* [PATCH v2 1/1] Bluetooth: fix race condition in hidp_session_thread
@ 2023-03-04 14:23 Min Li
From: Min Li @ 2023-03-04 14:23 UTC (permalink / raw)
  To: luiz.dentz
  Cc: marcel, johan.hedberg, davem, edumazet, kuba, pabeni, jkosina,
	hdegoede, david.rheinsberg, wsa+renesas, linux, linux-bluetooth,
	netdev, linux-kernel

There is a potential race condition in hidp_session_thread that may
lead to a use-after-free. For instance, the timer is active while
hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
'session' will be freed, causing a kernel panic when hidp_idle_timeout
is running.

The solution is to use del_timer_sync instead of del_timer.

Here is the call trace:

? hidp_session_probe+0x780/0x780
call_timer_fn+0x2d/0x1e0
__run_timers.part.0+0x569/0x940
hidp_session_probe+0x780/0x780
call_timer_fn+0x1e0/0x1e0
ktime_get+0x5c/0xf0
lapic_next_deadline+0x2c/0x40
clockevents_program_event+0x205/0x320
run_timer_softirq+0xa9/0x1b0
__do_softirq+0x1b9/0x641
__irq_exit_rcu+0xdc/0x190
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0xa1/0xc0

v2:
  - Fixed code style issues

Signed-off-by: Min Li <lm0963hack@gmail.com>
---
 net/bluetooth/hidp/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index bed1a7b9205c..707f229f896a 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -433,7 +433,7 @@ static void hidp_set_timer(struct hidp_session *session)
 static void hidp_del_timer(struct hidp_session *session)
 {
 	if (session->idle_to > 0)
-		del_timer(&session->timer);
+		del_timer_sync(&session->timer);
 }
 
 static void hidp_process_report(struct hidp_session *session, int type,
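Review bot: del_timer_sync() waits for a running hidp_idle_timeout() to return, which is what closes the window between hidp_del_timer() and hidp_session_put() described in the commit message, but it must never be called from the timer callback itself or while holding a lock that hidp_idle_timeout() also takes, or it deadlocks. The hunk shows only the helper, not its call sites; the commit message names hidp_session_thread() (process context) as the caller, so please state in the commit message, or in a comment above hidp_del_timer() such as `/* Must be called from process context: waits for a running hidp_idle_timeout() */`, that every caller of hidp_del_timer() runs in a context where waiting is permitted. The `idle_to > 0` guard is unchanged, so the behaviour for sessions that never armed the timer stays the same.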
-- 
2.25.1



* RE: [v2,1/1] Bluetooth: fix race condition in hidp_session_thread
@ 2023-03-04 14:57 ` bluez.test.bot
From: bluez.test.bot @ 2023-03-04 14:57 UTC (permalink / raw)
  To: linux-bluetooth, lm0963hack


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=726625

---Test result---

Test Summary:
CheckPatch                    PASS      0.69 seconds
GitLint                       PASS      0.35 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      32.22 seconds
CheckAllWarning               PASS      34.86 seconds
CheckSparse                   PASS      40.03 seconds
CheckSmatch                   PASS      107.74 seconds
BuildKernel32                 PASS      31.24 seconds
TestRunnerSetup               PASS      446.15 seconds
TestRunner_l2cap-tester       PASS      16.82 seconds
TestRunner_iso-tester         PASS      17.77 seconds
TestRunner_bnep-tester        PASS      5.76 seconds
TestRunner_mgmt-tester        PASS      113.05 seconds
TestRunner_rfcomm-tester      PASS      9.26 seconds
TestRunner_sco-tester         PASS      8.43 seconds
TestRunner_ioctl-tester       PASS      9.86 seconds
TestRunner_mesh-tester        PASS      7.29 seconds
TestRunner_smp-tester         PASS      8.35 seconds
TestRunner_userchan-tester    PASS      6.00 seconds
IncrementalBuild              PASS      29.26 seconds



---
Regards,
Linux Bluetooth



* Re: [PATCH v2 1/1] Bluetooth: fix race condition in hidp_session_thread
From: patchwork-bot+bluetooth @ 2023-03-07 18:40 UTC (permalink / raw)
  To: Min Li
  Cc: luiz.dentz, marcel, johan.hedberg, davem, edumazet, kuba, pabeni,
	jkosina, hdegoede, david.rheinsberg, wsa+renesas, linux,
	linux-bluetooth, netdev, linux-kernel

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat, 4 Mar 2023 22:23:30 +0800 you wrote:
> There is a potential race condition in hidp_session_thread that may
> lead to use-after-free. For instance, the timer is active while
> hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
> then 'session' will be freed, causing kernel panic when hidp_idle_timeout
> is running.
> 
> The solution is to use del_timer_sync instead of del_timer.
> 
> [...]

Here is the summary with links:
  - [v2,1/1] Bluetooth: fix race condition in hidp_session_thread
    https://git.kernel.org/bluetooth/bluetooth-next/c/4bbfb9fefadf

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



