Subject: Re: [PATCH net] Bluetooth: hci_event: fix possible multiple drops by marked conn->state after hci_disconnect()
Date: Thu, 11 Apr 2024 19:14:34 +0300
To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
References: <20240411151929.403263-1-kovalev@altlinux.org>
From: kovalev@altlinux.org
In-Reply-To: <20240411151929.403263-1-kovalev@altlinux.org>

11.04.2024 18:19, kovalev@altlinux.org wrote:
> From: Vasiliy Kovalev
>
> When returning from the hci_disconnect() function, the conn->state
> continues to be set to BT_CONNECTED and hci_conn_drop() is executed,
> which decrements the conn->refcnt.

Syzkaller C reproducer:
https://lore.kernel.org/all/f8bb62a7-5845-53ed-7fbe-c0557c2745f2@basealt.ru/#t

During debugging, the value of conn->refcnt goes down to -1000 and below.

> Syzkaller has generated a reproducer that results in multiple calls to
> hci_encrypt_change_evt() of the same conn object.
> --
> hci_encrypt_change_evt(){
>     // conn->state == BT_CONNECTED
>     hci_disconnect(){
>         hci_abort_conn();
>     }
>     hci_conn_drop();
>     // conn->state == BT_CONNECTED
> }
> --
> This behavior can cause the conn->refcnt to go far into negative values
> and cause problems. To get around this, you need to change the conn->state,
> namely to BT_DISCONN, as it was before.
>
> Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections")
> Cc: stable@vger.kernel.org
> Signed-off-by: Vasiliy Kovalev
> ---
> net/bluetooth/hci_event.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 64477e1bde7cec..e0477021183f9b 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -2989,6 +2989,7 @@ static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) > > hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); > hci_conn_drop(conn); > + conn->state = BT_DISCONN; > > unlock: > hci_dev_unlock(hdev); > @@ -3654,6 +3655,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, > hci_encrypt_cfm(conn, ev->status); > hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); > hci_conn_drop(conn); > + conn->state = BT_DISCONN; > goto unlock; > }
> > @@ -5248,6 +5250,7 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, > if (ev->status && conn->state == BT_CONNECTED) { > hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); > hci_conn_drop(conn); > + conn->state = BT_DISCONN; > goto unlock; > } > -- Regards, Vasiliy Kovalev
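Review bot: In the hci_cs_le_start_enc() hunk (and the two hunks that follow it), the new `conn->state = BT_DISCONN;` is written after `hci_conn_drop(conn);` has already released this path's reference to conn. Unless the hdev lock released at the `unlock:` label is what keeps conn alive across the drop, the state should be set before the reference is given up, i.e. directly after `hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);`, so the object is never touched after the drop. The commit message also only describes the hci_encrypt_change_evt() reproducer; one sentence on why the command-status handler hci_cs_le_start_enc() needs the same change would help reviewers and the stable backport.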
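Review bot: In the hci_encrypt_change_evt() hunk, the context shown does not include the condition that the new state is supposed to trip on the second event: the visible lines are only hci_encrypt_cfm(), hci_disconnect(), hci_conn_drop() and `goto unlock;`. The hci_key_refresh_complete_evt() hunk guards its path with `if (ev->status && conn->state == BT_CONNECTED) {`, which is what makes marking BT_DISCONN effective there. Please confirm (and state in the commit message) that an equivalent BT_CONNECTED check exists on the hci_encrypt_change_evt() path; if it does not, a repeated event still reaches hci_conn_drop() and the added assignment does not prevent the second drop the reproducer shows.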
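Review bot: In the hci_key_refresh_complete_evt() hunk, this is the third call site that adds the identical `conn->state = BT_DISCONN;` immediately after the hci_disconnect()/hci_conn_drop() pair, and the Fixes: tag points at a13f316e90fd, which consolidated the abort path. That suggests the state transition belongs in the common path (hci_disconnect() or hci_abort_conn()) so every caller gets it at once, rather than patching three callers and leaving any other caller of hci_disconnect() with the same BT_CONNECTED-after-disconnect state. As a style point, the subject line "fix possible multiple drops by marked conn->state" should read "by marking conn->state".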