* [PATCH v3 1/6] Bluetooth: Fix potential double free caused by hci_conn_unlink
2023-05-02 14:57 [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
@ 2023-05-02 14:57 ` Ruihan Li
2023-05-02 15:35 ` bluez.test.bot
2023-05-02 14:57 ` [PATCH v3 2/6] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink Ruihan Li
` (4 subsequent siblings)
5 siblings, 1 reply; 12+ messages in thread
From: Ruihan Li @ 2023-05-02 14:57 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li,
syzbot+690b90b14f14f43f4688
The hci_conn_unlink function is being called by hci_conn_del, which
means it should not call hci_conn_del with the input parameter conn
again. If it does, conn may have already been released when
hci_conn_unlink returns, leading to potential UAF and double-free
issues.
This patch resolves the problem by modifying hci_conn_unlink to release
only conn's child links when necessary, but never release conn itself.
Reported-by: syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
net/bluetooth/hci_conn.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 640b951bf..70e1655a9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1083,8 +1083,18 @@ static void hci_conn_unlink(struct hci_conn *conn)
if (!conn->parent) {
struct hci_link *link, *t;
- list_for_each_entry_safe(link, t, &conn->link_list, list)
- hci_conn_unlink(link->conn);
+ list_for_each_entry_safe(link, t, &conn->link_list, list) {
+ struct hci_conn *child = link->conn;
+
+ hci_conn_unlink(child);
+
+ /* Due to race, SCO connection might be not established
+ * yet at this point. Delete it now, otherwise it is
+ * possible for it to be stuck and can't be deleted.
+ */
+ if (child->handle == HCI_CONN_HANDLE_UNSET)
+ hci_conn_del(child);
+ }
return;
}
@@ -1100,13 +1110,6 @@ static void hci_conn_unlink(struct hci_conn *conn)
kfree(conn->link);
conn->link = NULL;
-
- /* Due to race, SCO connection might be not established
- * yet at this point. Delete it now, otherwise it is
- * possible for it to be stuck and can't be deleted.
- */
- if (conn->handle == HCI_CONN_HANDLE_UNSET)
- hci_conn_del(conn);
}
int hci_conn_del(struct hci_conn *conn)
--
2.40.0
^ permalink raw reply related [flat|nested] 12+ messages in thread* RE: Bluetooth: Fix potential double free caused by hci_conn_unlink
2023-05-02 14:57 ` [PATCH v3 1/6] " Ruihan Li
@ 2023-05-02 15:35 ` bluez.test.bot
0 siblings, 0 replies; 12+ messages in thread
From: bluez.test.bot @ 2023-05-02 15:35 UTC (permalink / raw)
To: linux-bluetooth, lrh2000
[-- Attachment #1: Type: text/plain, Size: 8849 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=744426
---Test result---
Test Summary:
CheckPatch FAIL 4.18 seconds
GitLint FAIL 2.05 seconds
SubjectPrefix PASS 0.60 seconds
BuildKernel PASS 32.22 seconds
CheckAllWarning PASS 35.05 seconds
CheckSparse PASS 39.69 seconds
CheckSmatch PASS 110.75 seconds
BuildKernel32 PASS 31.05 seconds
TestRunnerSetup PASS 440.47 seconds
TestRunner_l2cap-tester PASS 16.56 seconds
TestRunner_iso-tester PASS 20.35 seconds
TestRunner_bnep-tester PASS 5.36 seconds
TestRunner_mgmt-tester PASS 113.08 seconds
TestRunner_rfcomm-tester PASS 8.52 seconds
TestRunner_sco-tester PASS 7.90 seconds
TestRunner_ioctl-tester PASS 9.26 seconds
TestRunner_mesh-tester PASS 6.76 seconds
TestRunner_smp-tester PASS 7.93 seconds
TestRunner_userchan-tester PASS 5.61 seconds
IncrementalBuild PASS 75.99 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v3,1/6] Bluetooth: Fix potential double free caused by hci_conn_unlink
WARNING: Reported-by: should be immediately followed by Link: with a URL to the report
#83:
Reported-by: syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#84:
Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/
WARNING: Unknown link reference 'Closes:', use 'Link:' instead
#84:
Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/
total: 0 errors, 3 warnings, 0 checks, 33 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13229025.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[v3,2/6] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
WARNING: Reported-by: should be immediately followed by Link: with a URL to the report
#82:
Reported-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#83:
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
WARNING: Unknown link reference 'Closes:', use 'Link:' instead
#83:
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
total: 0 errors, 3 warnings, 0 checks, 15 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13229023.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[v3,3/6] Bluetooth: Fix UAF in hci_conn_hash_flush again
WARNING: Reported-by: should be immediately followed by Link: with a URL to the report
#93:
Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
WARNING: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#94:
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
WARNING: Unknown link reference 'Closes:', use 'Link:' instead
#94:
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
total: 0 errors, 3 warnings, 0 checks, 58 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13229024.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v3,1/6] Bluetooth: Fix potential double free caused by hci_conn_unlink
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
13: B1 Line exceeds max length (88>80): "Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/"
[v3,2/6] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
13: B1 Line exceeds max length (115>80): "Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/"
[v3,3/6] Bluetooth: Fix UAF in hci_conn_hash_flush again
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
24: B1 Line exceeds max length (88>80): "Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/"
[v3,4/6] Bluetooth: Perform hci_conn_drop in hci_conn_unlink
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
13: B3 Line contains hard tab characters (\t): " hci_conn_unlink(conn) [conn->parent == NULL]"
14: B3 Line contains hard tab characters (\t): " -> hci_conn_unlink(child) [child->parent == conn]"
15: B3 Line contains hard tab characters (\t): " -> hci_conn_drop(child->parent)"
16: B3 Line contains hard tab characters (\t): " -> queue_delayed_work(&conn->disc_work)"
[v3,5/6] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
13: B3 Line contains hard tab characters (\t): " All SCO, eSCO, and CIS connections on a physical link should be"
14: B3 Line contains hard tab characters (\t): " disconnected before the ACL connection on the same physical"
15: B3 Line contains hard tab characters (\t): " connection is disconnected. If it does not, they will be"
16: B3 Line contains hard tab characters (\t): " implicitly disconnected as part of the ACL disconnection."
17: B3 Line contains hard tab characters (\t): " ..."
18: B3 Line contains hard tab characters (\t): " Note: As specified in Section 7.7.5, on the Central, the handle"
19: B3 Line contains hard tab characters (\t): " for a CIS remains valid even after disconnection and, therefore,"
20: B3 Line contains hard tab characters (\t): " the Host can recreate a disconnected CIS at a later point in"
21: B3 Line contains hard tab characters (\t): " time using the same connection handle."
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v3 2/6] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
2023-05-02 14:57 [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
2023-05-02 14:57 ` [PATCH v3 1/6] " Ruihan Li
@ 2023-05-02 14:57 ` Ruihan Li
2023-05-02 14:57 ` [PATCH v3 3/6] Bluetooth: Fix UAF in hci_conn_hash_flush again Ruihan Li
` (3 subsequent siblings)
5 siblings, 0 replies; 12+ messages in thread
From: Ruihan Li @ 2023-05-02 14:57 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li
If hci_conn_put(conn->parent) reduces conn->parent's reference count to
zero, it can immediately deallocate conn->parent. At the same time,
conn->link->list has its head in conn->parent, causing use-after-free
problems in the latter list_del_rcu(&conn->link->list).
This problem can be easily solved by reordering the two operations,
i.e., first performing the list removal with list_del_rcu and then
decreasing the refcnt with hci_conn_put.
Reported-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
net/bluetooth/hci_conn.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 70e1655a9..44d0643fc 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1102,12 +1102,12 @@ static void hci_conn_unlink(struct hci_conn *conn)
if (!conn->link)
return;
- hci_conn_put(conn->parent);
- conn->parent = NULL;
-
list_del_rcu(&conn->link->list);
synchronize_rcu();
+ hci_conn_put(conn->parent);
+ conn->parent = NULL;
+
kfree(conn->link);
conn->link = NULL;
}
--
2.40.0
^ permalink raw reply related [flat|nested] 12+ messages in thread* [PATCH v3 3/6] Bluetooth: Fix UAF in hci_conn_hash_flush again
2023-05-02 14:57 [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
2023-05-02 14:57 ` [PATCH v3 1/6] " Ruihan Li
2023-05-02 14:57 ` [PATCH v3 2/6] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink Ruihan Li
@ 2023-05-02 14:57 ` Ruihan Li
2023-05-02 14:57 ` [PATCH v3 4/6] Bluetooth: Perform hci_conn_drop in hci_conn_unlink Ruihan Li
` (2 subsequent siblings)
5 siblings, 0 replies; 12+ messages in thread
From: Ruihan Li @ 2023-05-02 14:57 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li,
syzbot+8bb72f86fc823817bc5d
Commit 06149746e720 ("Bluetooth: hci_conn: Add support for linking
multiple hcon") reintroduced a previously fixed bug [1] ("KASAN:
slab-use-after-free Read in hci_conn_hash_flush"). This bug was
originally fixed by commit 5dc7d23e167e ("Bluetooth: hci_conn: Fix
possible UAF").
The hci_conn_unlink function was added to avoid invalidating the link
traversal caused by successive hci_conn_del operations releasing extra
connections. However, currently hci_conn_unlink itself also releases
extra connections, resulted in the reintroduced bug.
This patch follows a more robust solution for cleaning up all
connections, by repeatedly removing the first connection until there are
none left. This approach does not rely on the inner workings of
hci_conn_del and ensures proper cleanup of all connections.
Meanwhile, we need to make sure that hci_conn_del never fails. Indeed it
doesn't, as it now always returns zero. To make this a bit clearer, this
patch also changes its return type to void.
Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
include/net/bluetooth/hci_core.h | 2 +-
net/bluetooth/hci_conn.c | 29 +++++++++++++----------------
2 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index a6c8aee2f..8baf34639 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1327,7 +1327,7 @@ int hci_le_create_cis(struct hci_conn *conn);
struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
u8 role);
-int hci_conn_del(struct hci_conn *conn);
+void hci_conn_del(struct hci_conn *conn);
void hci_conn_hash_flush(struct hci_dev *hdev);
void hci_conn_check_pending(struct hci_dev *hdev);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 44d0643fc..eef148291 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1112,7 +1112,7 @@ static void hci_conn_unlink(struct hci_conn *conn)
conn->link = NULL;
}
-int hci_conn_del(struct hci_conn *conn)
+void hci_conn_del(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
@@ -1163,8 +1163,6 @@ int hci_conn_del(struct hci_conn *conn)
* rest of hci_conn_del.
*/
hci_conn_cleanup(conn);
-
- return 0;
}
struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
@@ -2465,22 +2463,21 @@ void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
/* Drop all connection on the device */
void hci_conn_hash_flush(struct hci_dev *hdev)
{
- struct hci_conn_hash *h = &hdev->conn_hash;
- struct hci_conn *c, *n;
+ struct list_head *head = &hdev->conn_hash.list;
+ struct hci_conn *conn;
BT_DBG("hdev %s", hdev->name);
- list_for_each_entry_safe(c, n, &h->list, list) {
- c->state = BT_CLOSED;
-
- hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
-
- /* Unlink before deleting otherwise it is possible that
- * hci_conn_del removes the link which may cause the list to
- * contain items already freed.
- */
- hci_conn_unlink(c);
- hci_conn_del(c);
+ /* We should not traverse the list here, because hci_conn_del
+ * can remove extra links, which may cause the list traversal
+ * to hit items that have already been released.
+ */
+ while ((conn = list_first_entry_or_null(head,
+ struct hci_conn,
+ list)) != NULL) {
+ conn->state = BT_CLOSED;
+ hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM);
+ hci_conn_del(conn);
}
}
--
2.40.0
^ permalink raw reply related [flat|nested] 12+ messages in thread* [PATCH v3 4/6] Bluetooth: Perform hci_conn_drop in hci_conn_unlink
2023-05-02 14:57 [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
` (2 preceding siblings ...)
2023-05-02 14:57 ` [PATCH v3 3/6] Bluetooth: Fix UAF in hci_conn_hash_flush again Ruihan Li
@ 2023-05-02 14:57 ` Ruihan Li
2023-05-02 16:22 ` Luiz Augusto von Dentz
2023-05-02 14:57 ` [PATCH v3 5/6] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del Ruihan Li
2023-05-02 14:57 ` [PATCH v3 6/6] Bluetooth: Avoid recursion in hci_conn_unlink Ruihan Li
5 siblings, 1 reply; 12+ messages in thread
From: Ruihan Li @ 2023-05-02 14:57 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li
Since hci_conn_link invokes both hci_conn_get and hci_conn_hold,
hci_conn_unlink should perform both hci_conn_put and hci_conn_drop as
well. However, currently it performs only hci_conn_put.
This patch makes hci_conn_unlink call hci_conn_drop as well, which
simplifies the logic in hci_conn_del a bit and may benefit future users
of hci_conn_unlink. But it is noted that this change additionally
implies that hci_conn_unlink can queue disc_work on conn itself, with
the following call stack:
hci_conn_unlink(conn) [conn->parent == NULL]
-> hci_conn_unlink(child) [child->parent == conn]
-> hci_conn_drop(child->parent)
-> queue_delayed_work(&conn->disc_work)
Queued disc_work after hci_conn_del can be spurious, so during the
process of hci_conn_del, it is necessary to make the call to
cancel_delayed_work(&conn->disc_work) after invoking hci_conn_unlink.
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
net/bluetooth/hci_conn.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index eef148291..e76ebb50d 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1105,6 +1105,7 @@ static void hci_conn_unlink(struct hci_conn *conn)
list_del_rcu(&conn->link->list);
synchronize_rcu();
+ hci_conn_drop(conn->parent);
hci_conn_put(conn->parent);
conn->parent = NULL;
@@ -1118,7 +1119,6 @@ void hci_conn_del(struct hci_conn *conn)
BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
- cancel_delayed_work_sync(&conn->disc_work);
cancel_delayed_work_sync(&conn->auto_accept_work);
cancel_delayed_work_sync(&conn->idle_work);
@@ -1134,12 +1134,7 @@ void hci_conn_del(struct hci_conn *conn)
else
hdev->acl_cnt += conn->sent;
} else {
- struct hci_conn *acl = conn->parent;
-
- if (acl) {
- hci_conn_unlink(conn);
- hci_conn_drop(acl);
- }
+ hci_conn_unlink(conn);
/* Unacked ISO frames */
if (conn->type == ISO_LINK) {
@@ -1152,6 +1147,11 @@ void hci_conn_del(struct hci_conn *conn)
}
}
+ /* hci_conn_unlink may trigger additional disc_work, so
+ * ensure to perform cancelling after that.
+ */
+ cancel_delayed_work_sync(&conn->disc_work);
+
if (conn->amp_mgr)
amp_mgr_put(conn->amp_mgr);
--
2.40.0
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH v3 4/6] Bluetooth: Perform hci_conn_drop in hci_conn_unlink
2023-05-02 14:57 ` [PATCH v3 4/6] Bluetooth: Perform hci_conn_drop in hci_conn_unlink Ruihan Li
@ 2023-05-02 16:22 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 12+ messages in thread
From: Luiz Augusto von Dentz @ 2023-05-02 16:22 UTC (permalink / raw)
To: Ruihan Li; +Cc: linux-bluetooth, Marcel Holtmann, Johan Hedberg
Hi Ruihan,
On Tue, May 2, 2023 at 7:57 AM Ruihan Li <lrh2000@pku.edu.cn> wrote:
>
> Since hci_conn_link invokes both hci_conn_get and hci_conn_hold,
> hci_conn_unlink should perform both hci_conn_put and hci_conn_drop as
> well. However, currently it performs only hci_conn_put.
>
> This patch makes hci_conn_unlink call hci_conn_drop as well, which
> simplifies the logic in hci_conn_del a bit and may benefit future users
> of hci_conn_unlink. But it is noted that this change additionally
> implies that hci_conn_unlink can queue disc_work on conn itself, with
> the following call stack:
>
> hci_conn_unlink(conn) [conn->parent == NULL]
> -> hci_conn_unlink(child) [child->parent == conn]
> -> hci_conn_drop(child->parent)
> -> queue_delayed_work(&conn->disc_work)
>
> Queued disc_work after hci_conn_del can be spurious, so during the
> process of hci_conn_del, it is necessary to make the call to
> cancel_delayed_work(&conn->disc_work) after invoking hci_conn_unlink.
>
> Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
> ---
> net/bluetooth/hci_conn.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index eef148291..e76ebb50d 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -1105,6 +1105,7 @@ static void hci_conn_unlink(struct hci_conn *conn)
> list_del_rcu(&conn->link->list);
> synchronize_rcu();
>
> + hci_conn_drop(conn->parent);
> hci_conn_put(conn->parent);
> conn->parent = NULL;
>
> @@ -1118,7 +1119,6 @@ void hci_conn_del(struct hci_conn *conn)
>
> BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
>
> - cancel_delayed_work_sync(&conn->disc_work);
> cancel_delayed_work_sync(&conn->auto_accept_work);
> cancel_delayed_work_sync(&conn->idle_work);
>
> @@ -1134,12 +1134,7 @@ void hci_conn_del(struct hci_conn *conn)
> else
> hdev->acl_cnt += conn->sent;
> } else {
> - struct hci_conn *acl = conn->parent;
> -
> - if (acl) {
> - hci_conn_unlink(conn);
> - hci_conn_drop(acl);
> - }
> + hci_conn_unlink(conn);
>
> /* Unacked ISO frames */
> if (conn->type == ISO_LINK) {
> @@ -1152,6 +1147,11 @@ void hci_conn_del(struct hci_conn *conn)
> }
> }
>
> + /* hci_conn_unlink may trigger additional disc_work, so
> + * ensure to perform cancelling after that.
> + */
> + cancel_delayed_work_sync(&conn->disc_work);
Just merge the change where hci_conn_del calls hci_conn_unlink
unconditionally so we don't have to do this change independently just
to revert later.
> if (conn->amp_mgr)
> amp_mgr_put(conn->amp_mgr);
>
> --
> 2.40.0
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v3 5/6] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
2023-05-02 14:57 [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
` (3 preceding siblings ...)
2023-05-02 14:57 ` [PATCH v3 4/6] Bluetooth: Perform hci_conn_drop in hci_conn_unlink Ruihan Li
@ 2023-05-02 14:57 ` Ruihan Li
2023-05-02 14:57 ` [PATCH v3 6/6] Bluetooth: Avoid recursion in hci_conn_unlink Ruihan Li
5 siblings, 0 replies; 12+ messages in thread
From: Ruihan Li @ 2023-05-02 14:57 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li
Currently, hci_conn_del calls hci_conn_unlink for BR/EDR, (e)SCO, and
CIS connections, i.e., everything except LE connections. However, if
(e)SCO connections are unlinked when BR/EDR disconnects, CIS connections
should also be unlinked when LE disconnects.
In terms of disconnection behavior, CIS and (e)SCO connections are not
too different. One peculiarity of CIS is that when CIS connections are
disconnected, the CIS handle isn't deleted, as per [BLUETOOTH CORE
SPECIFICATION Version 5.4 | Vol 4, Part E] 7.1.6 Disconnect command:
All SCO, eSCO, and CIS connections on a physical link should be
disconnected before the ACL connection on the same physical
connection is disconnected. If it does not, they will be
implicitly disconnected as part of the ACL disconnection.
...
Note: As specified in Section 7.7.5, on the Central, the handle
for a CIS remains valid even after disconnection and, therefore,
the Host can recreate a disconnected CIS at a later point in
time using the same connection handle.
This peculiarity has nothing to do with the code, as long as the current
implementation always ties the CIS handle, the CIS connection, and the
LE connection together in hci_link, and manually performs CIS deletion
in cis_cleanup after CIS disconnections.
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
net/bluetooth/hci_conn.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index e76ebb50d..de553e062 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1092,7 +1092,9 @@ static void hci_conn_unlink(struct hci_conn *conn)
* yet at this point. Delete it now, otherwise it is
* possible for it to be stuck and can't be deleted.
*/
- if (child->handle == HCI_CONN_HANDLE_UNSET)
+ if ((child->type == SCO_LINK ||
+ child->type == ESCO_LINK) &&
+ child->handle == HCI_CONN_HANDLE_UNSET)
hci_conn_del(child);
}
@@ -1119,11 +1121,17 @@ void hci_conn_del(struct hci_conn *conn)
BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
+ hci_conn_unlink(conn);
+
+ /* hci_conn_unlink may trigger additional disc_work, so
+ * ensure to perform cancelling after that.
+ */
+ cancel_delayed_work_sync(&conn->disc_work);
+
cancel_delayed_work_sync(&conn->auto_accept_work);
cancel_delayed_work_sync(&conn->idle_work);
if (conn->type == ACL_LINK) {
- hci_conn_unlink(conn);
/* Unacked frames */
hdev->acl_cnt += conn->sent;
} else if (conn->type == LE_LINK) {
@@ -1134,8 +1142,6 @@ void hci_conn_del(struct hci_conn *conn)
else
hdev->acl_cnt += conn->sent;
} else {
- hci_conn_unlink(conn);
-
/* Unacked ISO frames */
if (conn->type == ISO_LINK) {
if (hdev->iso_pkts)
@@ -1147,11 +1153,6 @@ void hci_conn_del(struct hci_conn *conn)
}
}
- /* hci_conn_unlink may trigger additional disc_work, so
- * ensure to perform cancelling after that.
- */
- cancel_delayed_work_sync(&conn->disc_work);
-
if (conn->amp_mgr)
amp_mgr_put(conn->amp_mgr);
--
2.40.0
^ permalink raw reply related [flat|nested] 12+ messages in thread* [PATCH v3 6/6] Bluetooth: Avoid recursion in hci_conn_unlink
2023-05-02 14:57 [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
` (4 preceding siblings ...)
2023-05-02 14:57 ` [PATCH v3 5/6] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del Ruihan Li
@ 2023-05-02 14:57 ` Ruihan Li
2023-05-02 16:18 ` Luiz Augusto von Dentz
5 siblings, 1 reply; 12+ messages in thread
From: Ruihan Li @ 2023-05-02 14:57 UTC (permalink / raw)
To: linux-bluetooth
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Ruihan Li
Previously, hci_conn_unlink was implemented as a recursion function. To
unlink physical connections (e.g. ACL/LE), it calls itself to unlink all
its logical channels (e.g. SCO/eSCO/ISO).
Recursion is not required. This patch refactors hci_conn_unlink into two
functions, where hci_conn_unlink_parent takes a physical connection,
checks out all its logical channels, and calls hci_conn_unlink_child for
each logical channel to unlink it.
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
net/bluetooth/hci_conn.c | 55 +++++++++++++++++++++++-----------------
1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index de553e062..243d68a64 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1074,34 +1074,13 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
return conn;
}
-static void hci_conn_unlink(struct hci_conn *conn)
+static void hci_conn_unlink_parent(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
bt_dev_dbg(hdev, "hcon %p", conn);
- if (!conn->parent) {
- struct hci_link *link, *t;
-
- list_for_each_entry_safe(link, t, &conn->link_list, list) {
- struct hci_conn *child = link->conn;
-
- hci_conn_unlink(child);
-
- /* Due to race, SCO connection might be not established
- * yet at this point. Delete it now, otherwise it is
- * possible for it to be stuck and can't be deleted.
- */
- if ((child->type == SCO_LINK ||
- child->type == ESCO_LINK) &&
- child->handle == HCI_CONN_HANDLE_UNSET)
- hci_conn_del(child);
- }
-
- return;
- }
-
- if (!conn->link)
+ if (WARN_ON(!conn->link))
return;
list_del_rcu(&conn->link->list);
@@ -1115,6 +1094,36 @@ static void hci_conn_unlink(struct hci_conn *conn)
conn->link = NULL;
}
+static void hci_conn_unlink_children(struct hci_conn *conn)
+{
+ struct hci_dev *hdev = conn->hdev;
+ struct hci_link *link, *t;
+
+ bt_dev_dbg(hdev, "hcon %p", conn);
+
+ list_for_each_entry_safe(link, t, &conn->link_list, list) {
+ struct hci_conn *child = link->conn;
+
+ hci_conn_unlink_parent(child);
+
+ /* Due to race, SCO connection might be not established
+ * yet at this point. Delete it now, otherwise it is
+ * possible for it to be stuck and can't be deleted.
+ */
+ if (child->type == SCO_LINK || child->type == ESCO_LINK)
+ if (child->handle == HCI_CONN_HANDLE_UNSET)
+ hci_conn_del(child);
+ }
+}
+
+static void hci_conn_unlink(struct hci_conn *conn)
+{
+ if (conn->parent)
+ hci_conn_unlink_parent(conn);
+ else
+ hci_conn_unlink_children(conn);
+}
+
void hci_conn_del(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
--
2.40.0
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH v3 6/6] Bluetooth: Avoid recursion in hci_conn_unlink
2023-05-02 14:57 ` [PATCH v3 6/6] Bluetooth: Avoid recursion in hci_conn_unlink Ruihan Li
@ 2023-05-02 16:18 ` Luiz Augusto von Dentz
2023-05-03 13:15 ` Ruihan Li
0 siblings, 1 reply; 12+ messages in thread
From: Luiz Augusto von Dentz @ 2023-05-02 16:18 UTC (permalink / raw)
To: Ruihan Li; +Cc: linux-bluetooth, Marcel Holtmann, Johan Hedberg
Hi Ruihan,
On Tue, May 2, 2023 at 7:57 AM Ruihan Li <lrh2000@pku.edu.cn> wrote:
>
> Previously, hci_conn_unlink was implemented as a recursion function. To
> unlink physical connections (e.g. ACL/LE), it calls itself to unlink all
> its logical channels (e.g. SCO/eSCO/ISO).
>
> Recursion is not required. This patch refactors hci_conn_unlink into two
> functions, where hci_conn_unlink_parent takes a physical connection,
> checks out all its logical channels, and calls hci_conn_unlink_child for
> each logical channel to unlink it.
>
> Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
> ---
> net/bluetooth/hci_conn.c | 55 +++++++++++++++++++++++-----------------
> 1 file changed, 32 insertions(+), 23 deletions(-)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index de553e062..243d68a64 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -1074,34 +1074,13 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
> return conn;
> }
>
> -static void hci_conn_unlink(struct hci_conn *conn)
> +static void hci_conn_unlink_parent(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
>
> bt_dev_dbg(hdev, "hcon %p", conn);
>
> - if (!conn->parent) {
> - struct hci_link *link, *t;
> -
> - list_for_each_entry_safe(link, t, &conn->link_list, list) {
> - struct hci_conn *child = link->conn;
> -
> - hci_conn_unlink(child);
> -
> - /* Due to race, SCO connection might be not established
> - * yet at this point. Delete it now, otherwise it is
> - * possible for it to be stuck and can't be deleted.
> - */
> - if ((child->type == SCO_LINK ||
> - child->type == ESCO_LINK) &&
> - child->handle == HCI_CONN_HANDLE_UNSET)
> - hci_conn_del(child);
> - }
> -
> - return;
> - }
> -
> - if (!conn->link)
> + if (WARN_ON(!conn->link))
> return;
>
> list_del_rcu(&conn->link->list);
> @@ -1115,6 +1094,36 @@ static void hci_conn_unlink(struct hci_conn *conn)
> conn->link = NULL;
> }
>
> +static void hci_conn_unlink_children(struct hci_conn *conn)
> +{
> + struct hci_dev *hdev = conn->hdev;
> + struct hci_link *link, *t;
> +
> + bt_dev_dbg(hdev, "hcon %p", conn);
> +
> + list_for_each_entry_safe(link, t, &conn->link_list, list) {
> + struct hci_conn *child = link->conn;
> +
> + hci_conn_unlink_parent(child);
> +
> + /* Due to race, SCO connection might be not established
> + * yet at this point. Delete it now, otherwise it is
> + * possible for it to be stuck and can't be deleted.
> + */
> + if (child->type == SCO_LINK || child->type == ESCO_LINK)
> + if (child->handle == HCI_CONN_HANDLE_UNSET)
> + hci_conn_del(child);
> + }
This is not quite right, when we are unlinking the children's hci_conn
it shall only unlink itself from the parent not everything.
> +}
> +
> +static void hci_conn_unlink(struct hci_conn *conn)
> +{
> + if (conn->parent)
> + hci_conn_unlink_parent(conn);
> + else
> + hci_conn_unlink_children(conn);
> +}
> +
> void hci_conn_del(struct hci_conn *conn)
> {
> struct hci_dev *hdev = conn->hdev;
> --
> 2.40.0
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH v3 6/6] Bluetooth: Avoid recursion in hci_conn_unlink
2023-05-02 16:18 ` Luiz Augusto von Dentz
@ 2023-05-03 13:15 ` Ruihan Li
0 siblings, 0 replies; 12+ messages in thread
From: Ruihan Li @ 2023-05-03 13:15 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: linux-bluetooth, Marcel Holtmann, Johan Hedberg, Ruihan Li
Hi Luiz,
On Tue, May 02, 2023 at 09:18:02AM -0700, Luiz Augusto von Dentz wrote:
> Hi Ruihan,
>
> On Tue, May 2, 2023 at 7:57 AM Ruihan Li <lrh2000@pku.edu.cn> wrote:
> >
> > Previously, hci_conn_unlink was implemented as a recursion function. To
> > unlink physical connections (e.g. ACL/LE), it calls itself to unlink all
> > its logical channels (e.g. SCO/eSCO/ISO).
> >
> > Recursion is not required. This patch refactors hci_conn_unlink into two
> > functions, where hci_conn_unlink_parent takes a physical connection,
> > checks out all its logical channels, and calls hci_conn_unlink_child for
> > each logical channel to unlink it.
> >
> > Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
> > ---
> > net/bluetooth/hci_conn.c | 55 +++++++++++++++++++++++-----------------
> > 1 file changed, 32 insertions(+), 23 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > index de553e062..243d68a64 100644
> > --- a/net/bluetooth/hci_conn.c
> > +++ b/net/bluetooth/hci_conn.c
> > @@ -1074,34 +1074,13 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
> > return conn;
> > }
> >
> > -static void hci_conn_unlink(struct hci_conn *conn)
> > +static void hci_conn_unlink_parent(struct hci_conn *conn)
> > {
> > struct hci_dev *hdev = conn->hdev;
> >
> > bt_dev_dbg(hdev, "hcon %p", conn);
> >
> > - if (!conn->parent) {
> > - struct hci_link *link, *t;
> > -
> > - list_for_each_entry_safe(link, t, &conn->link_list, list) {
> > - struct hci_conn *child = link->conn;
> > -
> > - hci_conn_unlink(child);
> > -
> > - /* Due to race, SCO connection might be not established
> > - * yet at this point. Delete it now, otherwise it is
> > - * possible for it to be stuck and can't be deleted.
> > - */
> > - if ((child->type == SCO_LINK ||
> > - child->type == ESCO_LINK) &&
> > - child->handle == HCI_CONN_HANDLE_UNSET)
> > - hci_conn_del(child);
> > - }
> > -
> > - return;
> > - }
> > -
> > - if (!conn->link)
> > + if (WARN_ON(!conn->link))
> > return;
> >
> > list_del_rcu(&conn->link->list);
> > @@ -1115,6 +1094,36 @@ static void hci_conn_unlink(struct hci_conn *conn)
> > conn->link = NULL;
> > }
> >
> > +static void hci_conn_unlink_children(struct hci_conn *conn)
> > +{
> > + struct hci_dev *hdev = conn->hdev;
> > + struct hci_link *link, *t;
> > +
> > + bt_dev_dbg(hdev, "hcon %p", conn);
> > +
> > + list_for_each_entry_safe(link, t, &conn->link_list, list) {
> > + struct hci_conn *child = link->conn;
> > +
> > + hci_conn_unlink_parent(child);
> > +
> > + /* Due to race, SCO connection might be not established
> > + * yet at this point. Delete it now, otherwise it is
> > + * possible for it to be stuck and can't be deleted.
> > + */
> > + if (child->type == SCO_LINK || child->type == ESCO_LINK)
> > + if (child->handle == HCI_CONN_HANDLE_UNSET)
> > + hci_conn_del(child);
> > + }
>
> This is not quite right, when we are unlinking the children's hci_conn
> it shall only unlink itself from the parent not everything.
My assumption is that each hci_conn is either
* a logical channel, which implies that it has a parent and no
children, or
* a physical link, which means that it has no parent and possibly some
children.
So here, as children of physical links, they must be logical channels
and thus cannot have more children, so just unlinking them from the
parent should be ok. We can add some assertions like
WARN_ON(!conn->parent || !conn->link) // conn has a parent
WARN_ON(!list_empty(&conn->link_list)) // conn has no children
in hci_conn_unlink_parent.
Do you think this assumption is wrong, or could become wrong in the
future? Otherwise, I don't think there are correctness problems.
In my opinion, separating the functions for logical channels and
physical links makes the code a bit cleaner. But it's my opinion, if you
think it actually makes the code harder to understand, I won't insist.
>
> > +}
> > +
> > +static void hci_conn_unlink(struct hci_conn *conn)
> > +{
> > + if (conn->parent)
> > + hci_conn_unlink_parent(conn);
> > + else
> > + hci_conn_unlink_children(conn);
> > +}
> > +
> > void hci_conn_del(struct hci_conn *conn)
> > {
> > struct hci_dev *hdev = conn->hdev;
> > --
> > 2.40.0
> >
>
>
> --
> Luiz Augusto von Dentz
Thanks,
Ruihan Li
^ permalink raw reply [flat|nested] 12+ messages in thread