From: David Laight
To: 'Gui-Dong Han' <2045gemini@gmail.com>, "marcel@holtmann.org", "johan.hedberg@gmail.com", "luiz.dentz@gmail.com"
CC: "linux-bluetooth@vger.kernel.org", "linux-kernel@vger.kernel.org", "baijiaju1990@outlook.com", "stable@vger.kernel.org", BassCheck
Subject: RE: [PATCH] Bluetooth: Fix atomicity violation in {conn,adv}_{min,max}_interval_set
Date: Fri, 22 Dec 2023 11:41:09 +0000
Message-ID: <0565eabbd25141fab9f3206db4e86196@AcuMS.aculab.com>
References: <20231222105526.9208-1-2045gemini@gmail.com>
In-Reply-To: <20231222105526.9208-1-2045gemini@gmail.com>

From: Gui-Dong Han
> Sent: 22 December 2023 10:55
>
> In {conn,adv}_min_interval_set():
> 	if (val < ... || val > ... || val > hdev->le_{conn,adv}_max_interval)
> 		return -EINVAL;
> 	hci_dev_lock(hdev);
> 	hdev->le_{conn,adv}_min_interval = val;
> 	hci_dev_unlock(hdev);
>
> In {conn,adv}_max_interval_set():
> 	if (val < ... || val > ... || val < hdev->le_{conn,adv}_min_interval)
> 		return -EINVAL;
> 	hci_dev_lock(hdev);
> 	hdev->le_{conn,adv}_max_interval
> 	hci_dev_unlock(hdev);
>
> The atomicity violation occurs due to concurrent execution of set_min and
> set_max funcs which may lead to inconsistent reads and writes of the min
> value and the max value. The checks for value validity are ineffective as
> the min/max values could change immediately after being checked, raising
> the risk of the min value being greater than the max value and causing
> invalid settings.
>
> This possible bug is found by an experimental static analysis tool
> developed by our team, BassCheck[1]. This tool analyzes the locking APIs
> to extract function pairs that can be concurrently executed, and then
> analyzes the instructions in the paired functions to identify possible
> concurrency bugs including data races and atomicity violations. The above
> possible bug is reported when our tool analyzes the source code of
> Linux 5.17.

Your static analysis tool is basically broken.
The only possible issues are if the accesses aren't atomic.
In practise they always will be but using READ_ONCE() and WRITE_ONCE()
would make that certain.

The lock sequence:
> 	hci_dev_lock(hdev);
> 	hdev->le_conn_min_interval = val;
> 	hci_dev_unlock(hdev);
is pretty pointless - it doesn't 'lock' two+ things together.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
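To make the point under discussion concrete, here is an added userspace model (not code from the patch, the thread, or the kernel) that replays the check-then-store sequence quoted above beside the alternative of running the range check under the same lock as the store. It assumes a constructed `struct dev`, a pthread mutex standing in for `hci_dev_lock()`/`hci_dev_unlock()`, an `is_min` flag selecting the setter, and the `RANGE_OK`/`FIELD` macros; the replays are serialized, so no real thread scheduling is involved.

```c
#include <errno.h>
#include <pthread.h>

/* Constructed userspace model of the quoted setters (added illustration, not
 * kernel code): a pthread mutex stands in for hci_dev_lock()/hci_dev_unlock(),
 * is_min selects the setter, and RANGE_OK is the patch's validity check (new
 * min <= current max, new max >= current min). Replays run serialized. */
struct dev {
	pthread_mutex_t lock;
	unsigned int le_conn_min_interval, le_conn_max_interval;
};
#define RANGE_OK(d, is_min, val) ((is_min) ? (val) <= (d)->le_conn_max_interval \
					   : (val) >= (d)->le_conn_min_interval)
#define FIELD(d, is_min) \
	(*((is_min) ? &(d)->le_conn_min_interval : &(d)->le_conn_max_interval))

/* Interleaving of the shape quoted in the patch: both setters pass their check
 * against the old bounds (min 10, max 20) BEFORE taking the lock, then each
 * takes the lock only around its own store, leaving min 15 > max 12.
 * Returns 1 when that broken state is reached. */
int replay_racy(void)
{
	struct dev d = { PTHREAD_MUTEX_INITIALIZER, 10, 20 };
	if (!RANGE_OK(&d, 1, 15) || !RANGE_OK(&d, 0, 12))
		return 0;                       /* would be -EINVAL in the setter */
	pthread_mutex_lock(&d.lock); FIELD(&d, 1) = 15; pthread_mutex_unlock(&d.lock);
	pthread_mutex_lock(&d.lock); FIELD(&d, 0) = 12; pthread_mutex_unlock(&d.lock);
	return d.le_conn_min_interval > d.le_conn_max_interval;
}

/* Alternative shape: check and store under the same lock, so the comparison
 * cannot go stale before the write lands. */
static int set_under_lock(struct dev *d, int is_min, unsigned int val)
{
	int ret = -EINVAL;
	pthread_mutex_lock(&d->lock);
	if (RANGE_OK(d, is_min, val))
		FIELD(d, is_min) = val, ret = 0;
	pthread_mutex_unlock(&d->lock);
	return ret;
}

/* Same values, same order: the second call now sees min 15, gets -EINVAL, and
 * min <= max survives. Returns 1 on exactly that outcome. */
int replay_locked(void)
{
	struct dev d = { PTHREAD_MUTEX_INITIALIZER, 10, 20 };
	int a = set_under_lock(&d, 1, 15), b = set_under_lock(&d, 0, 12);
	return a == 0 && b == -EINVAL && d.le_conn_min_interval <= d.le_conn_max_interval;
}
```

Whether the window matters in the real driver depends on whether two debugfs writers can actually interleave there; the model only shows what the quoted ordering permits and what moving the check under the lock rules out.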