diff mbox series

Bluetooth: hidp: use correct wait queue when removing ctrl_wait

Message ID 20201017111544.2838773-1-omidtbo@cisco.com (mailing list archive)
State New, archived
Headers show
Series Bluetooth: hidp: use correct wait queue when removing ctrl_wait | expand

Commit Message

Ole Bjørn Midtbø Oct. 17, 2020, 11:15 a.m. UTC
A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [<ffffffc000443f78>] __list_add+0x38/0xb0
 [<ffffffc0000f0d04>] add_wait_queue+0x4c/0x68
 [<ffffffc00020eecc>] __pollwait+0xec/0x100
 [<ffffffc000d1556c>] bt_sock_poll+0x74/0x200
 [<ffffffc000bdb8a8>] sock_poll+0x110/0x128
 [<ffffffc000210378>] do_sys_poll+0x220/0x480
 [<ffffffc0002106f0>] SyS_poll+0x80/0x138
 [<ffffffc00008510c>] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [<ffffffc0000f079c>] __wake_up_common+0x7c/0xa8
  [<ffffffc0000f0818>] __wake_up+0x50/0x70
  [<ffffffc000be11b0>] sock_def_wakeup+0x58/0x60
  [<ffffffc000de5e10>] l2cap_sock_teardown_cb+0x200/0x224
  [<ffffffc000d3f2ac>] l2cap_chan_del+0xa4/0x298
  [<ffffffc000d45ea0>] l2cap_conn_del+0x118/0x198
  [<ffffffc000d45f8c>] l2cap_disconn_cfm+0x6c/0x78
  [<ffffffc000d29934>] hci_event_packet+0x564/0x2e30
  [<ffffffc000d19b0c>] hci_rx_work+0x10c/0x360
  [<ffffffc0000c2218>] process_one_work+0x268/0x460
  [<ffffffc0000c2678>] worker_thread+0x268/0x480
  [<ffffffc0000c94e0>] kthread+0x118/0x128
  [<ffffffc000085070>] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø <omidtbo@cisco.com>
---
 net/bluetooth/hidp/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marcel Holtmann Nov. 9, 2020, 1:03 p.m. UTC | #1
Hi Ole,

> A different wait queue was used when removing ctrl_wait than when adding
> it. This effectively made the remove operation without locking compared
> to other operations on the wait queue ctrl_wait was part of. This caused
> issues like below where dead000000000100 is LIST_POISON1 and
> dead000000000200 is LIST_POISON2.
> 
> list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \
> 	but was dead000000000200. (next=ffffffc03ac77de0).
> ------------[ cut here ]------------
> CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
> ...
> ---[ end trace 0adc2158f0646eac ]---
> Call trace:
> [<ffffffc000443f78>] __list_add+0x38/0xb0
> [<ffffffc0000f0d04>] add_wait_queue+0x4c/0x68
> [<ffffffc00020eecc>] __pollwait+0xec/0x100
> [<ffffffc000d1556c>] bt_sock_poll+0x74/0x200
> [<ffffffc000bdb8a8>] sock_poll+0x110/0x128
> [<ffffffc000210378>] do_sys_poll+0x220/0x480
> [<ffffffc0002106f0>] SyS_poll+0x80/0x138
> [<ffffffc00008510c>] __sys_trace_return+0x0/0x4
> 
> Unable to handle kernel paging request at virtual address dead000000000100
> ...
> CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
> ...
> Call trace:
>  [<ffffffc0000f079c>] __wake_up_common+0x7c/0xa8
>  [<ffffffc0000f0818>] __wake_up+0x50/0x70
>  [<ffffffc000be11b0>] sock_def_wakeup+0x58/0x60
>  [<ffffffc000de5e10>] l2cap_sock_teardown_cb+0x200/0x224
>  [<ffffffc000d3f2ac>] l2cap_chan_del+0xa4/0x298
>  [<ffffffc000d45ea0>] l2cap_conn_del+0x118/0x198
>  [<ffffffc000d45f8c>] l2cap_disconn_cfm+0x6c/0x78
>  [<ffffffc000d29934>] hci_event_packet+0x564/0x2e30
>  [<ffffffc000d19b0c>] hci_rx_work+0x10c/0x360
>  [<ffffffc0000c2218>] process_one_work+0x268/0x460
>  [<ffffffc0000c2678>] worker_thread+0x268/0x480
>  [<ffffffc0000c94e0>] kthread+0x118/0x128
>  [<ffffffc000085070>] ret_from_fork+0x10/0x20
>  ---[ end trace 0adc2158f0646ead ]---
> 
> Signed-off-by: Ole Bjørn Midtbø <omidtbo@cisco.com>
> ---
> net/bluetooth/hidp/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel
diff mbox series

Patch

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index bef84b95e2c4..ac98e3b37ab4 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -1290,7 +1290,7 @@  static int hidp_session_thread(void *arg)
 
 	/* cleanup runtime environment */
 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
-	remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
+	remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
 	wake_up_interruptible(&session->report_queue);
 	hidp_del_timer(session);