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
+ return -EBADFD;
- if (sk->sk_type != SOCK_SEQPACKET) {
+ if (sk->sk_type != SOCK_SEQPACKET)
err = -EINVAL;
- goto done;
- }
-
- hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR);
- if (!hdev) {
- err = -EHOSTUNREACH;
- goto done;
- }
- hci_dev_lock(hdev);
+ lock_sock(sk);
/* Set destination address and psm */
bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
+ release_sock(sk);
- err = sco_connect(hdev, sk);
- hci_dev_unlock(hdev);
- hci_dev_put(hdev);
+ err = sco_connect(sk);
if (err)
- goto done;
+ return err;
+
+ lock_sock(sk);
err = bt_sock_wait_state(sk, BT_CONNECTED,
sock_sndtimeo(sk, flags & O_NONBLOCK));
-done:
release_sock(sk);
return err;
}
--
2.39.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt
2023-03-30 22:03 [PATCH] Bluetooth: Fix double free in hci_conn_cleanup Luiz Augusto von Dentz
2023-03-30 22:03 ` [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Luiz Augusto von Dentz
@ 2023-03-30 22:03 ` Luiz Augusto von Dentz
2023-03-30 22:32 ` Bluetooth: Fix double free in hci_conn_cleanup bluez.test.bot
2023-03-31 22:10 ` [PATCH] " patchwork-bot+bluetooth
3 siblings, 0 replies; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-03-30 22:03 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This attempts to fix the following trace:
======================================================
WARNING: possible circular locking dependency detected
6.3.0-rc2-g68fcb3a7bf97 #4706 Not tainted
------------------------------------------------------
sco-tester/31 is trying to acquire lock:
ffff8880025b8070 (&hdev->lock){+.+.}-{3:3}, at:
sco_sock_getsockopt+0x1fc/0xa90
but task is already holding lock:
ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
sco_sock_getsockopt+0x104/0xa90
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
lock_sock_nested+0x32/0x80
sco_connect_cfm+0x118/0x4a0
hci_sync_conn_complete_evt+0x1e6/0x3d0
hci_event_packet+0x55c/0x7c0
hci_rx_work+0x34c/0xa00
process_one_work+0x575/0x910
worker_thread+0x89/0x6f0
kthread+0x14e/0x180
ret_from_fork+0x2b/0x50
-> #1 (hci_cb_list_lock){+.+.}-{3:3}:
__mutex_lock+0x13b/0xcc0
hci_sync_conn_complete_evt+0x1ad/0x3d0
hci_event_packet+0x55c/0x7c0
hci_rx_work+0x34c/0xa00
process_one_work+0x575/0x910
worker_thread+0x89/0x6f0
kthread+0x14e/0x180
ret_from_fork+0x2b/0x50
-> #0 (&hdev->lock){+.+.}-{3:3}:
__lock_acquire+0x18cc/0x3740
lock_acquire+0x151/0x3a0
__mutex_lock+0x13b/0xcc0
sco_sock_getsockopt+0x1fc/0xa90
__sys_getsockopt+0xe9/0x190
__x64_sys_getsockopt+0x5b/0x70
do_syscall_64+0x42/0x90
entry_SYSCALL_64_after_hwframe+0x70/0xda
other info that might help us debug this:
Chain exists of:
&hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
lock(hci_cb_list_lock);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
lock(&hdev->lock);
*** DEADLOCK ***
1 lock held by sco-tester/31:
#0: ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0},
at: sco_sock_getsockopt+0x104/0xa90
Fixes: 248733e87d50 ("Bluetooth: Allow querying of supported offload codecs over SCO socket")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/sco.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index f3a5ab9e4fa4..cd1a27ac555d 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -1140,6 +1140,8 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
break;
}
+ release_sock(sk);
+
/* find total buffer size required to copy codec + caps */
hci_dev_lock(hdev);
list_for_each_entry(c, &hdev->local_codecs, list) {
@@ -1157,15 +1159,13 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
buf_len += sizeof(struct bt_codecs);
if (buf_len > len) {
hci_dev_put(hdev);
- err = -ENOBUFS;
- break;
+ return -ENOBUFS;
}
ptr = optval;
if (put_user(num_codecs, ptr)) {
hci_dev_put(hdev);
- err = -EFAULT;
- break;
+ return -EFAULT;
}
ptr += sizeof(num_codecs);
@@ -1205,12 +1205,14 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
ptr += len;
}
- if (!err && put_user(buf_len, optlen))
- err = -EFAULT;
-
hci_dev_unlock(hdev);
hci_dev_put(hdev);
+ lock_sock(sk);
+
+ if (!err && put_user(buf_len, optlen))
+ err = -EFAULT;
+
break;
default:
--
2.39.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* RE: Bluetooth: Fix double free in hci_conn_cleanup
2023-03-30 22:03 [PATCH] Bluetooth: Fix double free in hci_conn_cleanup Luiz Augusto von Dentz
2023-03-30 22:03 ` [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Luiz Augusto von Dentz
2023-03-30 22:03 ` [PATCH 2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt Luiz Augusto von Dentz
@ 2023-03-30 22:32 ` bluez.test.bot
2023-03-31 22:10 ` [PATCH] " patchwork-bot+bluetooth
3 siblings, 0 replies; 11+ messages in thread
From: bluez.test.bot @ 2023-03-30 22:32 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 3071 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=735599
---Test result---
Test Summary:
CheckPatch PASS 1.52 seconds
GitLint FAIL 0.92 seconds
SubjectPrefix PASS 0.25 seconds
BuildKernel PASS 31.54 seconds
CheckAllWarning PASS 34.24 seconds
CheckSparse WARNING 38.81 seconds
CheckSmatch WARNING 108.45 seconds
BuildKernel32 PASS 30.22 seconds
TestRunnerSetup PASS 432.40 seconds
TestRunner_l2cap-tester PASS 15.85 seconds
TestRunner_iso-tester PASS 15.51 seconds
TestRunner_bnep-tester PASS 5.08 seconds
TestRunner_mgmt-tester PASS 107.05 seconds
TestRunner_rfcomm-tester PASS 8.07 seconds
TestRunner_sco-tester PASS 7.52 seconds
TestRunner_ioctl-tester PASS 8.65 seconds
TestRunner_mesh-tester PASS 6.45 seconds
TestRunner_smp-tester PASS 7.39 seconds
TestRunner_userchan-tester PASS 5.30 seconds
IncrementalBuild PASS 33.27 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix double free in hci_conn_cleanup
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
34: B1 Line exceeds max length (87>80): "Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]"
[2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (82>80): "[2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt"
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:149:35: warning: array of flexible structures
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:149:35: warning: array of flexible structures
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: [1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm
2023-03-30 22:03 ` [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Luiz Augusto von Dentz
@ 2023-03-30 22:35 ` bluez.test.bot
2023-03-31 22:10 ` [PATCH 1/2] " patchwork-bot+bluetooth
1 sibling, 0 replies; 11+ messages in thread
From: bluez.test.bot @ 2023-03-30 22:35 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 2532 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=735600
---Test result---
Test Summary:
CheckPatch PASS 0.65 seconds
GitLint FAIL 0.60 seconds
SubjectPrefix PASS 0.06 seconds
BuildKernel PASS 37.70 seconds
CheckAllWarning PASS 40.95 seconds
CheckSparse WARNING 45.92 seconds
CheckSmatch WARNING 125.20 seconds
BuildKernel32 PASS 36.44 seconds
TestRunnerSetup PASS 513.59 seconds
TestRunner_l2cap-tester PASS 17.98 seconds
TestRunner_iso-tester PASS 18.34 seconds
TestRunner_bnep-tester PASS 6.32 seconds
TestRunner_mgmt-tester PASS 121.86 seconds
TestRunner_rfcomm-tester PASS 9.78 seconds
TestRunner_sco-tester PASS 8.97 seconds
TestRunner_ioctl-tester PASS 10.44 seconds
TestRunner_mesh-tester PASS 7.75 seconds
TestRunner_smp-tester PASS 8.86 seconds
TestRunner_userchan-tester PASS 6.47 seconds
IncrementalBuild PASS 34.31 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (81>80): "[1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm"
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:149:35: warning: array of flexible structures
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:149:35: warning: array of flexible structures
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
2023-03-30 22:03 [PATCH] Bluetooth: Fix double free in hci_conn_cleanup Luiz Augusto von Dentz
` (2 preceding siblings ...)
2023-03-30 22:32 ` Bluetooth: Fix double free in hci_conn_cleanup bluez.test.bot
@ 2023-03-31 22:10 ` patchwork-bot+bluetooth
3 siblings, 0 replies; 11+ messages in thread
From: patchwork-bot+bluetooth @ 2023-03-31 22:10 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 30 Mar 2023 15:03:30 -0700 you wrote:
> From: ZhengHan Wang <wzhmmmmm@gmail.com>
>
> syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
> After releasing an object using hci_conn_del_sysfs in the
> hci_conn_cleanup function, releasing the same object again
> using the hci_dev_put and hci_conn_put functions causes a double free.
> Here's a simplified flow:
>
> [...]
Here is the summary with links:
- Bluetooth: Fix double free in hci_conn_cleanup
(no matching commit)
- [2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt
https://git.kernel.org/bluetooth/bluetooth-next/c/c545d02663ac
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm
2023-03-30 22:03 ` [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Luiz Augusto von Dentz
2023-03-30 22:35 ` [1/2] " bluez.test.bot
@ 2023-03-31 22:10 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 11+ messages in thread
From: patchwork-bot+bluetooth @ 2023-03-31 22:10 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 30 Mar 2023 15:03:31 -0700 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This attempts to fix the following trace:
>
> ======================================================
> WARNING: possible circular locking dependency detected
> 6.3.0-rc2-g0b93eeba4454 #4703 Not tainted
>
> [...]
Here is the summary with links:
- [1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm
https://git.kernel.org/bluetooth/bluetooth-next/c/53fd49a194f6
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
2023-03-30 22:02 Luiz Augusto von Dentz
@ 2023-03-31 15:09 ` Jay Foster
0 siblings, 0 replies; 11+ messages in thread
From: Jay Foster @ 2023-03-31 15:09 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
Do you think this might be the cause of
https://bugzilla.kernel.org/show_bug.cgi?id=201269 ?
Jay
On 3/30/23 3:02 PM, Luiz Augusto von Dentz wrote:
> From: ZhengHan Wang <wzhmmmmm@gmail.com>
>
> syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
> After releasing an object using hci_conn_del_sysfs in the
> hci_conn_cleanup function, releasing the same object again
> using the hci_dev_put and hci_conn_put functions causes a double free.
> Here's a simplified flow:
>
> hci_conn_del_sysfs:
> hci_dev_put
> put_device
> kobject_put
> kref_put
> kobject_release
> kobject_cleanup
> kfree_const
> kfree(name)
>
> hci_dev_put:
> ...
> kfree(name)
>
> hci_conn_put:
> put_device
> ...
> kfree(name)
>
> This patch drop the hci_dev_put and hci_conn_put function
> call in hci_conn_cleanup function, because the object is
> freed in hci_conn_del_sysfs function.
>
> Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
>
> Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_conn.c | 6 ++----
> net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
> 2 files changed, 14 insertions(+), 15 deletions(-)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index e4aee5950c36..00d1e7201a44 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -168,13 +168,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
> hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
> }
>
> - hci_conn_del_sysfs(conn);
> -
> debugfs_remove_recursive(conn->debugfs);
>
> - hci_dev_put(hdev);
> + hci_conn_del_sysfs(conn);
>
> - hci_conn_put(conn);
> + hci_dev_put(hdev);
> }
>
> static void le_scan_cleanup(struct work_struct *work)
> diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
> index 08542dfc2dc5..633b82d54272 100644
> --- a/net/bluetooth/hci_sysfs.c
> +++ b/net/bluetooth/hci_sysfs.c
> @@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> - BT_DBG("conn %p", conn);
> + bt_dev_dbg(hdev, "conn %p", conn);
>
> conn->dev.type = &bt_link;
> conn->dev.class = bt_class;
> @@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> - BT_DBG("conn %p", conn);
> + bt_dev_dbg(hdev, "conn %p", conn);
>
> if (device_is_registered(&conn->dev))
> return;
>
> dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
>
> - if (device_add(&conn->dev) < 0) {
> + if (device_add(&conn->dev) < 0)
> bt_dev_err(hdev, "failed to register connection device");
> - return;
> - }
> -
> - hci_dev_hold(hdev);
> }
>
> void hci_conn_del_sysfs(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> - if (!device_is_registered(&conn->dev))
> + bt_dev_dbg(hdev, "conn %p", conn);
> +
> + if (!device_is_registered(&conn->dev)) {
> + /* If device_add() has *not* succeeded, use *only* put_device()
> + * to drop the reference count.
> + */
> + put_device(&conn->dev);
> return;
> + }
>
> while (1) {
> struct device *dev;
> @@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
> put_device(dev);
> }
>
> - device_del(&conn->dev);
> -
> - hci_dev_put(hdev);
> + device_unregister(&conn->dev);
> }
>
> static void bt_host_release(struct device *dev)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
@ 2023-03-30 22:02 Luiz Augusto von Dentz
2023-03-31 15:09 ` Jay Foster
0 siblings, 1 reply; 11+ messages in thread
From: Luiz Augusto von Dentz @ 2023-03-30 22:02 UTC (permalink / raw)
To: linux-bluetooth
From: ZhengHan Wang <wzhmmmmm@gmail.com>
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_conn.c | 6 ++----
net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index e4aee5950c36..00d1e7201a44 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -168,13 +168,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
}
- hci_conn_del_sysfs(conn);
-
debugfs_remove_recursive(conn->debugfs);
- hci_dev_put(hdev);
+ hci_conn_del_sysfs(conn);
- hci_conn_put(conn);
+ hci_dev_put(hdev);
}
static void le_scan_cleanup(struct work_struct *work)
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 08542dfc2dc5..633b82d54272 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
conn->dev.type = &bt_link;
conn->dev.class = bt_class;
@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
if (device_is_registered(&conn->dev))
return;
dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
- if (device_add(&conn->dev) < 0) {
+ if (device_add(&conn->dev) < 0)
bt_dev_err(hdev, "failed to register connection device");
- return;
- }
-
- hci_dev_hold(hdev);
}
void hci_conn_del_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- if (!device_is_registered(&conn->dev))
+ bt_dev_dbg(hdev, "conn %p", conn);
+
+ if (!device_is_registered(&conn->dev)) {
+ /* If device_add() has *not* succeeded, use *only* put_device()
+ * to drop the reference count.
+ */
+ put_device(&conn->dev);
return;
+ }
while (1) {
struct device *dev;
@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
put_device(dev);
}
- device_del(&conn->dev);
-
- hci_dev_put(hdev);
+ device_unregister(&conn->dev);
}
static void bt_host_release(struct device *dev)
--
2.39.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
@ 2023-03-09 9:34 ZhengHan Wang
0 siblings, 0 replies; 11+ messages in thread
From: ZhengHan Wang @ 2023-03-09 9:34 UTC (permalink / raw)
To: linux-bluetooth; +Cc: ZhengHan Wang
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
---
net/bluetooth/hci_conn.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index acf563fbdfd9..a0ccbef34bc2 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -152,10 +152,6 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hci_conn_del_sysfs(conn);
debugfs_remove_recursive(conn->debugfs);
-
- hci_dev_put(hdev);
-
- hci_conn_put(conn);
}
static void le_scan_cleanup(struct work_struct *work)
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
@ 2023-03-09 7:46 ZhengHan Wang
0 siblings, 0 replies; 11+ messages in thread
From: ZhengHan Wang @ 2023-03-09 7:46 UTC (permalink / raw)
To: marcel, johan.hedberg, luiz.dentz
Cc: linux-bluetooth, netdev, linux-kernel, ZhengHan Wang
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
---
net/bluetooth/hci_conn.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index acf563fbdfd9..a0ccbef34bc2 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -152,10 +152,6 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hci_conn_del_sysfs(conn);
debugfs_remove_recursive(conn->debugfs);
-
- hci_dev_put(hdev);
-
- hci_conn_put(conn);
}
static void le_scan_cleanup(struct work_struct *work)
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2023-03-31 22:10 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-30 22:03 [PATCH] Bluetooth: Fix double free in hci_conn_cleanup Luiz Augusto von Dentz
2023-03-30 22:03 ` [PATCH 1/2] Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Luiz Augusto von Dentz
2023-03-30 22:35 ` [1/2] " bluez.test.bot
2023-03-31 22:10 ` [PATCH 1/2] " patchwork-bot+bluetooth
2023-03-30 22:03 ` [PATCH 2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt Luiz Augusto von Dentz
2023-03-30 22:32 ` Bluetooth: Fix double free in hci_conn_cleanup bluez.test.bot
2023-03-31 22:10 ` [PATCH] " patchwork-bot+bluetooth
-- strict thread matches above, loose matches on Subject: below --
2023-03-30 22:02 Luiz Augusto von Dentz
2023-03-31 15:09 ` Jay Foster
2023-03-09 9:34 ZhengHan Wang
2023-03-09 7:46 ZhengHan Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).