* [PATCH v1] Bluetooth: MGMT: Use RCU-protected in mgmt_pending list
@ 2025-05-28 18:44 Luiz Augusto von Dentz
2025-05-28 19:08 ` [v1] " bluez.test.bot
0 siblings, 1 reply; 2+ messages in thread
From: Luiz Augusto von Dentz @ 2025-05-28 18:44 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This uses RCU procedures to protect from concurrent access of
mgmt_pending list which can cause crashes like:
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5405
Read of size 8 at addr ffff888048891a18 by task kworker/u5:8/5333
CPU: 0 UID: 0 PID: 5333 Comm: kworker/u5:8 Not tainted 6.15.0-rc5-syzkaller-00197-gea34704d6ad7 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xb4/0x290 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5405
hci_cmd_sync_work+0x25e/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5702:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5453
hci_mgmt_cmd+0x9c6/0xef0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x6ca/0xee0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:684
ksys_write+0x145/0x250 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5700:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x193/0x440 mm/slub.c:4841
mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9362
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c3/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: a380b6cff1a2 ("Bluetooth: Add generic mgmt helper API")
Closes: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/mgmt_util.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index 3713ff490c65..c2dc8ddf5f78 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -219,13 +219,20 @@ struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
{
struct mgmt_pending_cmd *cmd;
- list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
+ rcu_read_lock();
+
+ list_for_each_entry_rcu(cmd, &hdev->mgmt_pending, list) {
if (hci_sock_get_channel(cmd->sk) != channel)
continue;
- if (cmd->opcode == opcode)
+
+ if (cmd->opcode == opcode) {
+ rcu_read_unlock();
return cmd;
+ }
}
+ rcu_read_unlock();
+
return NULL;
}
@@ -233,14 +240,11 @@ void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
void *data)
{
- struct mgmt_pending_cmd *cmd, *tmp;
-
- list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
- if (opcode > 0 && cmd->opcode != opcode)
- continue;
+ struct mgmt_pending_cmd *cmd;
+ cmd = mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
+ if (cmd)
cb(cmd, data);
- }
}
struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
@@ -280,7 +284,7 @@ struct mgmt_pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
if (!cmd)
return NULL;
- list_add_tail(&cmd->list, &hdev->mgmt_pending);
+ list_add_tail_rcu(&cmd->list, &hdev->mgmt_pending);
return cmd;
}
@@ -294,7 +298,8 @@ void mgmt_pending_free(struct mgmt_pending_cmd *cmd)
void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
{
- list_del(&cmd->list);
+ list_del_rcu(&cmd->list);
+ synchronize_rcu();
mgmt_pending_free(cmd);
}
--
2.49.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* RE: [v1] Bluetooth: MGMT: Use RCU-protected in mgmt_pending list
2025-05-28 18:44 [PATCH v1] Bluetooth: MGMT: Use RCU-protected in mgmt_pending list Luiz Augusto von Dentz
@ 2025-05-28 19:08 ` bluez.test.bot
0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2025-05-28 19:08 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 3725 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=967103
---Test result---
Test Summary:
CheckPatch PENDING 0.43 seconds
GitLint PENDING 0.27 seconds
SubjectPrefix PASS 0.07 seconds
BuildKernel PASS 24.39 seconds
CheckAllWarning PASS 26.89 seconds
CheckSparse PASS 30.18 seconds
BuildKernel32 PASS 24.17 seconds
TestRunnerSetup PASS 458.19 seconds
TestRunner_l2cap-tester PASS 25.53 seconds
TestRunner_iso-tester PASS 55.87 seconds
TestRunner_bnep-tester PASS 5.78 seconds
TestRunner_mgmt-tester FAIL 156.18 seconds
TestRunner_rfcomm-tester PASS 50.24 seconds
TestRunner_sco-tester PASS 55.79 seconds
TestRunner_ioctl-tester PASS 9.90 seconds
TestRunner_mesh-tester FAIL 7.41 seconds
TestRunner_smp-tester PASS 8.43 seconds
TestRunner_userchan-tester PASS 6.00 seconds
IncrementalBuild PENDING 0.94 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 470 (95.9%), Failed: 17, Not Run: 3
Failed Test Cases
Stop Discovery - Success 1 Failed 0.155 seconds
Pairing Acceptor - SMP over BR/EDR 2 Timed out 2.503 seconds
Add Ext Advertising - Success 1 (Powered, Add Adv Inst) Failed 0.133 seconds
Add Ext Advertising - Success 6 (Scan Rsp Dta, Adv ok) Failed 0.128 seconds
Add Ext Advertising - Success 9 (General Discov Flag) Failed 2.153 seconds
Add Ext Advertising - Success 10 (Limited Discov Flag) Failed 0.140 seconds
Stop Discovery - (Ext Scan Disable) Failed 0.154 seconds
LL Privacy - Add Device 2 (2 Devices to AL) Failed 0.202 seconds
LL Privacy - Add Device 3 (AL is full) Failed 0.235 seconds
LL Privacy - Set Flags 1 (Add to RL) Failed 0.184 seconds
LL Privacy - Set Flags 2 (Enable RL) Failed 0.177 seconds
LL Privacy - Set Flags 3 (2 Devices to RL) Failed 0.209 seconds
LL Privacy - Set Flags 4 (RL is full) Failed 0.268 seconds
LL Privacy - Remove Device 1 (Remove from AL) Timed out 2.687 seconds
LL Privacy - Remove Device 2 (Remove from RL) Timed out 1.992 seconds
LL Privacy - Remove Device 4 (Disable Adv) Timed out 2.748 seconds
LL Privacy - Set Device Flag 1 (Device Privacy) Failed 0.165 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0
WARNING: CPU: 0 PID: 66 at kernel/workqueue.c:2257 __queue_work+0x93e/0xba0
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Failed 0.135 seconds
Mesh - Send cancel - 2 Failed 0.177 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-05-28 19:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-28 18:44 [PATCH v1] Bluetooth: MGMT: Use RCU-protected in mgmt_pending list Luiz Augusto von Dentz
2025-05-28 19:08 ` [v1] " bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox