Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp924947pxb; Wed, 6 Apr 2022 04:27:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxCgJry0bJpfAxx1QNU17oOWqFPJc1HAfv1UxmHYBSXk8XfVOt8dILd2CGSdnJVRsiOBC2f X-Received: by 2002:a63:7d13:0:b0:398:2d7d:cde2 with SMTP id y19-20020a637d13000000b003982d7dcde2mr6555648pgc.376.1649244447511; Wed, 06 Apr 2022 04:27:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649244447; cv=none; d=google.com; s=arc-20160816; b=GZGaBCH8PRswbEQwTtWZu+URAKNWtZMdRsKZq+FosuK2hnpNWzTlet2gZjorj75Wyn C7o3KAZ7Em1ln1eLOkSJYdtIIsp9faWz4ed5inAXWEFWC0VJiPuQ/f59mT4pZA3fch3y zq+IVKWTZobXb8KVoEFurGwdF4x7IMrSxOHTz50criBKfM0QQQo/WcPVPAxXJxON34fs oI9821SLxlBkxzXYFE/PRIhbjwP3bqNfwmAUhyYo4pFDNYY1YvBFvCJoEioh1zy1Lw4+ Cjxi5fNbvBw6Ns1Vwq+n6hqSWMWdlJWDMXrjDq5mNebu15S7mft9HuDoovBbWLdsOCtS LRLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version; bh=xLVz7574Yz3r8CHT5vC31YHNfJiYum3ahiMTLtve+70=; b=PUg26LjMEtF+NvZ/6ExqFlRycbDZzVCWGTsk0pLsTZ/3sqCZPYRl6K++yfG5kb3Ud2 SQPCkcBqb93HjqVFcFxJ2b7qJiawaK5HD5ErWCJp5itAJZwSQ149czUPBQoggomhER8W 17L+RbzoSMmsR5Ed8Ej/tnB0BJgMEZhUYXaQULpXyPyKrSUAzqCe/qQgKZfAdMU78Ne3 CGQD1B+CNGJ8oEhHu27lqBn1bxiTGAPvlRyY2oUhg76zPpv25P8DaO24hUx25HHsGv3/ d6Sm/Ev5ZWsEnUe/GQ5diUrGxyRpzqQOeeZZ0UHYgbSdTETallgIL/Tu67lCMwkooDrd pLrw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id b3-20020a170903228300b00155d6fbf4e3si15523111plh.405.2022.04.06.04.27.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 04:27:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 25E154E1D0E; Wed, 6 Apr 2022 02:49:42 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237628AbiDFAlV convert rfc822-to-8bit (ORCPT + 99 others); Tue, 5 Apr 2022 20:41:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49426 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1572915AbiDERUK (ORCPT ); Tue, 5 Apr 2022 13:20:10 -0400 Received: from mail.holtmann.org (coyote.holtmann.net [212.227.132.17]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 73FA725DA for ; Tue, 5 Apr 2022 10:18:09 -0700 (PDT) Received: from smtpclient.apple (CMPC-089-239-127-162.CNet.Gawex.PL [89.239.127.162]) by mail.holtmann.org (Postfix) with ESMTPSA id 6F86CCECC4; Tue, 5 Apr 2022 19:18:08 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\)) Subject: Re: [PATCH] Bluetooth: use hdev lock for accept_list and reject_list in conn req From: Marcel Holtmann In-Reply-To: <20220404003403.35690-1-dossche.niels@gmail.com> Date: Tue, 5 Apr 2022 19:18:07 +0200 Cc: linux-bluetooth@vger.kernel.org, Johan Hedberg , Luiz Augusto von Dentz Content-Transfer-Encoding: 8BIT Message-Id: <2F8732A2-FED9-4649-8F9D-680536E94D34@holtmann.org> References: <20220404003403.35690-1-dossche.niels@gmail.com> To: Niels Dossche X-Mailer: Apple Mail (2.3696.80.82.1.1) X-Spam-Status: No, score=1.5 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_SBL_CSS, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Niels, > All accesses (both read and modifications) to > hdev->{accept,reject}_list are protected by hdev lock, > except the ones in hci_conn_request_evt. This can cause a race condition > in the form of a list corruption. > The solution is to protect these lists in hci_conn_request_evt as well. > > I was unable to find the exact commit that introduced the issue for the > reject list, I was only able to find it for the accept list. > > Note: > I am currently working on a static analyser to detect missing locks > using type-based static analysis as my master's thesis > in order to obtain my master's degree. > If you would like to have more details, please let me know. > This was a reported case. I manually verified the report by looking > at the code, so that I do not send wrong information or patches. > After concluding that this seems to be a true positive, I created > this patch. I have both compile-tested this patch and runtime-tested > this patch on x86_64. The effect on a running system could be a > potential race condition in exceptional cases. > This issue was found on Linux v5.17.1. this doesn’t belong in the commit message. > > Fixes: a55bd29d5227 ("Bluetooth: Add white list lookup for incoming connection requests") > Signed-off-by: Niels Dossche > --- > net/bluetooth/hci_event.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index abaabfae19cc..b9038f24f46f 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -3222,8 +3222,11 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data, > return; > } > > + hci_dev_lock(hdev); > + > if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, > BDADDR_BREDR)) { > + hci_dev_unlock(hdev); > hci_reject_conn(hdev, &ev->bdaddr); > return; > } > @@ -3236,14 +3239,13 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data, > !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && > !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, > BDADDR_BREDR)) { > + hci_dev_unlock(hdev); > hci_reject_conn(hdev, &ev->bdaddr); > return; > } Can we use an exit goto-label instead. I am not a big fan of "unbalanced” _unlock statements. > /* Connection accepted */ > > - hci_dev_lock(hdev); > - > ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); > if (ie) > memcpy(ie->data.dev_class, ev->dev_class, 3); Regards Marcel