Subject: Re: [PATCH] Bluetooth: skip invalid hci_sync_conn_complete_evt
From: Marcel Holtmann
To: Desmond Cheong Zhi Xi
Cc: Johan Hedberg, Luiz Augusto von Dentz, "David S. Miller", Jakub Kicinski, linux-bluetooth, "open list:NETWORKING [GENERAL]", open list, skhan@linuxfoundation.org, gregkh@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
Date: Thu, 22 Jul 2021 16:39:12 +0200
In-Reply-To: <20210721101710.82974-1-desmondcheongzx@gmail.com>
References: <20210721101710.82974-1-desmondcheongzx@gmail.com>
List-ID: linux-bluetooth@vger.kernel.org

Hi Desmond,

> Syzbot reported a corrupted list in kobject_add_internal [1]. This
> happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
> status 0 are sent for the same HCI connection. This causes us to
> register the device more than once which corrupts the kset list.

and that is actually forbidden by the spec. So we need to complain loudly that such a device is misbehaving.

> To fix this, in hci_sync_conn_complete_evt, we check whether we're
> trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
> times for one connection. If that's the case, the event is invalid, so
> we skip further processing and exit.
>
> Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
> Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
> Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
> Signed-off-by: Desmond Cheong Zhi Xi
> ---
>  net/bluetooth/hci_event.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 016b2999f219..091a92338492 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4373,6 +4373,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
>
>  	switch (ev->status) {
>  	case 0x00:
> +		if (conn->state == BT_CONNECTED)
> +			goto unlock; /* Already connected, event not valid */

The comment has to go above and be a lot more detailed, since this is not expected behavior from valid hardware, and we should add a bt_dev_err as well.

>  		conn->handle = __le16_to_cpu(ev->handle);
>  		conn->state = BT_CONNECTED;
>  		conn->type = ev->link_type;

Regards

Marcel
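Review bot: The new `if (conn->state == BT_CONNECTED) goto unlock;` under `case 0x00:` discards the duplicate event silently, so a controller that sends a second HCI_EV_SYNC_CONN_COMPLETE for an already-connected handle (the condition the commit message says corrupts the kset list) leaves no trace in the kernel log; emit a `bt_dev_err(hdev, ...)` naming the event before the `goto unlock` so the misbehaving hardware is visible, and move the trailing `/* Already connected, event not valid */` into a multi-line comment above the `if` that states why a repeated event is invalid. Note also that the guard sits only under `case 0x00:`, so a repeated event carrying a non-zero status still falls through to the existing error-status handling; the commit message should say whether that is intended.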