Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp457918pxa; Fri, 21 Aug 2020 11:35:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwrObTS2YAht99x95Iwen6gXgM3Hl7KhUKpMvyQJWvpiu02bWKj6ZUT+n2rszvKgCMb20XU X-Received: by 2002:a17:906:8748:: with SMTP id hj8mr4182992ejb.477.1598034906737; Fri, 21 Aug 2020 11:35:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598034906; cv=none; d=google.com; s=arc-20160816; b=rEFwrzWp+YE2KCJAXL4z4w4iI7lXaHnXk6tG6t2SPnkSUwiFNB++hanoDBbEFSNPGL iVkmh/ooIiOkY46lxe5Y3Fjx59FTSOFJaiLjnbo18p9R2EX/dRpisT5XoDXGunEeZ+gH FMeZHbvRO/fV+x5glSmAcLfRlrON+JyV3I4oCcnE014N0HzLhmpkKfWyVSFr+NikpB7g pIYycbTsJZPuaHtEzOu31gfWQZUEmjmJXcrtkFjAh0DAJOehnRhpzEy/kDWTAhf8oO87 ubcTP36EjmNfo1kEBIxfvUdGj9vivhLdjCKD4tP3tDkSZxUTH9k+7szaJUg86wTclhWp NJDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=fr4MQvR1m+Ep3gAECVru7t5+/T/t18aHUrMbvW+Fi+Q=; b=IGCZfa0qWcynkwBGsFPOyWCOdK0MkXArNX2GmBIHWVkTzID7qz+cd/n60i8Wvpdlfl oZrBBll0nHQMMTZT7uws/u2w/b3HBEG9Kcbvt/oCawDS/eeimA8Q+eIU+201wiuHsE9x T6Tj890eUOwDGBnt282b/c57eE99P9JYuDSDwBKJ+/RQjWTLhLXsb6ftLTSo9i6IiUfM jWZYFXwZxhpbHfqjAOq6MgQTX32ifKxzXVxgFaZp6iqXwYTmCJplhDk0iwBHUNUuwNSj w3k5WIMDsQ9R6i4gaMsb1VhakGoArWrWc99tzXBFnN6KQvkiaR2RaVImUr/LnozBtWMz EWSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=MJV1VMO0; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dn9si790035edb.55.2020.08.21.11.34.42; Fri, 21 Aug 2020 11:35:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=MJV1VMO0; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725821AbgHUSeg (ORCPT + 99 others); Fri, 21 Aug 2020 14:34:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725802AbgHUSeg (ORCPT ); Fri, 21 Aug 2020 14:34:36 -0400 Received: from mail-ed1-x544.google.com (mail-ed1-x544.google.com [IPv6:2a00:1450:4864:20::544]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 987ACC061573 for ; Fri, 21 Aug 2020 11:34:35 -0700 (PDT) Received: by mail-ed1-x544.google.com with SMTP id w14so1755812eds.0 for ; Fri, 21 Aug 2020 11:34:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fr4MQvR1m+Ep3gAECVru7t5+/T/t18aHUrMbvW+Fi+Q=; b=MJV1VMO0bbg6z8FuF9ucxo2muc6KnyEDVNNJti0he6uZFnNPJVI69x6iN7Ins24z2Q bKHtGLOz+AYKjihD1NIcibZueaSwkIYbQVvtA9DgqbOjt4SnhYYuT20QjgTLmC3fDwnp rFHxVqnoldYL7jVGQDUf988pfHktwX3gL3YUM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fr4MQvR1m+Ep3gAECVru7t5+/T/t18aHUrMbvW+Fi+Q=; b=eL6LEYN1CjCAfeHa583CRE5btoKr4CCdqj9nAjaYPR4aPYhw+jiL0/LFUO+Wc8qfcm HEGE93jMIOXGv1ZaajpctfVCMR1juA8MfaCXNguOj4Yg0MJv1PJ2VzNd9XzZw61EpKnE 7WU87HdGBR2S8JikirDXqA+zbIBPMtwSYVDK97YirTilRF2UIBE3/z9JSZgMWvsHBqqL CK6dBve6j3aY5ITes4sBK/tJNWi+25YfhM3L3/KLKnXfM5E4xLoWG7+zGm4MPwXMTKcu greWGa7cZEZuJE0tm7h9ky84RvD8mAU88b6mXEhargSY2SNXo+uDqvHB11I0OlWxcSR3 M8Mw== X-Gm-Message-State: AOAM533+0IaLNNa4G1mqteqDkGn28TuFisS3bxxi+buOxAq57eCboIqA ccjrSIyHsOlCSPZjdyuN/csCxsF/pVb/nQ== X-Received: by 2002:aa7:c70b:: with SMTP id i11mr4102876edq.272.1598034873870; Fri, 21 Aug 2020 11:34:33 -0700 (PDT) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com. [209.85.221.41]) by smtp.gmail.com with ESMTPSA id sb9sm1755758ejb.90.2020.08.21.11.34.33 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 21 Aug 2020 11:34:33 -0700 (PDT) Received: by mail-wr1-f41.google.com with SMTP id w13so2495940wrk.5 for ; Fri, 21 Aug 2020 11:34:33 -0700 (PDT) X-Received: by 2002:a5d:42c5:: with SMTP id t5mr3897237wrr.370.1598034872695; Fri, 21 Aug 2020 11:34:32 -0700 (PDT) MIME-Version: 1.0 References: <20200821063844.17349-1-sonnysasaka@chromium.org> In-Reply-To: From: Sonny Sasaka Date: Fri, 21 Aug 2020 11:34:20 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH BlueZ] device: Cleanup att of a device object before assigning a new one. To: Luiz Augusto von Dentz Cc: "linux-bluetooth@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Luiz, I sent an incomplete patch. I realized that there was a follow up to this patch and I have sent the revision titled "device: Disconnect att before creating a new one". It contains the explanation why the kernel reports connected 2 times as well. Please ignore this patch and review the other patch instead. Thanks. On Fri, Aug 21, 2020 at 10:04 AM Luiz Augusto von Dentz wrote: > > Hi Sonny, > > On Thu, Aug 20, 2020 at 11:40 PM Sonny Sasaka wrote: > > > > For some unknown reason, sometimes the controller replies "Command > > Disallowed" to a Disconnect command. When this happens, bluez kernel > > strangely reports 2 MGMT_EV_DEVICE_CONNECTED events to bluetoothd. > > Unfortunately bluetoothd doesn't handle this case so this situation will > > lead to bluetoothd crashing due to UAF at later time. > > > > This patch protects this situation by always cleaning up the att of a > > device object before assigning a new one. This way the old att will not > > at later time fire disconnect event which would operate on the already > > freed device pointer. > > > > Tested by repeatedly connecting/disconnecting to a device until the > > situation happens and checking that bluetoothd doesn't crash. > > > > --- > > src/device.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/src/device.c b/src/device.c > > index 7b7808405..e696ba1c6 100644 > > --- a/src/device.c > > +++ b/src/device.c > > @@ -5304,6 +5304,12 @@ bool device_attach_att(struct btd_device *dev, GIOChannel *io) > > return false; > > } > > > > + // This may be reached when the device already has att attached to it. > > + // In this case cleanup the att first before assigning the new one, > > + // otherwise the old att may fire a disconnect event at later time > > + // and will invoke operations on the already freed device pointer. > > + if (dev->attrib || dev->att) > > + attio_cleanup(dev); > > It might be better just returning instead of cleaning up just to > recreate the instance below or is there a problem reusing the existing > instance? btw we need to investigate why the kernel is reporting > connected 2 times in a row since that is probably a bug there. > > > dev->attrib = attrib; > > dev->att = g_attrib_get_att(attrib); > > > > -- > > 2.26.2 > > > > > -- > Luiz Augusto von Dentz