From patchwork Tue May 2 21:25:24 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 678456
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink
Date: Tue, 2 May 2023 14:25:24 -0700
Message-Id: <20230502212527.1662896-1-luiz.dentz@gmail.com>
X-Mailer: git-send-email 2.40.0
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-bluetooth@vger.kernel.org
From: Ruihan Li

The hci_conn_unlink function is being called by hci_conn_del, which means it should not call hci_conn_del with the input parameter conn again. If it does, conn may have already been released when hci_conn_unlink returns, leading to potential UAF and double-free issues.

This patch resolves the problem by modifying hci_conn_unlink to release only conn's child links when necessary, but never release conn itself.

Reported-by: syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Reported-by: syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com
Reported-by: Luiz Augusto von Dentz
Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_conn.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 640b951bf40a..70e1655a9df6 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1083,8 +1083,18 @@ static void hci_conn_unlink(struct hci_conn *conn) if (!conn->parent) { struct hci_link *link, *t; - list_for_each_entry_safe(link, t, &conn->link_list, list) - hci_conn_unlink(link->conn); + list_for_each_entry_safe(link, t, &conn->link_list, list) { + struct hci_conn *child = link->conn; + + hci_conn_unlink(child); + + /* Due to race, SCO connection might be not established + * yet at this point. Delete it now, otherwise it is + * possible for it to be stuck and can't be deleted. + */ + if (child->handle == HCI_CONN_HANDLE_UNSET) + hci_conn_del(child); + } return; }
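Review bot: the `if (child->handle == HCI_CONN_HANDLE_UNSET)` delete applies to every child link type, but the comment above it only justifies it for SCO; either restrict the check to SCO/eSCO children (`child->type == SCO_LINK || child->type == ESCO_LINK`) or widen the comment, since a CIS child with an unset handle would otherwise be deleted on the strength of a SCO-specific rationale. A short note that `hci_conn_del(child)` is safe inside the `list_for_each_entry_safe` walk only because `hci_conn_unlink(child)` has already detached the child's link would also help the next reader.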
@@ -1100,13 +1110,6 @@ static void hci_conn_unlink(struct hci_conn *conn) kfree(conn->link); conn->link = NULL; - - /* Due to race, SCO connection might be not established - * yet at this point. Delete it now, otherwise it is - * possible for it to be stuck and can't be deleted. - */ - if (conn->handle == HCI_CONN_HANDLE_UNSET) - hci_conn_del(conn); } int hci_conn_del(struct hci_conn *conn)
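Review bot: dropping the trailing `hci_conn_del(conn)` removes the only self-delete in the child branch, so the commit message (or a comment next to `conn->link = NULL;`) should say where an unestablished SCO child is now deleted when it is unlinked directly rather than through its parent's loop; as written, a reader of this function alone cannot tell that the parent-side loop above is meant to be the sole owner of that delete.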
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 2/4] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
Date: Tue, 2 May 2023 14:25:25 -0700
Message-Id: <20230502212527.1662896-2-luiz.dentz@gmail.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230502212527.1662896-1-luiz.dentz@gmail.com>
References: <20230502212527.1662896-1-luiz.dentz@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-bluetooth@vger.kernel.org

From: Ruihan Li

If hci_conn_put(conn->parent) reduces conn->parent's reference count to zero, it can immediately deallocate conn->parent. At the same time, conn->link->list has its head in conn->parent, causing use-after-free problems in the latter list_del_rcu(&conn->link->list).

This problem can be easily solved by reordering the two operations, i.e., first performing the list removal with list_del_rcu and then decreasing the refcnt with hci_conn_put.

Reported-by: Luiz Augusto von Dentz
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_conn.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 70e1655a9df6..44d0643fc681 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1102,12 +1102,12 @@ static void hci_conn_unlink(struct hci_conn *conn) if (!conn->link) return; - hci_conn_put(conn->parent); - conn->parent = NULL; - list_del_rcu(&conn->link->list); synchronize_rcu(); + hci_conn_put(conn->parent); + conn->parent = NULL; + kfree(conn->link); conn->link = NULL; }
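Review bot: the reorder is correct, but the moved `hci_conn_put(conn->parent);` deserves a one-line comment saying it must stay after `list_del_rcu(&conn->link->list)` and `synchronize_rcu()` because the list head lives inside `conn->parent`; without that comment the next tidy-up can restore the old order and the use-after-free with it.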
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 3/4] Bluetooth: Fix UAF in hci_conn_hash_flush again
Date: Tue, 2 May 2023 14:25:26 -0700
Message-Id: <20230502212527.1662896-3-luiz.dentz@gmail.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230502212527.1662896-1-luiz.dentz@gmail.com>
References: <20230502212527.1662896-1-luiz.dentz@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-bluetooth@vger.kernel.org
From: Ruihan Li

Commit 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon") reintroduced a previously fixed bug [1] ("KASAN: slab-use-after-free Read in hci_conn_hash_flush"). This bug was originally fixed by commit 5dc7d23e167e ("Bluetooth: hci_conn: Fix possible UAF").

The hci_conn_unlink function was added to avoid invalidating the link traversal caused by successive hci_conn_del operations releasing extra connections. However, currently hci_conn_unlink itself also releases extra connections, resulting in the reintroduced bug.

This patch follows a more robust solution for cleaning up all connections, by repeatedly removing the first connection until there are none left. This approach does not rely on the inner workings of hci_conn_del and ensures proper cleanup of all connections.

Meanwhile, we need to make sure that hci_conn_del never fails. Indeed it doesn't, as it now always returns zero. To make this a bit clearer, this patch also changes its return type to void.

Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz
---
 include/net/bluetooth/hci_core.h | 2 +-
 net/bluetooth/hci_conn.c | 33 +++++++++++++++++++++-----------
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index a6c8aee2f256..8baf34639939 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1327,7 +1327,7 @@ int hci_le_create_cis(struct hci_conn *conn); struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, u8 role); -int hci_conn_del(struct hci_conn *conn); +void hci_conn_del(struct hci_conn *conn); void hci_conn_hash_flush(struct hci_dev *hdev); void hci_conn_check_pending(struct hci_dev *hdev); diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 44d0643fc681..ce588359b290 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1088,6 +1088,14 @@ static void hci_conn_unlink(struct hci_conn *conn) hci_conn_unlink(child); + /* If hdev is down it means + * hci_dev_close_sync/hci_conn_hash_flush is in progress + * and links don't need to be cleanup as all connections + * would be cleanup. + */ + if (!test_bit(HCI_UP, &hdev->flags)) + continue; + /* Due to race, SCO connection might be not established * yet at this point. Delete it now, otherwise it is * possible for it to be stuck and can't be deleted. @@ -1112,7 +1120,7 @@ static void hci_conn_unlink(struct hci_conn *conn) conn->link = NULL; } -int hci_conn_del(struct hci_conn *conn) +void hci_conn_del(struct hci_conn *conn) { struct hci_dev *hdev = conn->hdev; @@ -1163,8 +1171,6 @@ int hci_conn_del(struct hci_conn *conn) * rest of hci_conn_del. */ hci_conn_cleanup(conn); - - return 0; } struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 
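Review bot: the new `if (!test_bit(HCI_UP, &hdev->flags)) continue;` reads `hdev`, which does not appear in the hunk's context, so the hunk should show (or the message state) that it is the function's existing local taken from `conn->hdev`. The comment above it should read "cleaned up" rather than "cleanup" in both places, and should say why an unlocked read of HCI_UP that races with hci_dev_close_sync is acceptable here, namely that a child skipped by this test is still removed by hci_conn_hash_flush.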
@@ -2465,22 +2471,27 @@ void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) /* Drop all connection on the device */ void hci_conn_hash_flush(struct hci_dev *hdev) { - struct hci_conn_hash *h = &hdev->conn_hash; - struct hci_conn *c, *n; + struct list_head *head = &hdev->conn_hash.list; + struct hci_conn *conn; BT_DBG("hdev %s", hdev->name); - list_for_each_entry_safe(c, n, &h->list, list) { - c->state = BT_CLOSED; - - hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); + /* We should not traverse the list here, because hci_conn_del + * can remove extra links, which may cause the list traversal + * to hit items that have already been released. + */ + while ((conn = list_first_entry_or_null(head, + struct hci_conn, + list)) != NULL) { + conn->state = BT_CLOSED; + hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); /* Unlink before deleting otherwise it is possible that * hci_conn_del removes the link which may cause the list to * contain items already freed. */ - hci_conn_unlink(c); - hci_conn_del(c); + hci_conn_unlink(conn); + hci_conn_del(conn); } }
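Review bot: the `while ((conn = list_first_entry_or_null(head, ...)) != NULL)` loop terminates only if every `hci_conn_del(conn)` unconditionally takes `conn` off `head`; the message says hci_conn_del never fails, so make that invariant visible in the code, either as a comment on the loop or as a `WARN_ON` when the first entry is unchanged after the delete, so that a future early return in hci_conn_del produces a warning rather than a silent infinite loop in hci_dev_close_sync. The retained comment "Unlink before deleting otherwise it is possible that hci_conn_del removes the link which may cause the list to contain items already freed" is now partly stale, since this loop no longer walks the list with a saved cursor; shorten it to say the unlink tears down the child links first.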
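The list-walk hazard that the message of patch 3 describes (a "next" cursor saved by `list_for_each_entry_safe` naming a child that hci_conn_del has already freed) and the first-entry loop the patch adopts instead, modelled in userland C as an added example. This is not kernel code: `struct conn`, `conn_del`, the `flush_*` functions and the tombstone flag that stands in for `free()` are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal intrusive list with the shape of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *h)
{ e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e; }
static void list_del(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; }
/* Constructed model of hci_conn. A tombstone flag stands in for free(), so a
 * use-after-free becomes observable instead of being undefined behaviour. */
struct conn {
	struct list_head list;	/* entry in the modelled conn_hash list */
	struct conn *parent;	/* ACL/LE hcon this SCO/CIS child is linked to, or NULL */
	bool freed;
};
static struct conn pool[8];
static int npool;
static struct list_head conn_list;
static struct conn *conn_add(struct conn *parent)
{
	struct conn *c = &pool[npool++];
	c->parent = parent; c->freed = false;
	list_add_tail(&c->list, &conn_list);
	return c;
}
/* Like hci_conn_del: deleting a parent also unlinks and frees its children,
 * so one call can remove list entries other than the one passed in. */
static void conn_del(struct conn *c)
{
	struct list_head *pos, *n;
	for (pos = conn_list.next; pos != &conn_list; pos = n) {
		struct conn *child = list_entry(pos, struct conn, list);
		n = pos->next;
		if (child->parent == c) { list_del(&child->list); child->freed = true; }
	}
	list_del(&c->list);
	c->freed = true;	/* never fails: c is always off the list afterwards */
}
/* Constructed scenario: a parent listed before its child, then an unrelated hcon. */
static void setup_scenario(void)
{
	struct conn *acl;
	npool = 0; list_init(&conn_list);
	acl = conn_add(NULL); conn_add(acl); conn_add(NULL);
}
/* Old hci_conn_hash_flush shape (list_for_each_entry_safe): the "next" pointer
 * saved before deletion may name a child that conn_del has just freed.
 * Returns how many freed entries the walk landed on (0 would be correct). */
static int flush_safe_iter(void)
{
	struct list_head *pos, *n; int stale = 0;
	setup_scenario();
	for (pos = conn_list.next; pos != &conn_list; pos = n) {
		struct conn *c = list_entry(pos, struct conn, list);
		n = pos->next;		/* saved now, stale once conn_del(c) frees it */
		if (c->freed) { stale++; break; }	/* KASAN UAF in the real driver */
		conn_del(c);
	}
	return stale;
}
/* Fixed shape: re-read the head after every deletion (list_first_entry_or_null),
 * so whatever conn_del removed is simply never visited.
 * Returns stale hits plus entries left behind; both must be 0. */
static int flush_first_entry(void)
{
	int stale = 0, left = 0;
	struct list_head *pos;
	setup_scenario();
	while (conn_list.next != &conn_list) {
		struct conn *c = list_entry(conn_list.next, struct conn, list);
		if (c->freed) { stale++; break; }
		conn_del(c);	/* must always remove c, or this loop never ends */
	}
	for (pos = conn_list.next; pos != &conn_list; pos = pos->next) left++;
	return stale + left;
}
```

The first-entry loop relies on the same invariant the commit message states for hci_conn_del: every call must take its entry off the list, otherwise the loop never terminates.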
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v3 4/4] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
Date: Tue, 2 May 2023 14:25:27 -0700
Message-Id: <20230502212527.1662896-4-luiz.dentz@gmail.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230502212527.1662896-1-luiz.dentz@gmail.com>
References: <20230502212527.1662896-1-luiz.dentz@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-bluetooth@vger.kernel.org
From: Luiz Augusto von Dentz

Currently, hci_conn_del calls hci_conn_unlink for BR/EDR, (e)SCO, and CIS connections, i.e., everything except LE connections. However, if (e)SCO connections are unlinked when BR/EDR disconnects, CIS connections should also be unlinked when LE disconnects.

In terms of disconnection behavior, CIS and (e)SCO connections are not too different. One peculiarity of CIS is that when CIS connections are disconnected, the CIS handle isn't deleted, as per [BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E] 7.1.6 Disconnect command:

  All SCO, eSCO, and CIS connections on a physical link should be disconnected before the ACL connection on the same physical connection is disconnected. If it does not, they will be implicitly disconnected as part of the ACL disconnection.
  ...
  Note: As specified in Section 7.7.5, on the Central, the handle for a CIS remains valid even after disconnection and, therefore, the Host can recreate a disconnected CIS at a later point in time using the same connection handle.

Since hci_conn_link invokes both hci_conn_get and hci_conn_hold, hci_conn_unlink should perform both hci_conn_put and hci_conn_drop as well. However, currently it performs only hci_conn_put.

This patch makes hci_conn_unlink call hci_conn_drop as well, which simplifies the logic in hci_conn_del a bit and may benefit future users of hci_conn_unlink. But it is noted that this change additionally implies that hci_conn_unlink can queue disc_work on conn itself, with the following call stack:

  hci_conn_unlink(conn) [conn->parent == NULL]
  -> hci_conn_unlink(child) [child->parent == conn]
    -> hci_conn_drop(child->parent)
      -> queue_delayed_work(&conn->disc_work)

Queued disc_work after hci_conn_del can be spurious, so during the process of hci_conn_del, it is necessary to make the call to cancel_delayed_work(&conn->disc_work) after invoking hci_conn_unlink.

Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/hci_conn.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index ce588359b290..f75ef12f18f7 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1100,7 +1100,9 @@ static void hci_conn_unlink(struct hci_conn *conn) * yet at this point. Delete it now, otherwise it is * possible for it to be stuck and can't be deleted. */ - if (child->handle == HCI_CONN_HANDLE_UNSET) + if ((child->type == SCO_LINK || + child->type == ESCO_LINK) && + child->handle == HCI_CONN_HANDLE_UNSET) hci_conn_del(child); } @@ -1113,6 +1115,7 @@ static void hci_conn_unlink(struct hci_conn *conn) list_del_rcu(&conn->link->list); synchronize_rcu(); + hci_conn_drop(conn->parent); hci_conn_put(conn->parent); conn->parent = NULL; @@ -1126,12 +1129,13 @@ void hci_conn_del(struct hci_conn *conn) BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); + hci_conn_unlink(conn); + cancel_delayed_work_sync(&conn->disc_work); cancel_delayed_work_sync(&conn->auto_accept_work); cancel_delayed_work_sync(&conn->idle_work); if (conn->type == ACL_LINK) { - hci_conn_unlink(conn); /* Unacked frames */ hdev->acl_cnt += conn->sent; } else if (conn->type == LE_LINK) { @@ -1142,13 +1146,6 @@ void hci_conn_del(struct hci_conn *conn) else hdev->acl_cnt += conn->sent; } else { - struct hci_conn *acl = conn->parent; - - if (acl) { - hci_conn_unlink(conn); - hci_conn_drop(acl); - } - /* Unacked ISO frames */ if (conn->type == ISO_LINK) { if (hdev->iso_pkts) @@ -2485,12 +2482,6 @@ void hci_conn_hash_flush(struct hci_dev *hdev) list)) != NULL) { conn->state = BT_CLOSED; hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); - - /* Unlink before deleting otherwise it is possible that - * hci_conn_del removes the link which may cause the list to - * contain items already freed. - */ - hci_conn_unlink(conn); hci_conn_del(conn); } }
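Review bot: restricting the unset-handle delete to `SCO_LINK`/`ESCO_LINK` children matches the spec passage quoted in the message (a CIS handle stays valid after disconnect), but the comment above the condition still speaks only of "SCO connection"; extend it to say that CIS children are deliberately excluded and why, so the type test does not look like an arbitrary narrowing.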
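Review bot: `hci_conn_drop(conn->parent);` placed before `hci_conn_put(conn->parent);` is the right order, because the drop may queue disc_work on the parent and the parent must still be alive for that, but the hunk relies on it silently; add a comment beside the pair so the order is not swapped by a later cleanup.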
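Review bot: moving `hci_conn_unlink(conn);` ahead of `cancel_delayed_work_sync(&conn->disc_work);` is what keeps the spurious disc_work described in the message from firing after the delete, and the moved call now also runs for LE_LINK parents, which is the point of the patch; put both facts in a comment on the moved line, otherwise the next reader sees an unlink before the work cancellation and "fixes" the order back.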
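Review bot: removing `hci_conn_unlink(conn);` from hci_conn_hash_flush is sound only because hci_conn_del now unlinks first (the earlier hunk in this patch); leave a one-line comment in the loop saying that hci_conn_del tears down the child links itself, so the loop's correctness stays documented at the place that relies on it.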