| Message ID | 8d413750f5749773c033245a593394933b77372e.1692986355.git.pav@iki.fi (mailing list archive) |
|---|---|
| State | New, archived |
| Series | Bluetooth: hci_conn: verify connection is to be aborted before doing it |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/CheckPatch | success | CheckPatch PASS |
tedd_an/GitLint | fail | WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 15: B1 Line exceeds max length (88>80): "Closes: https://lore.kernel.org/linux-bluetooth/0000000000005ab984060371583e@google.com/" 26: B3 Line contains hard tab characters (\t): " 2874 conn = hci_conn_hash_lookup_handle(hdev, handle);" 27: B3 Line contains hard tab characters (\t): " 2875 if (!conn || WARN_ON(!conn->abort_reason))" 28: B3 Line contains hard tab characters (\t): " 2876 return 0;" |
tedd_an/SubjectPrefix | success | Gitlint PASS |
tedd_an/BuildKernel | success | BuildKernel PASS |
tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
tedd_an/CheckSparse | success | CheckSparse PASS |
tedd_an/CheckSmatch | success | CheckSparse PASS |
tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
tedd_an/TestRunner_iso-tester | success | TestRunner PASS |
tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
tedd_an/TestRunner_mgmt-tester | success | TestRunner PASS |
tedd_an/TestRunner_rfcomm-tester | success | TestRunner PASS |
tedd_an/TestRunner_sco-tester | success | TestRunner PASS |
tedd_an/TestRunner_ioctl-tester | success | TestRunner PASS |
tedd_an/TestRunner_mesh-tester | success | TestRunner PASS |
tedd_an/TestRunner_smp-tester | success | TestRunner PASS |
tedd_an/TestRunner_userchan-tester | success | TestRunner PASS |
tedd_an/IncrementalBuild | success | Incremental Build PASS |
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com

Tested on:

commit:         2a05334d Bluetooth: btusb: Do not call kfree_skb() und..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1521e55ba80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e532e371ba4b65ca
dashboard link: https://syzkaller.appspot.com/bug?extid=a0c80b06ae2cb8895bc4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11eaff5ba80000

Note: testing is done by a robot and is best-effort only.
This is an automated email, please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=779464

---Test result---

Test Summary:
CheckPatch                    PASS      0.89 seconds
GitLint                       FAIL      0.59 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      32.03 seconds
CheckAllWarning               PASS      35.29 seconds
CheckSparse                   PASS      40.36 seconds
CheckSmatch                   PASS      113.12 seconds
BuildKernel32                 PASS      31.07 seconds
TestRunnerSetup               PASS      475.05 seconds
TestRunner_l2cap-tester       PASS      27.01 seconds
TestRunner_iso-tester         PASS      47.85 seconds
TestRunner_bnep-tester        PASS      10.34 seconds
TestRunner_mgmt-tester        PASS      217.79 seconds
TestRunner_rfcomm-tester      PASS      15.84 seconds
TestRunner_sco-tester         PASS      19.02 seconds
TestRunner_ioctl-tester       PASS      17.82 seconds
TestRunner_mesh-tester        PASS      12.97 seconds
TestRunner_smp-tester         PASS      14.03 seconds
TestRunner_userchan-tester    PASS      10.94 seconds
IncrementalBuild              PASS      29.67 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: hci_conn: verify connection is to be aborted before doing it

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
15: B1 Line exceeds max length (88>80): "Closes: https://lore.kernel.org/linux-bluetooth/0000000000005ab984060371583e@google.com/"
26: B3 Line contains hard tab characters (\t): "	2874 conn = hci_conn_hash_lookup_handle(hdev, handle);"
27: B3 Line contains hard tab characters (\t): "	2875 if (!conn || WARN_ON(!conn->abort_reason))"
28: B3 Line contains hard tab characters (\t): "	2876 return 0;"

---
Regards,
Linux Bluetooth
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 9d5057cef30a..8622eddb946a 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -2886,12 +2886,25 @@ static int abort_conn_sync(struct hci_dev *hdev, void *data) { struct hci_conn *conn; u16 handle = PTR_UINT(data); + u8 reason; + int err; + + rcu_read_lock(); conn = hci_conn_hash_lookup_handle(hdev, handle); + if (conn) { + reason = READ_ONCE(conn->abort_reason); + conn = reason ? hci_conn_get(conn) : NULL; + } + + rcu_read_unlock(); + if (!conn) return 0; - return hci_abort_conn_sync(hdev, conn, conn->abort_reason); + err = hci_abort_conn_sync(hdev, conn, reason); + hci_conn_put(conn); + return err; } int hci_abort_conn(struct hci_conn *conn, u8 reason) @@ -2903,6 +2916,8 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) */ if (conn->abort_reason) return 0; + if (WARN_ON(!reason)) + reason = HCI_ERROR_UNSPECIFIED; bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 9b93653c6197..a93096c5cbfd 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -5375,6 +5375,8 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) u16 handle = conn->handle; struct hci_conn *c; + WARN_ON(!reason); + switch (conn->state) { case BT_CONNECTED: case BT_CONFIG:
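Review bot: in the abort_conn_sync() hunk the reason-zero check silently turns a reused handle into a no-op, but nothing in the code says that abort_reason == 0 is being used as the "nobody asked to abort this conn" marker; a one-line comment above `conn = reason ? hci_conn_get(conn) : NULL;` would make that explicit, and a bt_dev_dbg() in the `if (!conn) return 0;` path would make the skipped case visible in a trace. The rcu_read_lock() around the lookup also only protects the hash walk and the get; once rcu_read_unlock() runs the conn may still be torn down by another path before hci_abort_conn_sync() sees it, which the held reference survives but whose state change the callee has to tolerate, so it is worth noting in the commit message that the reference is what removes the UAF and the abort_reason snapshot is what removes the wrong-conn abort.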
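Review bot: the `if (WARN_ON(!reason)) reason = HCI_ERROR_UNSPECIFIED;` added to hci_abort_conn() is what makes abort_reason != 0 a reliable "marked for abort" flag for the abort_conn_sync() check, so the two hunks depend on each other and that should be said above the new lines. Since the cover notes say the syzbot reproducer does reach this path with reason == 0, a WARN_ON() here will turn that reproducer into a warning report; either identify the caller passing 0 and fix it in the same series, or downgrade to bt_dev_warn() with the handle if the fallback is meant to be tolerated.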
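Review bot: the bare `WARN_ON(!reason);` at the top of hci_abort_conn_sync() has no fallback, unlike the hci_abort_conn() hunk, so after the warning the function continues into the state switch with reason still 0. For consistency either substitute HCI_ERROR_UNSPECIFIED here as well or `return -EINVAL;`, and pick one of the two so the behaviour for a zero reason is the same in both places.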
There is a race condition where a connection handle is reused, after
hci_abort_conn but before abort_conn_sync is processed in hci_sync.
In this case, hci_abort_conn_sync ends up calling hci_connect_cfm with
success status and then deletes the connection, which causes a use-after-free.

Fix by checking abort_reason before calling hci_abort_conn_sync.

Also fix some theoretical UAF / races, where something frees the conn
while hci_abort_conn_sync is working on it.

Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections")
Reported-by: syzbot+a0c80b06ae2cb8895bc4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/0000000000005ab984060371583e@google.com/
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
    Not sure how you'd hit this condition in a real controller, but syzbot
    does end up calling hci_abort_conn_sync with reason == 0 which then
    causes havoc.

    This can be verified: with a patch that changes abort_conn_sync to

        2874 conn = hci_conn_hash_lookup_handle(hdev, handle);
        2875 if (!conn || WARN_ON(!conn->abort_reason))
        2876 return 0;

    https://syzkaller.appspot.com/text?tag=Patch&x=16eff740680000

    it hits that WARN_ON:

    https://syzkaller.appspot.com/x/log.txt?x=10affb97a80000

    #syz test git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master

 net/bluetooth/hci_conn.c | 17 ++++++++++++++++-
 net/bluetooth/hci_sync.c |  2 ++
 2 files changed, 18 insertions(+), 1 deletion(-)