* RE: Bluetooth: Fix double free in hci_conn_cleanup
From: bluez.test.bot @ 2023-03-09 8:43 UTC
To: linux-bluetooth, wzhmmmmm
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=728135
---Test result---
Test Summary:
CheckPatch PASS 0.79 seconds
GitLint FAIL 0.66 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 46.02 seconds
CheckAllWarning PASS 50.61 seconds
CheckSparse PASS 56.37 seconds
CheckSmatch PASS 151.79 seconds
BuildKernel32 PASS 44.10 seconds
TestRunnerSetup PASS 629.37 seconds
TestRunner_l2cap-tester PASS 20.59 seconds
TestRunner_iso-tester PASS 22.83 seconds
TestRunner_bnep-tester PASS 8.18 seconds
TestRunner_mgmt-tester FAIL 146.90 seconds
TestRunner_rfcomm-tester PASS 12.44 seconds
TestRunner_sco-tester PASS 11.54 seconds
TestRunner_ioctl-tester FAIL 13.13 seconds
TestRunner_mesh-tester PASS 10.25 seconds
TestRunner_smp-tester PASS 10.93 seconds
TestRunner_userchan-tester PASS 8.58 seconds
IncrementalBuild PASS 41.29 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix double free in hci_conn_cleanup
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B2 Line has trailing whitespace: "After releasing an object using hci_conn_del_sysfs in the "
5: B2 Line has trailing whitespace: "hci_conn_cleanup function, releasing the same object again "
28: B2 Line has trailing whitespace: "This patch drop the hci_dev_put and hci_conn_put function "
29: B2 Line has trailing whitespace: "call in hci_conn_cleanup function, because the object is "
32: B1 Line exceeds max length (87>80): "Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]"
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 5, Not Run: 0
Failed Test Cases
Read Ext Controller Info 1 Failed 0.168 seconds
Read Ext Controller Info 2 Failed 0.196 seconds
Read Ext Controller Info 3 Failed 0.172 seconds
Read Ext Controller Info 4 Failed 0.184 seconds
Read Ext Controller Info 5 Failed 0.220 seconds
##############################
Test: TestRunner_ioctl-tester - FAIL
Desc: Run ioctl-tester with test-runner
Output:
No test result found
---
Regards,
Linux Bluetooth
* RE: Bluetooth: Fix double free in hci_conn_cleanup
From: bluez.test.bot @ 2023-03-09 10:02 UTC
To: linux-bluetooth, wzhmmmmm
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=728193
---Test result---
Test Summary:
CheckPatch PASS 0.76 seconds
GitLint FAIL 0.76 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 39.46 seconds
CheckAllWarning PASS 43.50 seconds
CheckSparse PASS 48.67 seconds
CheckSmatch PASS 129.92 seconds
BuildKernel32 PASS 39.50 seconds
TestRunnerSetup PASS 543.39 seconds
TestRunner_l2cap-tester PASS 18.91 seconds
TestRunner_iso-tester PASS 24.66 seconds
TestRunner_bnep-tester PASS 7.19 seconds
TestRunner_mgmt-tester FAIL 130.80 seconds
TestRunner_rfcomm-tester PASS 10.79 seconds
TestRunner_sco-tester PASS 10.10 seconds
TestRunner_ioctl-tester FAIL 12.00 seconds
TestRunner_mesh-tester PASS 9.13 seconds
TestRunner_smp-tester PASS 9.75 seconds
TestRunner_userchan-tester PASS 7.58 seconds
IncrementalBuild PASS 36.34 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix double free in hci_conn_cleanup
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
32: B1 Line exceeds max length (87>80): "Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]"
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 5, Not Run: 0
Failed Test Cases
Read Ext Controller Info 1 Failed 0.144 seconds
Read Ext Controller Info 2 Failed 0.176 seconds
Read Ext Controller Info 3 Failed 0.148 seconds
Read Ext Controller Info 4 Failed 0.144 seconds
Read Ext Controller Info 5 Failed 0.180 seconds
##############################
Test: TestRunner_ioctl-tester - FAIL
Desc: Run ioctl-tester with test-runner
Output:
No test result found
---
Regards,
Linux Bluetooth
* [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
From: Luiz Augusto von Dentz @ 2023-03-30 22:02 UTC
To: linux-bluetooth
From: ZhengHan Wang <wzhmmmmm@gmail.com>
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
  kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)
This patch drops the hci_dev_put and hci_conn_put function
calls in the hci_conn_cleanup function, because the object is
freed in the hci_conn_del_sysfs function.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_conn.c | 6 ++----
net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index e4aee5950c36..00d1e7201a44 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -168,13 +168,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
}
- hci_conn_del_sysfs(conn);
-
debugfs_remove_recursive(conn->debugfs);
- hci_dev_put(hdev);
+ hci_conn_del_sysfs(conn);
- hci_conn_put(conn);
+ hci_dev_put(hdev);
}
static void le_scan_cleanup(struct work_struct *work)
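Review bot: the commit message says the hci_dev_put() and hci_conn_put() calls are dropped, but this hunk keeps hci_dev_put(hdev) and removes only hci_conn_put(conn); please update the message to match what the diff does. Because hci_conn_del_sysfs() now ends in device_unregister() or put_device() (see the hci_sysfs.c hunks), it can drop the last reference on conn->dev, so moving it after debugfs_remove_recursive(conn->debugfs) is what makes it the final use of conn in this function; a one-line comment saying that conn must not be touched after that call would protect the ordering against future edits.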
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 08542dfc2dc5..633b82d54272 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
conn->dev.type = &bt_link;
conn->dev.class = bt_class;
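Review bot: the BT_DBG() to bt_dev_dbg(hdev, ...) change in hci_conn_init_sysfs() is unrelated to the double free; a fix that references a syzkaller report is likely to be backported, and carrying cosmetic logging changes along makes the stable patch noisier than it needs to be, so consider splitting the two bt_dev_dbg() conversions into a separate patch.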
@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
if (device_is_registered(&conn->dev))
return;
dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
- if (device_add(&conn->dev) < 0) {
+ if (device_add(&conn->dev) < 0)
bt_dev_err(hdev, "failed to register connection device");
- return;
- }
-
- hci_dev_hold(hdev);
}
void hci_conn_del_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- if (!device_is_registered(&conn->dev))
+ bt_dev_dbg(hdev, "conn %p", conn);
+
+ if (!device_is_registered(&conn->dev)) {
+ /* If device_add() has *not* succeeded, use *only* put_device()
+ * to drop the reference count.
+ */
+ put_device(&conn->dev);
return;
+ }
while (1) {
struct device *dev;
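Review bot: in hci_conn_add_sysfs() the device_add() failure branch no longer returns early, which is only safe because nothing follows bt_dev_err() now that hci_dev_hold(hdev) is gone; the commit message should state that the hdev hold/put pair is being removed from the sysfs helpers, since that is what balances the hci_dev_put(hdev) deleted in the last hunk. In hci_conn_del_sysfs() the new put_device(&conn->dev) on the unregistered path is the right way to release a device whose device_add() failed, but the comment should also say that this path is taken when hci_conn_add_sysfs() was never called at all, and that the function must therefore run exactly once per conn: a second call would put_device() an already released device.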
@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
put_device(dev);
}
- device_del(&conn->dev);
-
- hci_dev_put(hdev);
+ device_unregister(&conn->dev);
}
static void bt_host_release(struct device *dev)
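Review bot: device_unregister() is device_del() followed by put_device(), so this hunk now drops the conn->dev reference that hci_conn_put(conn) used to drop in hci_conn_cleanup(); the call flow in the commit message should show that pairing rather than the hci_dev_put() chain, because the hci_dev_put(hdev) removed here is balanced by dropping hci_dev_hold(hdev) in hci_conn_add_sysfs(), not by the hci_conn_cleanup() change.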
--
2.39.2
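A constructed user-space model of the reference counting the patched hci_conn_del_sysfs() relies on, added here as an example and not code from the patch or the kernel; the model_* helpers and run_cleanup() are invented names, and extra_put stands for the hci_conn_put() call the hci_conn.c hunk removes from hci_conn_cleanup():

```c
#include <stdbool.h>

/* Constructed model (not kernel code) of the driver-core reference counting
 * hci_conn_del_sysfs() relies on after this patch.  Names are invented to
 * mirror the kernel helpers; "freed" stands in for the release callback. */
struct model_dev {
	int refs;        /* kref on the embedded struct device */
	bool registered; /* device_add() succeeded */
	bool freed;      /* release callback already ran */
	int double_puts; /* puts that arrived after the object was freed */
};

/* device_initialize(): the caller owns the first reference. */
static void model_device_initialize(struct model_dev *d)
{
	d->refs = 1;
	d->registered = d->freed = false;
	d->double_puts = 0;
}

/* put_device(): drop one reference; the last one frees the object.
 * A put on an already freed object is the double free the patch removes. */
static void model_put_device(struct model_dev *d)
{
	if (d->freed)
		d->double_puts++;
	else if (--d->refs == 0)
		d->freed = true;
}

/* hci_conn_del_sysfs() as changed by the patch: exactly one reference is
 * dropped whether or not device_add() ever succeeded, because
 * device_unregister() is device_del() followed by put_device(). */
static void model_del_sysfs(struct model_dev *d)
{
	if (d->registered)
		d->registered = false;  /* device_del() half of device_unregister() */
	model_put_device(d);            /* put_device() on both branches */
}

/* Runs the cleanup path.  add_fails models device_add() failing (the caller
 * then still owns the initial reference); extra_put models an hci_conn_put()
 * left after hci_conn_del_sysfs().  Returns how many puts hit freed memory. */
static int run_cleanup(bool add_fails, bool extra_put)
{
	struct model_dev d;
	model_device_initialize(&d);
	if (!add_fails)
		d.registered = true;    /* device_add() succeeded */
	model_del_sysfs(&d);
	if (extra_put)
		model_put_device(&d);
	return d.double_puts;
}
```

The patched sequence returns 0 on both the registered and the failed-device_add() paths; leaving the extra put in place returns 1 on both, which is the double drop the patch removes.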
* RE: Bluetooth: Fix double free in hci_conn_cleanup
From: bluez.test.bot @ 2023-03-30 22:32 UTC
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=735596
---Test result---
Test Summary:
CheckPatch PASS 0.75 seconds
GitLint FAIL 0.53 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 31.29 seconds
CheckAllWarning PASS 34.91 seconds
CheckSparse PASS 39.07 seconds
CheckSmatch PASS 108.89 seconds
BuildKernel32 PASS 30.34 seconds
TestRunnerSetup PASS 435.71 seconds
TestRunner_l2cap-tester PASS 16.15 seconds
TestRunner_iso-tester PASS 15.63 seconds
TestRunner_bnep-tester PASS 5.10 seconds
TestRunner_mgmt-tester PASS 106.90 seconds
TestRunner_rfcomm-tester PASS 8.21 seconds
TestRunner_sco-tester PASS 7.51 seconds
TestRunner_ioctl-tester PASS 8.72 seconds
TestRunner_mesh-tester PASS 6.37 seconds
TestRunner_smp-tester PASS 7.38 seconds
TestRunner_userchan-tester PASS 5.29 seconds
IncrementalBuild PASS 28.65 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix double free in hci_conn_cleanup
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
34: B1 Line exceeds max length (87>80): "Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]"
---
Regards,
Linux Bluetooth
* RE: Bluetooth: Fix double free in hci_conn_cleanup
From: bluez.test.bot @ 2023-03-30 22:32 UTC
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=735599
---Test result---
Test Summary:
CheckPatch PASS 1.52 seconds
GitLint FAIL 0.92 seconds
SubjectPrefix PASS 0.25 seconds
BuildKernel PASS 31.54 seconds
CheckAllWarning PASS 34.24 seconds
CheckSparse WARNING 38.81 seconds
CheckSmatch WARNING 108.45 seconds
BuildKernel32 PASS 30.22 seconds
TestRunnerSetup PASS 432.40 seconds
TestRunner_l2cap-tester PASS 15.85 seconds
TestRunner_iso-tester PASS 15.51 seconds
TestRunner_bnep-tester PASS 5.08 seconds
TestRunner_mgmt-tester PASS 107.05 seconds
TestRunner_rfcomm-tester PASS 8.07 seconds
TestRunner_sco-tester PASS 7.52 seconds
TestRunner_ioctl-tester PASS 8.65 seconds
TestRunner_mesh-tester PASS 6.45 seconds
TestRunner_smp-tester PASS 7.39 seconds
TestRunner_userchan-tester PASS 5.30 seconds
IncrementalBuild PASS 33.27 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix double free in hci_conn_cleanup
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
34: B1 Line exceeds max length (87>80): "Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]"
[2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (82>80): "[2/2] Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt"
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:149:35: warning: array of flexible structures
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:149:35: warning: array of flexible structures
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
From: Jay Foster @ 2023-03-31 15:09 UTC
To: Luiz Augusto von Dentz, linux-bluetooth
Do you think this might be the cause of
https://bugzilla.kernel.org/show_bug.cgi?id=201269 ?
Jay
On 3/30/23 3:02 PM, Luiz Augusto von Dentz wrote:
> From: ZhengHan Wang <wzhmmmmm@gmail.com>
>
> syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
> After releasing an object using hci_conn_del_sysfs in the
> hci_conn_cleanup function, releasing the same object again
> using the hci_dev_put and hci_conn_put functions causes a double free.
> Here's a simplified flow:
>
> hci_conn_del_sysfs:
>   hci_dev_put
>     put_device
>       kobject_put
>         kref_put
>           kobject_release
>             kobject_cleanup
>               kfree_const
>                 kfree(name)
>
> hci_dev_put:
>   ...
>   kfree(name)
>
> hci_conn_put:
>   put_device
>     ...
>       kfree(name)
>
> This patch drops the hci_dev_put and hci_conn_put function
> calls in the hci_conn_cleanup function, because the object is
> freed in the hci_conn_del_sysfs function.
>
> Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
>
> Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_conn.c | 6 ++----
> net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
> 2 files changed, 14 insertions(+), 15 deletions(-)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index e4aee5950c36..00d1e7201a44 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -168,13 +168,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
> hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
> }
>
> - hci_conn_del_sysfs(conn);
> -
> debugfs_remove_recursive(conn->debugfs);
>
> - hci_dev_put(hdev);
> + hci_conn_del_sysfs(conn);
>
> - hci_conn_put(conn);
> + hci_dev_put(hdev);
> }
>
> static void le_scan_cleanup(struct work_struct *work)
> diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
> index 08542dfc2dc5..633b82d54272 100644
> --- a/net/bluetooth/hci_sysfs.c
> +++ b/net/bluetooth/hci_sysfs.c
> @@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> - BT_DBG("conn %p", conn);
> + bt_dev_dbg(hdev, "conn %p", conn);
>
> conn->dev.type = &bt_link;
> conn->dev.class = bt_class;
> @@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> - BT_DBG("conn %p", conn);
> + bt_dev_dbg(hdev, "conn %p", conn);
>
> if (device_is_registered(&conn->dev))
> return;
>
> dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
>
> - if (device_add(&conn->dev) < 0) {
> + if (device_add(&conn->dev) < 0)
> bt_dev_err(hdev, "failed to register connection device");
> - return;
> - }
> -
> - hci_dev_hold(hdev);
> }
>
> void hci_conn_del_sysfs(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> - if (!device_is_registered(&conn->dev))
> + bt_dev_dbg(hdev, "conn %p", conn);
> +
> + if (!device_is_registered(&conn->dev)) {
> + /* If device_add() has *not* succeeded, use *only* put_device()
> + * to drop the reference count.
> + */
> + put_device(&conn->dev);
> return;
> + }
>
> while (1) {
> struct device *dev;
> @@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
> put_device(dev);
> }
>
> - device_del(&conn->dev);
> -
> - hci_dev_put(hdev);
> + device_unregister(&conn->dev);
> }
>
> static void bt_host_release(struct device *dev)