|
Lee, Chun-Yi |
fcfbe5 |
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
|
Lee, Chun-Yi |
fcfbe5 |
Date: Mon, 12 Sep 2022 01:21:42 +0900
|
|
Lee, Chun-Yi |
fcfbe5 |
Subject: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
|
|
Lee, Chun-Yi |
fcfbe5 |
Patch-mainline: v6.1-rc1
|
|
Lee, Chun-Yi |
fcfbe5 |
Git-commit: f74ca25d6d6629ffd4fd80a1a73037253b57d06b
|
|
Lee, Chun-Yi |
fcfbe5 |
References: jsc#PED-1407
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
syzbot is again reporting attempt to cancel uninitialized work
|
|
Lee, Chun-Yi |
fcfbe5 |
at mgmt_index_removed() [1], for setting of HCI_MGMT flag from
|
|
Lee, Chun-Yi |
fcfbe5 |
mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can
|
|
Lee, Chun-Yi |
fcfbe5 |
race with testing of HCI_MGMT flag from mgmt_index_removed() from
|
|
Lee, Chun-Yi |
fcfbe5 |
hci_sock_bind() due to lack of serialization via hci_dev_lock().
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can
|
|
Lee, Chun-Yi |
fcfbe5 |
safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and
|
|
Lee, Chun-Yi |
fcfbe5 |
hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag
|
|
Lee, Chun-Yi |
fcfbe5 |
after INIT_DELAYED_WORK() completed.
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
This is a local fix based on mgmt_chan_list_lock. Lack of serialization
|
|
Lee, Chun-Yi |
fcfbe5 |
via hci_dev_lock() might be causing different race conditions somewhere
|
|
Lee, Chun-Yi |
fcfbe5 |
else. But a global fix based on hci_dev_lock() should deserve a future
|
|
Lee, Chun-Yi |
fcfbe5 |
patch.
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
Link: https://syzkaller.appspot.com/bug?extid=844c7bf1b1aa4119c5de
|
|
Lee, Chun-Yi |
fcfbe5 |
Reported-by: syzbot+844c7bf1b1aa4119c5de@syzkaller.appspotmail.com
|
|
Lee, Chun-Yi |
fcfbe5 |
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
|
Lee, Chun-Yi |
fcfbe5 |
Fixes: 3f2893d3c142986a ("Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()")
|
|
Lee, Chun-Yi |
fcfbe5 |
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
|
Lee, Chun-Yi |
fcfbe5 |
Acked-by: Lee, Chun-Yi <jlee@suse.com>
|
|
Lee, Chun-Yi |
fcfbe5 |
---
|
|
Lee, Chun-Yi |
fcfbe5 |
net/bluetooth/mgmt.c | 4 +++-
|
|
Lee, Chun-Yi |
fcfbe5 |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
--- a/net/bluetooth/mgmt.c
|
|
Lee, Chun-Yi |
fcfbe5 |
+++ b/net/bluetooth/mgmt.c
|
|
Lee, Chun-Yi |
fcfbe5 |
@@ -1050,7 +1050,7 @@ static void discov_off(struct work_struc
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
|
|
Lee, Chun-Yi |
fcfbe5 |
{
|
|
Lee, Chun-Yi |
fcfbe5 |
- if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
|
|
Lee, Chun-Yi |
fcfbe5 |
+ if (hci_dev_test_flag(hdev, HCI_MGMT))
|
|
Lee, Chun-Yi |
fcfbe5 |
return;
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
|
|
Lee, Chun-Yi |
fcfbe5 |
@@ -1065,6 +1065,8 @@ static void mgmt_init_hdev(struct sock *
|
|
Lee, Chun-Yi |
fcfbe5 |
* it
|
|
Lee, Chun-Yi |
fcfbe5 |
*/
|
|
Lee, Chun-Yi |
fcfbe5 |
hci_dev_clear_flag(hdev, HCI_BONDABLE);
|
|
Lee, Chun-Yi |
fcfbe5 |
+
|
|
Lee, Chun-Yi |
fcfbe5 |
+ hci_dev_set_flag(hdev, HCI_MGMT);
|
|
Lee, Chun-Yi |
fcfbe5 |
}
|
|
Lee, Chun-Yi |
fcfbe5 |
|
|
Lee, Chun-Yi |
fcfbe5 |
static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
|