Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1057010iob;
        Fri, 13 May 2022 21:25:15 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJydM544XPsu+9qHNNF89toh1lzCR4XhLnmd9hWLuAFPutQ8e49ZNTZ2C9M4ACx+wwyT9+Tn
X-Received: by 2002:a5d:6586:0:b0:20a:ece0:9062 with SMTP id q6-20020a5d6586000000b0020aece09062mr6321329wru.446.1652502315322;
        Fri, 13 May 2022 21:25:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1652502315; cv=none;
        d=google.com; s=arc-20160816;
        b=YbCUIjgbRc4Gu/QxWPhfpUS/3okqJ6sTOFelNgSPWr0WCH9aVpzkoqs2i+BWp6TD/V
         653ahuqt/wZTeclTdc6WFFcm7mivMvrJzyPoXlg56zD038/mUYgxLDfsyByD+8Qu72Pp
         M0zoNND+ZaGYxkHx0hHmuv8+rPbJp2aVLAElC+8dUp20BDqeTXADZVeCwD1s3Gw1Z0G1
         PdgmFECgkEvznMzfhchBbX9T9k8G/eoy2zX6NY2TCS/b4tSFHOav4tqunCTxdfhrRvXu
         E3TYL++yhgxg2EJgGTASfBc8u9tmkWOmMxwNywNocSz2gFljIexcthlh4PXh1S9hu+fB
         gmAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=TDw2EF76bFWlKcTGV1GJw+KjAOlIdVUgMjVyObR6IxQ=;
        b=0zOYDUx5fp+PPUuYWaPie1ulQA2Sx/XGzoKEmlFGMoZOd9ZP4YnT4lYk0Vrp07l/2e
         PpnWpAkMBNqMPhsG5rY9yWufQs3iOxn+1FqWgTZdsooYD2SmMepgsyvBauUQQTX/nSWk
         qAO43YhkwuVDl2Spm2uflXb8U1bSHl5u9sLNXIBm7qc3Qu73Rb3XRBv366E/ULGsPsoR
         NDkbNFNH7dS8y5LLlbBVVT7E2MeZRcamp0cxoAMz6wS8SoLXM6PPzUiAJkwB5D5QFteS
         mk4m2N/WD3qpt4J4YkaNERdE8xKrW6viitrDbtraUSu/v8JaLMoOgRlhlJRPUnV7ZtEy
         2n/Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=m2IJNQSq;
       spf=softfail (google.com: domain of transitioning linux-bluetooth-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id n1-20020a5d5981000000b0020c613fe308si4111828wri.56.2022.05.13.21.25.14
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 13 May 2022 21:25:15 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning linux-bluetooth-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=m2IJNQSq;
       spf=softfail (google.com: domain of transitioning linux-bluetooth-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id E7C6D3660EB;
	Fri, 13 May 2022 18:01:46 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229453AbiENBBq (ORCPT <rfc822;cyrozap@gmail.com> + 99 others);
        Fri, 13 May 2022 21:01:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53808 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229436AbiENBBo (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Fri, 13 May 2022 21:01:44 -0400
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3C08934219C
        for <linux-bluetooth@vger.kernel.org>; Fri, 13 May 2022 17:37:37 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id v66so12078855oib.3
        for <linux-bluetooth@vger.kernel.org>; Fri, 13 May 2022 17:37:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=TDw2EF76bFWlKcTGV1GJw+KjAOlIdVUgMjVyObR6IxQ=;
        b=m2IJNQSqV8ZtytcWwjcL8T+UFI2hCAn+ImvKgKrwV7KnLjRwyS6sJeLkQITZNRgst9
         FXp9FfKuWgv99fqIbj4JVJY2xLQSeBv+Wq4aaPPl0+WH6pvyVvi+pbAm2bFsOqa3Ub3O
         OfDUL70xfoep22Bbb49T+qXvvb9IQJGgi9LYeH9eEjlAPBtvgz56fDalW74xpN+W5PYF
         mX7VTPvTrtHD0s/2mTZSCaeK4aIgp6Nf4/gmR/1gaA2BDkX9yNOL3T3XZYRv5C3yAvsZ
         XkKgkYMBAS4y2DXPhtWcmiCm7BQCkO7udpk/SBtJ6aDGgRomsCjNxszzvrLrTD2kRqvQ
         j3pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=TDw2EF76bFWlKcTGV1GJw+KjAOlIdVUgMjVyObR6IxQ=;
        b=RJ8MYcLN3QPW5MhjxS0Xe/INKgKJyCIuoLaXlrAfwZoACC0jgXpP8Of17XJqS3I7HT
         vmHLM6OlVpVMCHGqWFMpt488it3+OG2xrsvYVqbzMPJWAVYFYbDd8sh+e8G+JOVBaAoR
         JntfoA+KLGp5OSPgcVgu4CxpPHnBTsKa2NIl6ggzrAzYNBiJkYi5WdbWfEoLYuGHSt3s
         VL8A628gaqWY2kKNiBtixMctYuzPu1KhAmacaJ/HkfYEnLzdbtvJ6J8RXh15vc3TrkmN
         v1X5OFfuGlcfu2Ey/pAImuKUxM/PUJIRt894EhBcBcgdXqXQQHH4tbpaJNcnMjti9td9
         bPvg==
X-Gm-Message-State: AOAM5303EpiwXpbe5jzGJrTohRaDZ2qsZXUs/Y5WNs1FBGTpoEqtezom
        XTxbBTxhBRzbYYo30w3foXaXD7EvuftMRuysbG+M13CU
X-Received: by 2002:a17:90b:4b83:b0:1dc:4cc8:16d9 with SMTP id
 lr3-20020a17090b4b8300b001dc4cc816d9mr7395293pjb.4.1652486277357; Fri, 13 May
 2022 16:57:57 -0700 (PDT)
MIME-Version: 1.0
References: <a1ce1743-e450-6cdb-dfab-56a3e3eb9aed@pengutronix.de>
 <CABBYNZ+z8kBUKGXbZSfb0ynJaTnPQRp0wFDUb12AW1ymbNx1eg@mail.gmail.com> <CABBYNZ+zsuggTpaUSPsZKeL=qqvM1=sgMWzdWEqaS_oh6dhY2g@mail.gmail.com>
In-Reply-To: <CABBYNZ+zsuggTpaUSPsZKeL=qqvM1=sgMWzdWEqaS_oh6dhY2g@mail.gmail.com>
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Date:   Fri, 13 May 2022 16:57:45 -0700
Message-ID: <CABBYNZJHOyv-z31hNWBJ_fd=CX-S6J_GQyOquO-TEiLWAEoS+A@mail.gmail.com>
Subject: Re: [BUG] BLE device unpairing triggers kernel panic
To:     Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc:     "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>,
        Marcel Holtmann <marcel@holtmann.org>,
        Pengutronix Kernel Team <kernel@pengutronix.de>,
        "regressions@lists.linux.dev" <regressions@lists.linux.dev>,
        Tedd Ho-Jeong An <hj.tedd.an@gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Tedd,

On Fri, May 13, 2022 at 4:52 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Ahmad,
>
> On Fri, May 13, 2022 at 1:14 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Ahmad,
> >
> > On Fri, May 13, 2022 at 7:10 AM Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
> > >
> > > Hello,
> > >
> > > On Linux v5.18-rc5, I can reliably crash the kernel on the second (un)pairing
> > > with a customer's BLE device. I have bisected the issue and found two commits:
> > >
> > > - Commit 6cd29ec6ae5e ("Bluetooth: hci_sync: Wait for proper events when
> > >   connecting LE") causes previously working pairing to time out, presumably
> > >   because it keeps waiting for the wrong event.
> >
> > Can you describe in more details what is the second pairing, are you
> > pairing 2 devices concurrently? I recall someone for nxp having
> > similar problem, at least the traces look pretty similar, the problem
> > seems to be the expected event don't match the event the controller
> > send, in this case hci_le_enh_conn_complete_evt, so hci_event process
> > it and frees the hci_conn instead of first running the callback.
>
> Looks like my memory failed me on this one, the sync callback is run
> last so we shouldn't cleanup the hci_conn at that point, perhaps
> something like the following should fix the crash:
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 0270e597c285..c1634af670b8 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -5632,10 +5632,8 @@ static void le_conn_complete_evt(struct hci_dev
> *hdev, u8 status,
>                 status = HCI_ERROR_INVALID_PARAMETERS;
>         }
>
> -       if (status) {
> -               hci_conn_failed(conn, status);
> +       if (status)
>                 goto unlock;
> -       }
>
>         if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
>                 addr_type = BDADDR_LE_PUBLIC;
>
> > > - Commit a56a1138cbd8 ("Bluetooth: hci_sync: Fix not using conn_timeout")
> > >   fixes, despite the title, what event is waited on. First Pairing works now,
> > >   but the second pairing times out and crashes the kernel:
> > >
> > >   [   84.191684] Bluetooth: hci0: Opcode 0x200d failed: -110
> > >   [   84.230478] Bluetooth: hci0: request failed to create LE connection: err -110
> > >   [   84.237690] Unable to handle kernel read from unreadable memory at virtual address 0000000000000ca8
>
> That said the error -110 mean -ETIMEDOUT

We might want to incorporate some test to the likes of mgmt-tester to
check this behavior, afaik the crash can be triggered by just causing
a le_conn_complete event with status != 0 which perhaps we need to
extend bthost.c to be able to reject connections.

>
>
> --
> Luiz Augusto von Dentz



-- 
Luiz Augusto von Dentz