* [PATCH 1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL
@ 2023-08-03 18:16 Luiz Augusto von Dentz
2023-08-03 18:16 ` [PATCH 2/2] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Luiz Augusto von Dentz
2023-08-03 19:05 ` [1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL bluez.test.bot
0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2023-08-03 18:16 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
When sending HCI_OP_CREATE_CONN_CANCEL it shall Wait for
HCI_EV_CONN_COMPLETE, not HCI_EV_CMD_STATUS, when the reason is
anything but HCI_ERROR_REMOTE_POWER_OFF. This reason is used when
suspending or powering off, where we don't want to wait for the peer's
response.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_sync.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 3348a1b0e3f7..420d25cce2b0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5317,6 +5317,17 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
if (hdev->hci_ver < BLUETOOTH_VER_1_2)
return 0;
+ /* Wait for HCI_EV_CONN_COMPLETE, not HCI_EV_CMD_STATUS, when the
+ * reason is anything but HCI_ERROR_REMOTE_POWER_OFF. This reason is
+ * used when suspending or powering off, where we don't want to wait
+ * for the peer's response.
+ */
+ if (reason != HCI_ERROR_REMOTE_POWER_OFF)
+ return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN_CANCEL,
+ 6, &conn->dst,
+ HCI_EV_CONN_COMPLETE,
+ HCI_CMD_TIMEOUT, NULL);
+
return __hci_cmd_sync_status(hdev, HCI_OP_CREATE_CONN_CANCEL,
6, &conn->dst, HCI_CMD_TIMEOUT);
}
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
2023-08-03 18:16 [PATCH 1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL Luiz Augusto von Dentz
@ 2023-08-03 18:16 ` Luiz Augusto von Dentz
2023-08-03 19:05 ` [1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL bluez.test.bot
1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2023-08-03 18:16 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Connections may be cleanup while waiting for the commands to complete so
this attempts to check if the connection handle remains valid in case of
errors that would lead to call hci_conn_failed:
BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52
CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted
6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x1d/0x70
print_report+0xce/0x620
? __virt_addr_valid+0xd4/0x150
? hci_conn_failed+0x1f/0x160
kasan_report+0xd1/0x100
? hci_conn_failed+0x1f/0x160
hci_conn_failed+0x1f/0x160
hci_abort_conn_sync+0x237/0x360
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_sync.c | 44 +++++++++++++++++++++++++---------------
1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 420d25cce2b0..f7908044b411 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5385,25 +5385,17 @@ static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
{
- int err;
+ int err = 0;
+ u16 handle = conn->handle;
switch (conn->state) {
case BT_CONNECTED:
case BT_CONFIG:
- return hci_disconnect_sync(hdev, conn, reason);
+ err = hci_disconnect_sync(hdev, conn, reason);
+ break;
case BT_CONNECT:
err = hci_connect_cancel_sync(hdev, conn, reason);
- /* Cleanup hci_conn object if it cannot be cancelled as it
- * likelly means the controller and host stack are out of sync
- * or in case of LE it was still scanning so it can be cleanup
- * safely.
- */
- if (err) {
- hci_dev_lock(hdev);
- hci_conn_failed(conn, err);
- hci_dev_unlock(hdev);
- }
- return err;
+ break;
case BT_CONNECT2:
return hci_reject_conn_sync(hdev, conn, reason);
case BT_OPEN:
@@ -5413,13 +5405,33 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
hci_conn_failed(conn, reason);
hci_dev_unlock(hdev);
}
- break;
+ return 0;
default:
conn->state = BT_CLOSED;
- break;
+ return 0;
}
- return 0;
+ /* Cleanup hci_conn object if it cannot be cancelled as it
+ * likelly means the controller and host stack are out of sync
+ * or in case of LE it was still scanning so it can be cleanup
+ * safely.
+ */
+ if (err) {
+ struct hci_conn *c;
+
+ /* Check if the connection hasn't been cleanup while waiting
+ * commands to complete.
+ */
+ c = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!c || c != conn)
+ return 0;
+
+ hci_dev_lock(hdev);
+ hci_conn_failed(conn, err);
+ hci_dev_unlock(hdev);
+ }
+
+ return err;
}
static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: [1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL
2023-08-03 18:16 [PATCH 1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL Luiz Augusto von Dentz
2023-08-03 18:16 ` [PATCH 2/2] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Luiz Augusto von Dentz
@ 2023-08-03 19:05 ` bluez.test.bot
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2023-08-03 19:05 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 1427 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=772760
---Test result---
Test Summary:
CheckPatch PASS 1.54 seconds
GitLint PASS 0.68 seconds
SubjectPrefix PASS 0.20 seconds
BuildKernel PASS 43.63 seconds
CheckAllWarning PASS 47.75 seconds
CheckSparse PASS 51.86 seconds
CheckSmatch PASS 137.76 seconds
BuildKernel32 PASS 40.27 seconds
TestRunnerSetup PASS 596.74 seconds
TestRunner_l2cap-tester PASS 29.42 seconds
TestRunner_iso-tester PASS 64.93 seconds
TestRunner_bnep-tester PASS 13.43 seconds
TestRunner_mgmt-tester PASS 244.77 seconds
TestRunner_rfcomm-tester PASS 20.17 seconds
TestRunner_sco-tester PASS 20.63 seconds
TestRunner_ioctl-tester PASS 23.07 seconds
TestRunner_mesh-tester PASS 17.45 seconds
TestRunner_smp-tester PASS 17.98 seconds
TestRunner_userchan-tester PASS 13.89 seconds
IncrementalBuild PASS 45.98 seconds
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-08-03 19:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-03 18:16 [PATCH 1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL Luiz Augusto von Dentz
2023-08-03 18:16 ` [PATCH 2/2] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Luiz Augusto von Dentz
2023-08-03 19:05 ` [1/2] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).