From: Luiz Augusto von Dentz
Date: Mon, 26 Sep 2022 15:40:15 -0700
Subject: Re: [PATCH] Bluetooth: L2CAP: fix an illegal state transition from BT_DISCONN
To: Sungwoo Kim
Cc: davem@davemloft.net, edumazet@google.com, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org, pabeni@redhat.com, syzkaller@googlegroups.com
In-Reply-To: <20220926220212.3170191-1-iam@sung-woo.kim>
References: <20220926220212.3170191-1-iam@sung-woo.kim>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Kim,

On Mon, Sep 26, 2022 at 3:06 PM Sungwoo Kim wrote:
>
> Signed-off-by: Sungwoo Kim
> ---
>  net/bluetooth/l2cap_core.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c > index 2c9de67da..029de9f35 100644 > --- a/net/bluetooth/l2cap_core.c > +++ b/net/bluetooth/l2cap_core.c > @@ -4294,13 +4294,13 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, > mutex_lock(&conn->chan_lock); > > if (scid) { > - chan = __l2cap_get_chan_by_scid(conn, scid); > + chan = l2cap_get_chan_by_scid(conn, scid); > if (!chan) { > err = -EBADSLT; > goto unlock; > } > } else { > - chan = __l2cap_get_chan_by_ident(conn, cmd->ident); > + chan = l2cap_get_chan_by_ident(conn, cmd->ident); > if (!chan) { > err = -EBADSLT; > goto unlock; > @@ -4336,6 +4336,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, > } > > l2cap_chan_unlock(chan); > + l2cap_chan_put(chan); > > unlock: > mutex_unlock(&conn->chan_lock); > -- > 2.25.1 Not quite right, we cannot lock conn->chan_lock since the likes of l2cap_get_chan_by_scid will also attempt to lock it: diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 770891f68703..4726d8979276 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4293,26 +4293,18 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status); - mutex_lock(&conn->chan_lock); - if (scid) { - chan = __l2cap_get_chan_by_scid(conn, scid); - if (!chan) { - err = -EBADSLT; - goto unlock; - } + chan = l2cap_get_chan_by_scid(conn, scid); + if (!chan) + return -EBADSLT; } else { - chan = __l2cap_get_chan_by_ident(conn, cmd->ident); - if (!chan) { - err = -EBADSLT; - goto unlock; - } + chan = l2cap_get_chan_by_ident(conn, cmd->ident); + if (!chan) + return -EBADSLT; } err = 0; - l2cap_chan_lock(chan); - switch (result) { case L2CAP_CR_SUCCESS: l2cap_state_change(chan, BT_CONFIG); 
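Review bot: dropping the outer mutex_lock(&conn->chan_lock) before the lookup is the part of this hunk that must not be left out, since l2cap_get_chan_by_scid() and l2cap_get_chan_by_ident() take conn->chan_lock themselves and the kernel mutex is not recursive; the quoted patch above kept the outer lock around the new getters, which self-deadlocks on the first connect response it handles. Removing `l2cap_chan_lock(chan);` is needed for the same reason: the getters hand back the channel already locked, which is why the matching `l2cap_chan_unlock(chan);` further down survives, and the quoted patch kept that second lock as well. The early `return -EBADSLT;` paths are fine now that nothing is held at that point, but the remaining `err = 0;` is then the only assignment to err in the function, so the variable could go.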
@@ -4338,9 +4330,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, } l2cap_chan_unlock(chan); - -unlock: - mutex_unlock(&conn->chan_lock); + l2cap_chan_put(chan); return err; } -- Luiz Augusto von Dentz
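Review bot: with the `unlock:` label gone, `return err;` can only ever return 0, so the local can be dropped and the function can `return 0;` directly. The order `l2cap_chan_unlock(chan);` then `l2cap_chan_put(chan);` is the right one: the put releases the reference taken by the getter, may be the last one, and the channel must not be touched after it. The commit message of the final version should also state why the plain `__l2cap_get_chan_by_*` lookups were unsafe here (a response being processed for a channel already in BT_DISCONN, per the subject) and carry the syzkaller report reference if one exists, since the quoted submission had no description beyond the Signed-off-by.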
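The locking point Luiz makes above, as an added userspace C model (example code written for this page, not code from the thread or from net/bluetooth). Everything in it is a stand-in: `struct conn`, `struct chan`, `get_chan_by_scid()`, `chan_put()` and the two sample channels are constructed for the demo, and pthread ERRORCHECK mutexes replace the kernel mutex so that a recursive acquire returns EDEADLK instead of hanging the way the kernel would. The refcount-zero channel models a getter that refuses to hand out a channel whose last reference is already gone; that this is why the holding getters are used in the fix is my reading, not something the page states.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifndef EBADSLT
#define EBADSLT 57 /* Linux value; not every libc defines it */
#endif

/* Hypothetical stand-ins for l2cap_conn / l2cap_chan, reduced to the two
 * locks and the refcount the thread is about (constructed, not kernel code). */
struct chan {
	unsigned int scid;
	int refcnt;            /* 0 models a channel already on its way to being freed */
	pthread_mutex_t lock;  /* models chan->lock */
};

struct conn {
	pthread_mutex_t chan_lock; /* models conn->chan_lock */
	struct chan *chans;
	size_t nchans;
};

/* ERRORCHECK mutexes report a recursive lock as EDEADLK instead of hanging. */
static void errorcheck_init(pthread_mutex_t *m)
{
	pthread_mutexattr_t a;
	pthread_mutexattr_init(&a);
	pthread_mutexattr_settype(&a, PTHREAD_MUTEX_ERRORCHECK);
	pthread_mutex_init(m, &a);
	pthread_mutexattr_destroy(&a);
}

/* Plain lookup, caller must hold conn->chan_lock; no ref, no channel lock. */
static struct chan *lookup_scid_locked(struct conn *c, unsigned int scid)
{
	for (size_t i = 0; i < c->nchans; i++)
		if (c->chans[i].scid == scid)
			return &c->chans[i];
	return NULL;
}

/* Locking lookup: takes conn->chan_lock itself, refuses a channel whose
 * refcount is already zero, otherwise takes a ref and returns it locked.
 * *lock_err receives the errno from taking chan_lock (EDEADLK if the caller
 * already held it, which is the bug in the first patch of the thread). */
static struct chan *get_chan_by_scid(struct conn *c, unsigned int scid, int *lock_err)
{
	struct chan *ch;

	*lock_err = pthread_mutex_lock(&c->chan_lock);
	if (*lock_err)
		return NULL;
	ch = lookup_scid_locked(c, scid);
	if (ch && ch->refcnt == 0)
		ch = NULL;                 /* do not resurrect a dying channel */
	if (ch) {
		ch->refcnt++;
		pthread_mutex_lock(&ch->lock);
	}
	pthread_mutex_unlock(&c->chan_lock);
	return ch;
}

static void chan_put(struct chan *ch) { ch->refcnt--; } /* kernel frees at zero */

/* First patch's sequence: outer chan_lock kept around the locking getter.
 * The model returns -EDEADLK; the kernel would simply deadlock here. */
static int connect_rsp_outer_lock(struct conn *c, unsigned int scid)
{
	int lock_err;
	pthread_mutex_lock(&c->chan_lock);
	struct chan *ch = get_chan_by_scid(c, scid, &lock_err);
	pthread_mutex_unlock(&c->chan_lock);
	if (!ch)
		return lock_err ? -lock_err : -EBADSLT;
	pthread_mutex_unlock(&ch->lock);
	chan_put(ch);
	return 0;
}

/* Reply's sequence: no outer lock, getter returns the channel held and
 * locked, unlock strictly before the put that may drop the last reference. */
static int connect_rsp_getter_only(struct conn *c, unsigned int scid)
{
	int lock_err;
	struct chan *ch = get_chan_by_scid(c, scid, &lock_err);
	if (!ch)
		return -EBADSLT;
	/* the state change on the channel would happen here, under ch->lock */
	pthread_mutex_unlock(&ch->lock);
	chan_put(ch);
	return 0;
}

/* Constructed sample: scid 0x0040 is live, scid 0x0041 is mid-teardown. */
static struct conn *sample_conn(void)
{
	static struct chan chans[2];
	static struct conn c;
	static bool ready;
	if (!ready) {
		errorcheck_init(&c.chan_lock);
		chans[0].scid = 0x0040; chans[0].refcnt = 1; errorcheck_init(&chans[0].lock);
		chans[1].scid = 0x0041; chans[1].refcnt = 0; errorcheck_init(&chans[1].lock);
		c.chans = chans; c.nchans = 2; ready = true;
	}
	return &c;
}

static int refcnt_of(struct conn *c, unsigned int scid) /* inspection only */
{
	struct chan *ch = lookup_scid_locked(c, scid);
	return ch ? ch->refcnt : -1;
}

int main(void)
{
	struct conn *c = sample_conn();
	printf("outer lock + getter, live chan: %d\n", connect_rsp_outer_lock(c, 0x0040));
	printf("getter only, live chan:         %d\n", connect_rsp_getter_only(c, 0x0040));
	printf("getter only, dying chan:        %d\n", connect_rsp_getter_only(c, 0x0041));
	printf("getter only, unknown scid:      %d\n", connect_rsp_getter_only(c, 0x0099));
	printf("live chan refcount afterwards:  %d\n", refcnt_of(c, 0x0040));
	return 0;
}
```

The model keeps the one ordering rule the reply's patch relies on: the channel lock is released before `chan_put()`, because the put can be the last reference and the channel must not be touched afterwards. The dying-channel case shows what the plain `lookup_scid_locked()` would have handed back and the holding getter does not.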