Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1613965pxb; Sat, 22 Jan 2022 01:20:22 -0800 (PST) X-Google-Smtp-Source: ABdhPJwYnxh+jcL3TbV56UJ2g18E3cHDPfV6ajTuRE184Ig8HZwhmbax4bH3rYNd3I14UzhJQYMK X-Received: by 2002:a63:4f41:: with SMTP id p1mr5428805pgl.495.1642843222435; Sat, 22 Jan 2022 01:20:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642843222; cv=none; d=google.com; s=arc-20160816; b=oMpc7tjJbmvb6Cz3RTyAq/htcEiSnDPgamUyrCqbXXWPx2QRkN4rUB69M21vak4BpN nAYhsn0M3NQhLiMyw1iiyXibrZ0DddWjphTtWh5hYWpfdwoiNyroPfNrSSqyjX9lzgX0 Z/E4a2Az2OQkY57tOHfzgMs16ERFOsP9t6vDuF/f8f8ya/fgLMRJ/WFa8fhcJ6LOfKBr 3CyF7tSbkejgOOCNVACpCIyozhST1nsQqwtE0NElVObJkFO/YkXkynUtshnna3tG7K9A h9+T2pGNQMXO9XHX+LmPnKj1pKEn39HGq0GLBhyg6DX0RrpJPRdpjTRPMNC4fSmSveqV qlJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=XBPXrK5d4Q3kr1rY61LzklnjBEDewcTywkOFDOQFUkc=; b=HHhlCDRQo1Lkk4aHnGYEpD72bD84uvVmWbVOf7RvoDx6oTTfdxvDY4KDfy4WU3ZwmR Y1H6d9MNBO2F6MmbDHISfTVi2YOryzCZxcnXJxZ3CEajLO2WKwehMjDWZTftDYrXAi5z k8Oaz8aQUakVBrgdPyJW+4atWUxlsqiL2Y5aqUX/0n5IJacHHuRwxtkEL0/WZ9VeqlXl z7kETYVmKvxjHx40T68w9xo4OPg2ZoKOQPwI9TTop4XxIvy5e9e5WnUlXgPcdUO+Yu68 4z6Sh4jfhUv/vigTS1a954X599gkaZioZkfU/Te3+x5UtHz/YL8yTfGqZmugE5JU1eM1 hTKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=emvhjIOr; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n1si9472931plc.156.2022.01.22.01.20.09; Sat, 22 Jan 2022 01:20:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=emvhjIOr; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229847AbiAUVbh (ORCPT + 99 others); Fri, 21 Jan 2022 16:31:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229798AbiAUVbh (ORCPT ); Fri, 21 Jan 2022 16:31:37 -0500 Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E88A3C06173B; Fri, 21 Jan 2022 13:31:36 -0800 (PST) Received: by mail-yb1-xb31.google.com with SMTP id p5so31091332ybd.13; Fri, 21 Jan 2022 13:31:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=XBPXrK5d4Q3kr1rY61LzklnjBEDewcTywkOFDOQFUkc=; b=emvhjIOrkbLkLK7QtoKAezEOQhTjn6XimYAssH9ANqpKpBVzZUO8qo+0n/4HO2bT1Z UjSa8pHCocY/PZZ6+ZCtgarsqa0yFJz/eZPsZL/6u2lnfFPukQKGRJzBGFpmd7mTz3CE qxcffHvPp3TSy2glIKET5KlOUENx/WHlbBKghYsVTWh+LF7YDkfiMzTz046rgztkBC04 fo1wkJiOu8TPhz0Z7nnb3UvV/eUEqCz5KbjFsJ0fMljNbko+ecdjeSyEL2qJ9aCV/Wwj nvKmP1Sbu58tHUi5MlxcTI0fnjFeUexm1SH9g7bnkNp9f1aFkntCZisC5E7uZ1CHgwQP Y1xA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=XBPXrK5d4Q3kr1rY61LzklnjBEDewcTywkOFDOQFUkc=; b=kgzwdXvOMVWcjHe8XaM2KqI0soKO4m5k1F1mAppXisAfH9U6jhxrNRjlHv59u8ED5O fwKSOo3wQWEG0+zJGF8Uu2oY+URrFuHT5yZMRy7SBubLcFkFpu7mA9cRo/ja2EeBkyNJ i9TrKcBuEqDDUwHZ/2n638Dln/r4L8M2Bnsct/HsaW3+U6eMvnbW+hu3gqp2NMCpbQYf jYfTacFMKLSdP+YAtyibvj8OTYwLSV6wwGIbUdaWsiPaUbODHEyixsQKbwzw2aNRH1M5 GVySLfhqCkJ5sNCnH4s+wMkokfY8L/ZY31VD/iUZppRgfQqe0hMf9BenlJEBDXN5y6NA ru+g== X-Gm-Message-State: AOAM532siZoDg/VZgyytL3cmCaFwWP625dLFWQ5KRqMYayQHfGGXU10E 6A6dFld98LOjlOkLQx8inCyQgrrSJ7LIk48seG8= X-Received: by 2002:a25:bd8d:: with SMTP id f13mr8920942ybh.573.1642800696041; Fri, 21 Jan 2022 13:31:36 -0800 (PST) MIME-Version: 1.0 References: <20220121173622.192744-1-soenke.huster@eknoes.de> <4f3d6dcf-c142-9a99-df97-6190c8f2abc9@eknoes.de> In-Reply-To: <4f3d6dcf-c142-9a99-df97-6190c8f2abc9@eknoes.de> From: Luiz Augusto von Dentz Date: Fri, 21 Jan 2022 13:31:25 -0800 Message-ID: Subject: Re: [RFC PATCH] Bluetooth: hci_event: Ignore multiple conn complete events To: =?UTF-8?Q?S=C3=B6nke_Huster?= Cc: Marcel Holtmann , Johan Hedberg , "David S. Miller" , Jakub Kicinski , "linux-bluetooth@vger.kernel.org" , "open list:NETWORKING [GENERAL]" , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi S=C3=B6nke, On Fri, Jan 21, 2022 at 10:22 AM S=C3=B6nke Huster wrote: > > I just noticed that just checking for handle does not work, as obviously = 0x0 could also be a handle value and therefore it can't be distinguished, w= hether it is not set yet or it is 0x0. Yep, we should probably check its state, check for state !=3D BT_OPEN since that is what hci_conn_add initialize the state. > On 21.01.22 18:36, Soenke Huster wrote: > > When a HCI_CONNECTION_COMPLETE event is received multiple times > > for the same handle, the device is registered multiple times which lead= s > > to memory corruptions. Therefore, consequent events for a single > > connection are ignored. > > > > The conn->state can hold different values so conn->handle is > > checked to detect whether a connection is already set up. > > > > Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=3D215497 > > Signed-off-by: Soenke Huster > > --- > > This fixes the referenced bug and several use-after-free issues I disco= vered. > > I tagged it as RFC, as I am not 100% sure if checking the existence of = the > > handle is the correct approach, but to the best of my knowledge it must= be > > set for the first time in this function for valid connections of this e= vent, > > therefore it should be fine. > > > > net/bluetooth/hci_event.c | 11 +++++++++++ > > 1 file changed, 11 insertions(+) > > > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > > index 681c623aa380..71ccb12c928d 100644 > > --- a/net/bluetooth/hci_event.c > > +++ b/net/bluetooth/hci_event.c > > @@ -3106,6 +3106,17 @@ static void hci_conn_complete_evt(struct hci_dev= *hdev, void *data, > > } > > } > > > > + /* The HCI_Connection_Complete event is only sent once per connec= tion. > > + * Processing it more than once per connection can corrupt kernel= memory. > > + * > > + * As the connection handle is set here for the first time, it in= dicates > > + * whether the connection is already set up. > > + */ > > + if (conn->handle) { > > + bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for ex= isting connection"); > > + goto unlock; > > + } > > + > > if (!ev->status) { > > conn->handle =3D __le16_to_cpu(ev->handle); > > --=20 Luiz Augusto von Dentz