Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1415307pxb; Fri, 21 Jan 2022 18:09:52 -0800 (PST) X-Google-Smtp-Source: ABdhPJy1TPqS9J8G/xXCyexewgcTvZf8FKWkhYiq9zmGiHMglhJAmoBYHvXtszPFxM/PSeyYW+te X-Received: by 2002:a05:6a00:1a86:b0:4c1:3039:16a6 with SMTP id e6-20020a056a001a8600b004c1303916a6mr5806407pfv.5.1642817391992; Fri, 21 Jan 2022 18:09:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642817391; cv=none; d=google.com; s=arc-20160816; b=uvICE+AFcYdMz6RukK7u9rsp6VnWqE6aHyleTtktOsrm5eVd6R9KR1YOyUpQnGZ8fZ hOvEtINEDKrczbFl4gZYW0RKQjqEzhcIpeYbpRaZzcw6ZmitztlXLHCeDSo5TIxRIObq g+MbctZHGS+6aYIx7TBeKtLJqrKyLgRXc3cBXu6Pr3wR0e4TBd2cyJYSM0Asa8DrKQ/K /66xZuHizVrKB3WJ6Z2UU9lkTNv6JUzeJ2adnW0YoibrTas3ycZ/b9pq/aFc2f+W+KRr 3osqudLhjMukBhx9is7r2WqraSn66OsJj/4KpsAKUr5QanfntCt9XRuxYFIa9uNCU7FJ /sUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=JnVMxRGkK8h38h99f6bHU4Iy3lR/neWsXfjkTtLe2uk=; b=HU5+t/X+P2EXOZpGhmBJ8YQ7DXTIDi6W4Q6GIIKvb2FTJf6hR2ovBtbGO8FN6Ve3y4 jdd7mS+Wspt7x+iRVGOUShJpQIaQs6sfudAB8KuCCUgzcWLUA6FDQdXVubBi1jZx/x5G 3wdPxEY7DqkGdmcRtBBowYXwVTsvtckJHzhZeAGJ1g2EoAmsCqAfnVPmBffDCczpir44 k/ju/qr9nYEF/3Ni7wwc5N8HTW81qSLfuc7VmRruyR3Bx5ZqHNJDa+9FIe+kR6SaVUIR lOsFqmOjfFLkiJeeqzHCCvnceZIdNp/JAsxlUF7jYqtjECnHKjfBuh/SO7Ri5r3wP07o 7yMw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x11si8815890pgl.231.2022.01.21.18.09.18; Fri, 21 Jan 2022 18:09:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236001AbiAUSWO (ORCPT + 99 others); Fri, 21 Jan 2022 13:22:14 -0500 Received: from giacobini.uberspace.de ([185.26.156.129]:38912 "EHLO giacobini.uberspace.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235976AbiAUSWO (ORCPT ); Fri, 21 Jan 2022 13:22:14 -0500 Received: (qmail 15978 invoked by uid 990); 21 Jan 2022 18:22:11 -0000 Authentication-Results: giacobini.uberspace.de; auth=pass (plain) Message-ID: <4f3d6dcf-c142-9a99-df97-6190c8f2abc9@eknoes.de> Date: Fri, 21 Jan 2022 19:22:10 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Subject: Re: [RFC PATCH] Bluetooth: hci_event: Ignore multiple conn complete events Content-Language: en-US To: Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Jakub Kicinski Cc: linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20220121173622.192744-1-soenke.huster@eknoes.de> From: =?UTF-8?Q?S=c3=b6nke_Huster?= In-Reply-To: <20220121173622.192744-1-soenke.huster@eknoes.de> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Rspamd-Bar: - X-Rspamd-Report: MIME_GOOD(-0.1) BAYES_HAM(-2.999992) SUSPICIOUS_RECIPS(1.5) X-Rspamd-Score: -1.599992 Received: from unknown (HELO unkown) (::1) by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA; Fri, 21 Jan 2022 19:22:11 +0100 Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org I just noticed that just checking for handle does not work, as obviously 0x0 could also be a handle value and therefore it can't be distinguished, whether it is not set yet or it is 0x0. On 21.01.22 18:36, Soenke Huster wrote: > When a HCI_CONNECTION_COMPLETE event is received multiple times > for the same handle, the device is registered multiple times which leads > to memory corruptions. Therefore, consequent events for a single > connection are ignored. > > The conn->state can hold different values so conn->handle is > checked to detect whether a connection is already set up. > > Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497 > Signed-off-by: Soenke Huster > --- > This fixes the referenced bug and several use-after-free issues I discovered. > I tagged it as RFC, as I am not 100% sure if checking the existence of the > handle is the correct approach, but to the best of my knowledge it must be > set for the first time in this function for valid connections of this event, > therefore it should be fine. > > net/bluetooth/hci_event.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index 681c623aa380..71ccb12c928d 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -3106,6 +3106,17 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, > } > } > > + /* The HCI_Connection_Complete event is only sent once per connection. > + * Processing it more than once per connection can corrupt kernel memory. > + * > + * As the connection handle is set here for the first time, it indicates > + * whether the connection is already set up. > + */ > + if (conn->handle) { > + bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); > + goto unlock; > + } > + > if (!ev->status) { > conn->handle = __le16_to_cpu(ev->handle); >