Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp939900pxb; Wed, 6 Apr 2022 04:54:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzv9CkweS2oazqi3UusyYzfRXtH8gNmcj7+BFTqMRn66JJlA1bOU60qp6Ger0AV6+v6KZ3o X-Received: by 2002:a17:90a:e7cd:b0:1c7:acbd:215d with SMTP id kb13-20020a17090ae7cd00b001c7acbd215dmr9367664pjb.153.1649246042832; Wed, 06 Apr 2022 04:54:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649246042; cv=none; d=google.com; s=arc-20160816; b=0PgGlTj815iwUNPncOcumJ4ugXfOwL/Zrk7Iz4SBCH2E1j7yMflV6IZjVY1OICi12Y +I2FLQAq/89d/Ty+C+m1ZdJWFrjDHSl22lem+8WbGxzSKmG0RG6GQ2bqkoQbxzNQdT02 z4bUStgxGjTNS1R4qgepykIrJo7HXT4rem1ZgCLpeSEXwgekCFwVLuH+TkUJZ1Lsjmku NA0820QWiPzmGYDB4vtvUhzun/XNDYcbCF+QAkVr86rP/IZzZiWhGnLxYDEbU9Oyd9Vq 7tXXektwaCCkp4VuNXE3ieK8X6lvbe/6k4aY95DmiSsjdj48cFLEMcl/1TsGV2cRerVZ Qo4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=lZTA6qS517iMBH/6vi6t25ZeLyj68KNfE9pEgZZW7fA=; b=j3M6IjCO+tHOTP03mf0VYdr/QFb3mvgva1HRbltetsCORy5xK6241GZuFf+osrsIC5 xA3etL8yLGxdixus9rorxWZS6WdY1U37IslKlOkr6i0ermioSAxtDtQA+cd6Zgb48EP4 Bmz+6HAW5BC0pzN5ancWLM+OZ+7CVR/yd1LTm97BAW5rpRb9nuGsrX7nm4wk1z92zSrE PCnytOpnuaZD8jQwp2BNNC8pzRO4NP7HxUeorrFPEHGp/kZjuSYka9Q4RQmoOQcqS1Rd QadAwSKVYcBxmpnRwF1eO0U/uN+IGzHofMfBQiVEHVbHWTkimbSoZpCVYbZH3WTPBakh B47w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=TLmlWOYn; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id b23-20020a63d317000000b0039908cd81b8si10577310pgg.133.2022.04.06.04.54.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 04:54:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=TLmlWOYn; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 80890642E3F; Wed, 6 Apr 2022 03:14:42 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237029AbiDFAlo (ORCPT + 99 others); Tue, 5 Apr 2022 20:41:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1572943AbiDERWa (ORCPT ); Tue, 5 Apr 2022 13:22:30 -0400 Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A17114012 for ; Tue, 5 Apr 2022 10:20:31 -0700 (PDT) Received: by mail-ed1-x52c.google.com with SMTP id f18so10661365edc.5 for ; Tue, 05 Apr 2022 10:20:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=lZTA6qS517iMBH/6vi6t25ZeLyj68KNfE9pEgZZW7fA=; b=TLmlWOYn6xoL40zCophbQad5csQnHtjQLp98WTNFg9BDiaOt816xefzQgv7UlNcd0M tt8u47n0LloId9KRYyVEdzHQslz7m3p83NnD0fhsiQpUkR2l+qWUglQxMEKWnOOnqjYy WrvtVtU4Y1suGGHJAFf7iwkxf3FKwl1emvCe1RsWMQ/pp/vlWYynsIBQdR5CzPY4Z32d z4Wb8fFb6fzFLTjCGvRiMWZnuLeUR2Ag9quEMFUVDxqipU+GKaYQ24Oxl04vOz5IJ8FV 1+/g+q39e4828TDIxZdUGYzxTu2GYkXWIRvkClVAE7P11LZ84WrO7MbXhuERARUIpvwj KBYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=lZTA6qS517iMBH/6vi6t25ZeLyj68KNfE9pEgZZW7fA=; b=j5Ek+SJIGrRLKpWCTE2+Fhd2hH/lgmBaiX3K7f7IghCh6n9nYjAOEGPSlGGBYI6/wL xZx/JSIeDkW7RmkzwdkohYCcQmmdn8LkNDIazRMfqUEcZexdUq/lqhzLYZPatJSEadd5 fQNyoyKu0JjxzqnUE5tugVRozWCj1bj4x9kKb+YSN/P0Jc3WEGKdPLgEbP+BW/C9Xehs HlM9tr83h3hGvek3VDLSTDOHY57uMFcUTIEFtRiu59d9nh05GmnOExT1aLjLt40yWVO1 WV+qK4Q+GaLFunJdQAaFixM8Cbp6FYGNuqftKzGDZg+lubImgNhr+90tLUT5LNAToOUl 7vUA== X-Gm-Message-State: AOAM532PiMYkCgzoOSmJouEHdggBsxDTkcpMikkslWD6E5M/RnQLIJow rjUYEN/26DdnsazI1dJY2nAUMUMfvRI= X-Received: by 2002:a05:6402:b4f:b0:41c:ce96:f3f4 with SMTP id bx15-20020a0564020b4f00b0041cce96f3f4mr4742453edb.98.1649179229883; Tue, 05 Apr 2022 10:20:29 -0700 (PDT) Received: from ?IPV6:2a02:1811:cc83:eef0:7bf1:a0f8:a9aa:ac98? (ptr-dtfv0pmq82wc9dcpm6w.18120a2.ip6.access.telenet.be. [2a02:1811:cc83:eef0:7bf1:a0f8:a9aa:ac98]) by smtp.gmail.com with ESMTPSA id s20-20020a056402015400b00418f9574a36sm6818308edu.73.2022.04.05.10.20.29 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 05 Apr 2022 10:20:29 -0700 (PDT) Message-ID: <2f9b0046-f27a-c6c3-2d91-eb438f53f6a4@gmail.com> Date: Tue, 5 Apr 2022 19:20:28 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH] Bluetooth: use hdev lock for accept_list and reject_list in conn req Content-Language: en-US To: Marcel Holtmann Cc: linux-bluetooth@vger.kernel.org, Johan Hedberg , Luiz Augusto von Dentz References: <20220404003403.35690-1-dossche.niels@gmail.com> <2F8732A2-FED9-4649-8F9D-680536E94D34@holtmann.org> From: Niels Dossche In-Reply-To: <2F8732A2-FED9-4649-8F9D-680536E94D34@holtmann.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org On 05/04/2022 19:18, Marcel Holtmann wrote: > Hi Niels, > >> All accesses (both read and modifications) to >> hdev->{accept,reject}_list are protected by hdev lock, >> except the ones in hci_conn_request_evt. This can cause a race condition >> in the form of a list corruption. >> The solution is to protect these lists in hci_conn_request_evt as well. >> >> I was unable to find the exact commit that introduced the issue for the >> reject list, I was only able to find it for the accept list. >> >> Note: >> I am currently working on a static analyser to detect missing locks >> using type-based static analysis as my master's thesis >> in order to obtain my master's degree. >> If you would like to have more details, please let me know. >> This was a reported case. I manually verified the report by looking >> at the code, so that I do not send wrong information or patches. >> After concluding that this seems to be a true positive, I created >> this patch. I have both compile-tested this patch and runtime-tested >> this patch on x86_64. The effect on a running system could be a >> potential race condition in exceptional cases. >> This issue was found on Linux v5.17.1. > > this doesn’t belong in the commit message. Hi Marcel I'll remove it from the commit message. I can write it in below the --- in the future such that it won't be included. > >> >> Fixes: a55bd29d5227 ("Bluetooth: Add white list lookup for incoming connection requests") >> Signed-off-by: Niels Dossche >> --- >> net/bluetooth/hci_event.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c >> index abaabfae19cc..b9038f24f46f 100644 >> --- a/net/bluetooth/hci_event.c >> +++ b/net/bluetooth/hci_event.c >> @@ -3222,8 +3222,11 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data, >> return; >> } >> >> + hci_dev_lock(hdev); >> + >> if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, >> BDADDR_BREDR)) { >> + hci_dev_unlock(hdev); >> hci_reject_conn(hdev, &ev->bdaddr); >> return; >> } >> @@ -3236,14 +3239,13 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data, >> !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && >> !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, >> BDADDR_BREDR)) { >> + hci_dev_unlock(hdev); >> hci_reject_conn(hdev, &ev->bdaddr); >> return; >> } > > Can we use an exit goto-label instead. I am not a big fan of "unbalanced” _unlock statements. I'll make a v2 and send it. > >> /* Connection accepted */ >> >> - hci_dev_lock(hdev); >> - >> ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); >> if (ie) >> memcpy(ie->data.dev_class, ev->dev_class, 3); > > Regards > > Marcel > Thanks Niels