From: Peter Hurley <peter@hurleysoftware.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Gianluca Anzolin <gianluca@sottospazio.it>,
Alexander Holler <holler@ahsoftware.de>,
Andrey Vihrov <andrey.vihrov@gmail.com>,
Sander Eikelenboom <linux@eikelenboom.it>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 15/24] Bluetooth: Fix unsafe RFCOMM device parenting
Date: Sun, 9 Feb 2014 20:59:15 -0500 [thread overview]
Message-ID: <1391997564-1805-16-git-send-email-peter@hurleysoftware.com> (raw)
In-Reply-To: <1391997564-1805-1-git-send-email-peter@hurleysoftware.com>
Accessing the results of hci_conn_hash_lookup_ba() is unsafe without
holding the hci_dev_lock() during the lookup. For example:
CPU 0 | CPU 1
hci_conn_hash_lookup_ba | hci_conn_del
rcu_read_lock | hci_conn_hash_del
list_for_each_entry_rcu | list_del_rcu
if (.....) | synchronize_rcu
rcu_read_unlock |
| hci_conn_del_sysfs
| hci_dev_put
| hci_conn_put
| put_device (last reference)
| bt_link_release
| kfree(conn)
return p << just freed |
Even if a hci_conn reference were taken (via hci_conn_get), would
not guarantee the lifetime of the sysfs device, but only safe
access to the in-memory structure.
Ensure the hci_conn device stays valid while the rfcomm device
is reparented; rename rfcomm_get_device() to rfcomm_reparent_device()
and perform the reparenting within the function while holding the
hci_dev_lock.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
net/bluetooth/rfcomm/tty.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index a58d693..2975bc4 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -167,20 +167,29 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
return dev;
}
-static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
+static void rfcomm_reparent_device(struct rfcomm_dev *dev)
{
struct hci_dev *hdev;
struct hci_conn *conn;
hdev = hci_get_route(&dev->dst, &dev->src);
if (!hdev)
- return NULL;
+ return;
+ /* The lookup results are unsafe to access without the
+ * hci device lock (FIXME: why is this not documented?)
+ */
+ hci_dev_lock(hdev);
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
- hci_dev_put(hdev);
+ /* Just because the acl link is in the hash table is no
+ * guarantee the sysfs device has been added ...
+ */
+ if (conn && device_is_registered(&conn->dev))
+ device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
- return conn ? &conn->dev : NULL;
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
}
static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
@@ -589,8 +598,7 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
dev->err = err;
if (dlc->state == BT_CONNECTED) {
- device_move(dev->tty_dev, rfcomm_get_device(dev),
- DPM_ORDER_DEV_AFTER_PARENT);
+ rfcomm_reparent_device(dev);
wake_up_interruptible(&dev->port.open_wait);
} else if (dlc->state == BT_CLOSED)
--
1.8.1.2
next prev parent reply other threads:[~2014-02-10 2:20 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-10 1:59 [PATCH 00/24] rfcomm fixes Peter Hurley
2014-02-10 1:59 ` [PATCH 01/24] Revert "Bluetooth: Remove rfcomm_carrier_raised()" Peter Hurley
2014-02-10 1:59 ` [PATCH 02/24] Revert "Bluetooth: Always wait for a connection on RFCOMM open()" Peter Hurley
2014-02-10 1:59 ` [PATCH 03/24] Revert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()" Peter Hurley
2014-02-10 1:59 ` [PATCH 04/24] tty: Fix ref counting for port krefs Peter Hurley
2014-02-13 18:36 ` Greg Kroah-Hartman
2014-02-10 1:59 ` [PATCH 05/24] Bluetooth: Fix racy acquire of rfcomm_dev reference Peter Hurley
2014-02-10 1:59 ` [PATCH 06/24] Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl Peter Hurley
2014-02-10 1:59 ` [PATCH 07/24] Bluetooth: Release rfcomm_dev only once Peter Hurley
2014-02-10 1:59 ` [PATCH 08/24] Bluetooth: Fix unreleased rfcomm_dev reference Peter Hurley
2014-02-10 1:59 ` [PATCH 09/24] Bluetooth: Fix RFCOMM tty teardown race Peter Hurley
2014-02-10 1:59 ` [PATCH 10/24] Bluetooth: Verify dlci not in use before rfcomm_dev create Peter Hurley
2014-02-10 1:59 ` [PATCH 11/24] Bluetooth: Simplify RFCOMM session state eval Peter Hurley
2014-02-10 1:59 ` [PATCH 12/24] Bluetooth: Refactor deferred setup test in rfcomm_dlc_close() Peter Hurley
2014-02-10 1:59 ` [PATCH 13/24] Bluetooth: Refactor dlc disconnect logic " Peter Hurley
2014-02-10 1:59 ` [PATCH 14/24] Bluetooth: Directly close dlc for not yet started RFCOMM session Peter Hurley
2014-02-10 1:59 ` Peter Hurley [this message]
2014-02-10 1:59 ` [PATCH 16/24] Bluetooth: Fix RFCOMM parent device for reused dlc Peter Hurley
2014-02-10 1:59 ` [PATCH 17/24] Bluetooth: Rename __rfcomm_dev_get() to __rfcomm_dev_lookup() Peter Hurley
2014-02-10 1:59 ` [PATCH 18/24] Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls Peter Hurley
2014-02-10 1:59 ` [PATCH 19/24] Bluetooth: Refactor rfcomm_dev_add() Peter Hurley
2014-02-10 1:59 ` [PATCH 20/24] Bluetooth: Cleanup RFCOMM device registration error handling Peter Hurley
2014-02-10 1:59 ` [PATCH 21/24] Bluetooth: Force -EIO from tty read/write if .activate() fails Peter Hurley
2014-02-10 1:59 ` [PATCH 22/24] Bluetooth: Don't fail RFCOMM tty writes Peter Hurley
2014-02-10 1:59 ` [PATCH 23/24] Bluetooth: Refactor write_room() calculation Peter Hurley
2014-02-10 1:59 ` [PATCH 24/24] Bluetooth: Fix " Peter Hurley
2014-02-10 22:09 ` [PATCH 00/24] rfcomm fixes Marcel Holtmann
2014-02-10 23:00 ` Peter Hurley
2014-02-12 22:58 ` Marcel Holtmann
2014-02-13 0:38 ` Peter Hurley
2014-02-13 21:48 ` Alexander Holler
2014-02-12 11:06 ` Sander Eikelenboom
2014-03-03 19:38 ` Sander Eikelenboom
2014-03-10 8:38 ` [RC6 Bell Chime] " Sander Eikelenboom
2014-03-10 15:08 ` John W. Linville
2014-03-11 15:14 ` [RC6 Bell Chime] " Marcel Holtmann
2014-03-14 0:49 ` Sander Eikelenboom
2014-03-14 1:28 ` Marcel Holtmann
2014-03-14 1:29 ` Peter Hurley
2014-03-15 13:51 ` Sander Eikelenboom
2014-03-15 17:53 ` Linus Torvalds
2014-03-15 20:45 ` Peter Hurley
2014-03-15 22:20 ` Sander Eikelenboom
2014-03-16 0:16 ` Linus Torvalds
2014-02-13 21:41 ` Alexander Holler
2014-02-14 21:45 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1391997564-1805-16-git-send-email-peter@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=andrey.vihrov@gmail.com \
--cc=gianluca@sottospazio.it \
--cc=gustavo@padovan.org \
--cc=holler@ahsoftware.de \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@eikelenboom.it \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox