From patchwork Tue May 2 20:15:31 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 679167
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink
Date: Tue, 2 May 2023 13:15:31 -0700
Message-Id: <20230502201534.1500462-1-luiz.dentz@gmail.com>
From: Ruihan Li

The hci_conn_unlink function is being called by hci_conn_del, which means it should not call hci_conn_del with the input parameter conn again. If it does, conn may have already been released when hci_conn_unlink returns, leading to potential UAF and double-free issues.

This patch resolves the problem by modifying hci_conn_unlink to release only conn's child links when necessary, but never release conn itself.

Reported-by: syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000484a8205faafe216@google.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Reported-by: syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com
Reported-by: Luiz Augusto von Dentz
Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_conn.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 640b951bf40a..70e1655a9df6 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1083,8 +1083,18 @@ static void hci_conn_unlink(struct hci_conn *conn) if (!conn->parent) { struct hci_link *link, *t; - list_for_each_entry_safe(link, t, &conn->link_list, list) - hci_conn_unlink(link->conn); + list_for_each_entry_safe(link, t, &conn->link_list, list) { + struct hci_conn *child = link->conn; + + hci_conn_unlink(child); + + /* Due to race, SCO connection might be not established + * yet at this point. Delete it now, otherwise it is + * possible for it to be stuck and can't be deleted. + */ + if (child->handle == HCI_CONN_HANDLE_UNSET) + hci_conn_del(child); + } return; }
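Review bot: the new `if (child->handle == HCI_CONN_HANDLE_UNSET) hci_conn_del(child);` in the child loop is not restricted by link type, although the comment above it only justifies the early delete for a SCO connection that has not been established yet; a CIS child with an unset handle would be deleted by the same path. Suggest guarding the delete with `child->type == SCO_LINK || child->type == ESCO_LINK` so the behaviour matches the comment. Moving the delete from the child side into the parent loop is otherwise sound: `hci_conn_unlink(child)` has already cleared `child->parent`, so the later `hci_conn_del(child)` cannot re-enter unlink on the parent being torn down.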
@@ -1100,13 +1110,6 @@ static void hci_conn_unlink(struct hci_conn *conn) kfree(conn->link); conn->link = NULL; - - /* Due to race, SCO connection might be not established * yet at this point. Delete it now, otherwise it is * possible for it to be stuck and can't be deleted. */ - if (conn->handle == HCI_CONN_HANDLE_UNSET) - hci_conn_del(conn); } int hci_conn_del(struct hci_conn *conn)
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 2/4] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
Date: Tue, 2 May 2023 13:15:32 -0700
Message-Id: <20230502201534.1500462-2-luiz.dentz@gmail.com>
In-Reply-To: <20230502201534.1500462-1-luiz.dentz@gmail.com>
References: <20230502201534.1500462-1-luiz.dentz@gmail.com>

From: Ruihan Li

If hci_conn_put(conn->parent) reduces conn->parent's reference count to zero, it can immediately deallocate conn->parent. At the same time, conn->link->list has its head in conn->parent, causing use-after-free problems in the latter list_del_rcu(&conn->link->list).

This problem can be easily solved by reordering the two operations, i.e., first performing the list removal with list_del_rcu and then decreasing the refcnt with hci_conn_put.

Reported-by: Luiz Augusto von Dentz
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_conn.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 70e1655a9df6..44d0643fc681 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1102,12 +1102,12 @@ static void hci_conn_unlink(struct hci_conn *conn) if (!conn->link) return; - hci_conn_put(conn->parent); - conn->parent = NULL; - list_del_rcu(&conn->link->list); synchronize_rcu(); + hci_conn_put(conn->parent); + conn->parent = NULL; + kfree(conn->link); conn->link = NULL; }
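Review bot: the reorder is correct (conn->link->list has its head in conn->parent, so the put must come after the list removal and the synchronize_rcu()), but nothing in the code records that constraint; a one-line comment above `list_del_rcu(&conn->link->list);` such as "list head lives in conn->parent, drop the parent reference only after removal" would stop a later cleanup from swapping the two blocks back. Also note that the unlink still pairs only `hci_conn_put(conn->parent)` against the `hci_conn_get` taken in hci_conn_link; the `hci_conn_hold` taken there has no matching `hci_conn_drop` in this function yet.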
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 3/4] Bluetooth: Fix UAF in hci_conn_hash_flush again
Date: Tue, 2 May 2023 13:15:33 -0700
Message-Id: <20230502201534.1500462-3-luiz.dentz@gmail.com>
In-Reply-To: <20230502201534.1500462-1-luiz.dentz@gmail.com>
References: <20230502201534.1500462-1-luiz.dentz@gmail.com>
From: Ruihan Li

Commit 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon") reintroduced a previously fixed bug [1] ("KASAN: slab-use-after-free Read in hci_conn_hash_flush"). This bug was originally fixed by commit 5dc7d23e167e ("Bluetooth: hci_conn: Fix possible UAF").

The hci_conn_unlink function was added to avoid invalidating the link traversal caused by successive hci_conn_del operations releasing extra connections. However, currently hci_conn_unlink itself also releases extra connections, resulting in the reintroduced bug.

This patch follows a more robust solution for cleaning up all connections, by repeatedly removing the first connection until there are none left. This approach does not rely on the inner workings of hci_conn_del and ensures proper cleanup of all connections.

Meanwhile, we need to make sure that hci_conn_del never fails. Indeed it doesn't, as it now always returns zero. To make this a bit clearer, this patch also changes its return type to void.

Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz
---
 include/net/bluetooth/hci_core.h | 2 +-
 net/bluetooth/hci_conn.c | 33 +++++++++++++++++++++-----------
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index a6c8aee2f256..8baf34639939 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1327,7 +1327,7 @@ int hci_le_create_cis(struct hci_conn *conn); struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst, u8 role); -int hci_conn_del(struct hci_conn *conn); +void hci_conn_del(struct hci_conn *conn); void hci_conn_hash_flush(struct hci_dev *hdev); void hci_conn_check_pending(struct hci_dev *hdev); diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 44d0643fc681..1e8910c50bef 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1083,6 +1083,14 @@ static void hci_conn_unlink(struct hci_conn *conn) if (!conn->parent) { struct hci_link *link, *t; + /* If hdev is down it means + * hci_dev_close_sync/hci_conn_hash_flush is in progress + * and links don't need to be cleanup as all connections would + * be cleanup. + */ + if (!test_bit(HCI_UP, &hdev->flags)) + return; + list_for_each_entry_safe(link, t, &conn->link_list, list) { struct hci_conn *child = link->conn; @@ -1112,7 +1120,7 @@ static void hci_conn_unlink(struct hci_conn *conn) conn->link = NULL; } -int hci_conn_del(struct hci_conn *conn) +void hci_conn_del(struct hci_conn *conn) { struct hci_dev *hdev = conn->hdev; @@ -1163,8 +1171,6 @@ int hci_conn_del(struct hci_conn *conn) * rest of hci_conn_del. */ hci_conn_cleanup(conn); - - return 0; } struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type) 
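Review bot: the early `return` added before the child loop in hci_conn_unlink() leaves the children linked when HCI_UP is clear, so each child's `link->list` entry still hangs off `conn->link_list` inside a parent that hci_conn_del() is about to clean up; that is only safe because every child still holds the `hci_conn_get` reference taken in hci_conn_link, which keeps the parent allocated until the child's own unlink runs `list_del_rcu(&conn->link->list)` and then puts it. The comment should spell out that dependency rather than just "links don't need to be cleanup", since it is what makes skipping the unlink correct during hci_conn_hash_flush(). Two smaller points: `hdev` does not appear in the hunk's context, so confirm hci_conn_unlink() has a local `struct hci_dev *hdev = conn->hdev;` in scope, and the comment grammar should read "don't need to be cleaned up as all connections will be cleaned up".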
@@ -2465,22 +2471,27 @@ void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active) /* Drop all connection on the device */ void hci_conn_hash_flush(struct hci_dev *hdev) { - struct hci_conn_hash *h = &hdev->conn_hash; - struct hci_conn *c, *n; + struct list_head *head = &hdev->conn_hash.list; + struct hci_conn *conn; BT_DBG("hdev %s", hdev->name); - list_for_each_entry_safe(c, n, &h->list, list) { - c->state = BT_CLOSED; - - hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); + /* We should not traverse the list here, because hci_conn_del + * can remove extra links, which may cause the list traversal + * to hit items that have already been released. + */ + while ((conn = list_first_entry_or_null(head, + struct hci_conn, + list)) != NULL) { + conn->state = BT_CLOSED; + hci_disconn_cfm(conn, HCI_ERROR_LOCAL_HOST_TERM); /* Unlink before deleting otherwise it is possible that * hci_conn_del removes the link which may cause the list to * contain items already freed. */ - hci_conn_unlink(c); - hci_conn_del(c); + hci_conn_unlink(conn); + hci_conn_del(conn); } }
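Review bot: the `while ((conn = list_first_entry_or_null(head, ...)) != NULL)` loop only terminates if every iteration removes `conn` from `hdev->conn_hash.list`, and that now rests entirely on hci_conn_del() always unlinking the connection from the hash (the commit message says it cannot fail); state that invariant in the comment above the loop, because a future early return in hci_conn_del() would turn this from a crash into an infinite loop. The retained inner comment "Unlink before deleting otherwise it is possible that hci_conn_del removes the link which may cause the list to contain items already freed" is now stale: the loop no longer traverses the list and tolerates extra removals, which is exactly what the new comment above it says, so reword it to give the remaining reason for the explicit `hci_conn_unlink(conn)` or drop it.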
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 4/4] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
Date: Tue, 2 May 2023 13:15:34 -0700
Message-Id: <20230502201534.1500462-4-luiz.dentz@gmail.com>
In-Reply-To: <20230502201534.1500462-1-luiz.dentz@gmail.com>
References: <20230502201534.1500462-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz

Currently, hci_conn_del calls hci_conn_unlink for BR/EDR, (e)SCO, and CIS connections, i.e., everything except LE connections. However, if (e)SCO connections are unlinked when BR/EDR disconnects, CIS connections should also be unlinked when LE disconnects.

In terms of disconnection behavior, CIS and (e)SCO connections are not too different. One peculiarity of CIS is that when CIS connections are disconnected, the CIS handle isn't deleted, as per [BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E] 7.1.6 Disconnect command:

  All SCO, eSCO, and CIS connections on a physical link should be disconnected before the ACL connection on the same physical connection is disconnected. If it does not, they will be implicitly disconnected as part of the ACL disconnection.
  ...
  Note: As specified in Section 7.7.5, on the Central, the handle for a CIS remains valid even after disconnection and, therefore, the Host can recreate a disconnected CIS at a later point in time using the same connection handle.

Since hci_conn_link invokes both hci_conn_get and hci_conn_hold, hci_conn_unlink should perform both hci_conn_put and hci_conn_drop as well. However, currently it performs only hci_conn_put.

This patch makes hci_conn_unlink call hci_conn_drop as well, which simplifies the logic in hci_conn_del a bit and may benefit future users of hci_conn_unlink.

But it is noted that this change additionally implies that hci_conn_unlink can queue disc_work on conn itself, with the following call stack:

  hci_conn_unlink(conn) [conn->parent == NULL]
  -> hci_conn_unlink(child) [child->parent == conn]
  -> hci_conn_drop(child->parent)
  -> queue_delayed_work(&conn->disc_work)

Queued disc_work after hci_conn_del can be spurious, so during the process of hci_conn_del, it is necessary to make the call to cancel_delayed_work(&conn->disc_work) after invoking hci_conn_unlink.

Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_conn.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 1e8910c50bef..6414f64334aa 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1100,7 +1100,9 @@ static void hci_conn_unlink(struct hci_conn *conn) * yet at this point. Delete it now, otherwise it is * possible for it to be stuck and can't be deleted. */ - if (child->handle == HCI_CONN_HANDLE_UNSET) + if ((child->type == SCO_LINK || + child->type == ESCO_LINK) && + child->handle == HCI_CONN_HANDLE_UNSET) hci_conn_del(child); } @@ -1113,6 +1115,7 @@ static void hci_conn_unlink(struct hci_conn *conn) list_del_rcu(&conn->link->list); synchronize_rcu(); + hci_conn_drop(conn->parent); hci_conn_put(conn->parent); conn->parent = NULL; @@ -1126,12 +1129,13 @@ void hci_conn_del(struct hci_conn *conn) BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle); + hci_conn_unlink(conn); + cancel_delayed_work_sync(&conn->disc_work); cancel_delayed_work_sync(&conn->auto_accept_work); cancel_delayed_work_sync(&conn->idle_work); if (conn->type == ACL_LINK) { - hci_conn_unlink(conn); /* Unacked frames */ hdev->acl_cnt += conn->sent; } else if (conn->type == LE_LINK) { @@ -1142,13 +1146,6 @@ void hci_conn_del(struct hci_conn *conn) else hdev->acl_cnt += conn->sent; } else { - struct hci_conn *acl = conn->parent; - - if (acl) { - hci_conn_unlink(conn); - hci_conn_drop(acl); - } - /* Unacked ISO frames */ if (conn->type == ISO_LINK) { if (hdev->iso_pkts)
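Review bot: in the hci_conn_unlink() hunk the order `hci_conn_drop(conn->parent); hci_conn_put(conn->parent);` is load-bearing: drop dereferences the parent while put releases the reference that kept it alive from the child's side, so a short comment stating that drop must stay first would protect the pair from being reordered the way the put and `list_del_rcu` were in the previous patch. Likewise, moving `hci_conn_unlink(conn)` ahead of `cancel_delayed_work_sync(&conn->disc_work)` in hci_conn_del() is only explained in the commit message (unlinking a child can requeue the parent's disc_work); put that reason at the call site so the next person does not move the unlink back below the cancels. The narrowing of the early child delete to `SCO_LINK`/`ESCO_LINK` resolves the type-agnostic check from patch 1 and matches its comment.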