Message ID | a1db0c90-1803-e01c-3e23-d18e4343a4eb@salutedevices.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | [v1] Bluetooth: hci_uart: fix race during initialization | expand |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/SubjectPrefix | success | Gitlint PASS |
tedd_an/BuildKernel | success | BuildKernel PASS |
tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
tedd_an/CheckSparse | success | CheckSparse PASS |
tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
tedd_an/TestRunner_iso-tester | fail | TestRunner_iso-tester: WARNING: possible circular locking dependency detected |
tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
tedd_an/TestRunner_mgmt-tester | success | TestRunner PASS |
tedd_an/TestRunner_rfcomm-tester | success | TestRunner PASS |
tedd_an/TestRunner_sco-tester | success | TestRunner PASS |
tedd_an/TestRunner_ioctl-tester | success | TestRunner PASS |
tedd_an/TestRunner_mesh-tester | fail | TestRunner_mesh-tester: WARNING: CPU: 0 PID: 33 at kernel/workqueue.c:2257 __queue_work+0x687/0xb40 |
tedd_an/TestRunner_smp-tester | success | TestRunner PASS |
tedd_an/TestRunner_userchan-tester | success | TestRunner PASS |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=912808

---Test result---

Test Summary:
CheckPatch                    PENDING    0.28 seconds
GitLint                       PENDING    0.25 seconds
SubjectPrefix                 PASS       0.09 seconds
BuildKernel                   PASS       24.87 seconds
CheckAllWarning               PASS       27.04 seconds
CheckSparse                   PASS       30.44 seconds
BuildKernel32                 PASS       24.55 seconds
TestRunnerSetup               PASS       435.17 seconds
TestRunner_l2cap-tester       PASS       20.15 seconds
TestRunner_iso-tester         FAIL       28.03 seconds
TestRunner_bnep-tester        PASS       4.81 seconds
TestRunner_mgmt-tester        PASS       122.28 seconds
TestRunner_rfcomm-tester      PASS       7.51 seconds
TestRunner_sco-tester         PASS       9.32 seconds
TestRunner_ioctl-tester       PASS       8.01 seconds
TestRunner_mesh-tester        FAIL       8.07 seconds
TestRunner_smp-tester         PASS       7.44 seconds
TestRunner_userchan-tester    PASS       5.00 seconds
IncrementalBuild              PENDING    0.46 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
Total: 124, Passed: 120 (96.8%), Failed: 0, Not Run: 4

##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76c/0x7d0
WARNING: CPU: 0 PID: 33 at kernel/workqueue.c:2257 __queue_work+0x687/0xb40
Total: 10, Passed: 9 (90.0%), Failed: 1, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Failed       0.103 seconds

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth
Hi, sorry, pls ping Thanks On 27.11.2024 15:38, Arseniy Krasnov wrote: > 'hci_register_dev()' calls power up function, which is executed by > kworker - 'hci_power_on()'. This function does access to bluetooth chip > using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'. > Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and > if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after > 'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will > be executed before setting this bit. In that case HCI init logic fails. > > Patch adds one more bit in addition to 'HCI_UART_PROTO_READY' which > allows to perform power up logic without original bit set. > > Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com> > --- > drivers/bluetooth/hci_ldisc.c | 19 ++++++++++++++----- > drivers/bluetooth/hci_uart.h | 1 + > 2 files changed, 15 insertions(+), 5 deletions(-) > > diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c > index 30192bb083549..2e20f00649bd7 100644 > --- a/drivers/bluetooth/hci_ldisc.c > +++ b/drivers/bluetooth/hci_ldisc.c > @@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_dequeue(struct hci_uart *hu) > if (!skb) { > percpu_down_read(&hu->proto_lock); > > - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) > + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || > + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) > skb = hu->proto->dequeue(hu); > > percpu_up_read(&hu->proto_lock); > @@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *hu) > if (!percpu_down_read_trylock(&hu->proto_lock)) > return 0; > > - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) > + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && > + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) > goto no_schedule; > > set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); 
> @@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb) > > percpu_down_read(&hu->proto_lock); > > - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { > + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && > + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { > percpu_up_read(&hu->proto_lock); > return -EUNATCH; > } > @@ -582,7 +585,8 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty) > if (tty != hu->tty) > return; > > - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) > + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || > + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) > hci_uart_tx_wakeup(hu); > } > > @@ -608,7 +612,8 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, > > percpu_down_read(&hu->proto_lock); > > - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { > + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && > + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { > percpu_up_read(&hu->proto_lock); > return; > } > @@ -704,12 +709,16 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) > > hu->proto = p; > > + set_bit(HCI_UART_PROTO_INIT, &hu->flags); > + > err = hci_uart_register_dev(hu); > if (err) { > return err; > } > > set_bit(HCI_UART_PROTO_READY, &hu->flags); > + clear_bit(HCI_UART_PROTO_INIT, &hu->flags); > + > return 0; > } > > diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h > index 00bf7ae82c5b7..39f39704be41f 100644 > --- a/drivers/bluetooth/hci_uart.h > +++ b/drivers/bluetooth/hci_uart.h > @@ -89,6 +89,7 @@ struct hci_uart { > #define HCI_UART_REGISTERED 1 > #define HCI_UART_PROTO_READY 2 > #define HCI_UART_NO_SUSPEND_NOTIFIER 3 > +#define HCI_UART_PROTO_INIT 4 > > /* TX states */ > #define HCI_UART_SENDING 1
Hi Arseniy, On Wed, Nov 27, 2024 at 7:38 AM Arseniy Krasnov <avkrasnov@salutedevices.com> wrote: > > 'hci_register_dev()' calls power up function, which is executed by > kworker - 'hci_power_on()'. This function does access to bluetooth chip > using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'. > Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and > if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after > 'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will > be executed before setting this bit. In that case HCI init logic fails. > > Patch adds one more bit in addition to 'HCI_UART_PROTO_READY' which > allows to perform power up logic without original bit set. > > Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com> > --- > drivers/bluetooth/hci_ldisc.c | 19 ++++++++++++++----- > drivers/bluetooth/hci_uart.h | 1 + > 2 files changed, 15 insertions(+), 5 deletions(-) > > diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c > index 30192bb083549..2e20f00649bd7 100644 > --- a/drivers/bluetooth/hci_ldisc.c > +++ b/drivers/bluetooth/hci_ldisc.c > @@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_dequeue(struct hci_uart *hu) > if (!skb) { > percpu_down_read(&hu->proto_lock); > > - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) > + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || > + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) > skb = hu->proto->dequeue(hu); > > percpu_up_read(&hu->proto_lock); > @@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *hu) > if (!percpu_down_read_trylock(&hu->proto_lock)) > return 0; > > - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) > + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && > + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) > goto no_schedule; > > set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); 
> @@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb) > > percpu_down_read(&hu->proto_lock); > > - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { > + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && > + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { > percpu_up_read(&hu->proto_lock); > return -EUNATCH; > } > @@ -582,7 +585,8 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty) > if (tty != hu->tty) > return; > > - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) > + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || > + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) > hci_uart_tx_wakeup(hu); > } > > @@ -608,7 +612,8 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, > > percpu_down_read(&hu->proto_lock); > > - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { > + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && > + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { > percpu_up_read(&hu->proto_lock); > return; > } > @@ -704,12 +709,16 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) > > hu->proto = p; > > + set_bit(HCI_UART_PROTO_INIT, &hu->flags); > + > err = hci_uart_register_dev(hu); > if (err) { > return err; > } > > set_bit(HCI_UART_PROTO_READY, &hu->flags); > + clear_bit(HCI_UART_PROTO_INIT, &hu->flags); This should be quite obvious, why don't you just move the HCI_UART_PROTO_READY above hci_uart_register_dev? > return 0; > } > > diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h > index 00bf7ae82c5b7..39f39704be41f 100644 > --- a/drivers/bluetooth/hci_uart.h > +++ b/drivers/bluetooth/hci_uart.h > @@ -89,6 +89,7 @@ struct hci_uart { > #define HCI_UART_REGISTERED 1 > #define HCI_UART_PROTO_READY 2 > #define HCI_UART_NO_SUSPEND_NOTIFIER 3 > +#define HCI_UART_PROTO_INIT 4 > > /* TX states */ > #define HCI_UART_SENDING 1 > -- > 2.30.1
On 16.12.2024 17:52, Luiz Augusto von Dentz wrote: > Hi Arseniy, > > On Wed, Nov 27, 2024 at 7:38 AM Arseniy Krasnov > <avkrasnov@salutedevices.com> wrote: >> >> 'hci_register_dev()' calls power up function, which is executed by >> kworker - 'hci_power_on()'. This function does access to bluetooth chip >> using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'. >> Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and >> if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after >> 'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will >> be executed before setting this bit. In that case HCI init logic fails. >> >> Patch adds one more bit in addition to 'HCI_UART_PROTO_READY' which >> allows to perform power up logic without original bit set. >> >> Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com> >> --- >> drivers/bluetooth/hci_ldisc.c | 19 ++++++++++++++----- >> drivers/bluetooth/hci_uart.h | 1 + >> 2 files changed, 15 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c >> index 30192bb083549..2e20f00649bd7 100644 >> --- a/drivers/bluetooth/hci_ldisc.c >> +++ b/drivers/bluetooth/hci_ldisc.c >> @@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_dequeue(struct hci_uart *hu) >> if (!skb) { >> percpu_down_read(&hu->proto_lock); >> >> - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) >> + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || >> + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) >> skb = hu->proto->dequeue(hu); >> >> percpu_up_read(&hu->proto_lock); >> @@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *hu) >> if (!percpu_down_read_trylock(&hu->proto_lock)) >> return 0; >> >> - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) >> + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && >> + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) >> goto no_schedule; >> >> set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); 
>> @@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb) >> >> percpu_down_read(&hu->proto_lock); >> >> - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { >> + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && >> + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { >> percpu_up_read(&hu->proto_lock); >> return -EUNATCH; >> } >> @@ -582,7 +585,8 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty) >> if (tty != hu->tty) >> return; >> >> - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) >> + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || >> + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) >> hci_uart_tx_wakeup(hu); >> } >> >> @@ -608,7 +612,8 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, >> >> percpu_down_read(&hu->proto_lock); >> >> - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { >> + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && >> + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { >> percpu_up_read(&hu->proto_lock); >> return; >> } >> @@ -704,12 +709,16 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) >> >> hu->proto = p; >> >> + set_bit(HCI_UART_PROTO_INIT, &hu->flags); >> + >> err = hci_uart_register_dev(hu); >> if (err) { >> return err; >> } >> >> set_bit(HCI_UART_PROTO_READY, &hu->flags); >> + clear_bit(HCI_UART_PROTO_INIT, &hu->flags); > > This should be quite obvious, why don't you just move the > HCI_UART_PROTO_READY above hci_uart_register_dev? > Hi, this is simplest way, but I had doubts that this may be so obvious because I don't have enough experience in bt logic. I'll send v2 with it. Thanks >> return 0; >> } >> >> diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h >> index 00bf7ae82c5b7..39f39704be41f 100644 >> --- a/drivers/bluetooth/hci_uart.h >> +++ b/drivers/bluetooth/hci_uart.h 
>> @@ -89,6 +89,7 @@ struct hci_uart { >> #define HCI_UART_REGISTERED 1 >> #define HCI_UART_PROTO_READY 2 >> #define HCI_UART_NO_SUSPEND_NOTIFIER 3 >> +#define HCI_UART_PROTO_INIT 4 >> >> /* TX states */ >> #define HCI_UART_SENDING 1 >> -- >> 2.30.1 > > >
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index 30192bb083549..2e20f00649bd7 100644 --- a/drivers/bluetooth/hci_ldisc.c +++ b/drivers/bluetooth/hci_ldisc.c @@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_dequeue(struct hci_uart *hu) if (!skb) { percpu_down_read(&hu->proto_lock); - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) skb = hu->proto->dequeue(hu); percpu_up_read(&hu->proto_lock); @@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *hu) if (!percpu_down_read_trylock(&hu->proto_lock)) return 0; - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) goto no_schedule; set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); @@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb) percpu_down_read(&hu->proto_lock); - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { percpu_up_read(&hu->proto_lock); return -EUNATCH; } @@ -582,7 +585,8 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty) if (tty != hu->tty) return; - if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) + if (test_bit(HCI_UART_PROTO_READY, &hu->flags) || + test_bit(HCI_UART_PROTO_INIT, &hu->flags)) hci_uart_tx_wakeup(hu); } @@ -608,7 +612,8 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, percpu_down_read(&hu->proto_lock); - if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) { + if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) && + !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) { percpu_up_read(&hu->proto_lock); return; } 
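Review bot: the same two-bit test, `test_bit(HCI_UART_PROTO_READY, &hu->flags) || test_bit(HCI_UART_PROTO_INIT, &hu->flags)` (or its negation), is now duplicated across hci_uart_dequeue(), hci_uart_tx_wakeup(), hci_uart_send_frame(), hci_uart_tty_wakeup() and hci_uart_tty_receive(); a single static inline helper in hci_ldisc.c that answers "is the proto usable" would keep the five sites in sync and document the intended state machine (INIT while registering, READY afterwards) in one place. Note also that the hci_uart_tty_receive() hunk opens the RX path to the proto's recv callback while only HCI_UART_PROTO_INIT is set, i.e. during hci_uart_register_dev(); that is needed for the power-on command responses, but it should be stated in the commit message that the proto callbacks are expected to be safe to call at that point.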
@@ -704,12 +709,16 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) hu->proto = p; + set_bit(HCI_UART_PROTO_INIT, &hu->flags); + err = hci_uart_register_dev(hu); if (err) { return err; } set_bit(HCI_UART_PROTO_READY, &hu->flags); + clear_bit(HCI_UART_PROTO_INIT, &hu->flags); + return 0; } diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h index 00bf7ae82c5b7..39f39704be41f 100644 --- a/drivers/bluetooth/hci_uart.h +++ b/drivers/bluetooth/hci_uart.h @@ -89,6 +89,7 @@ struct hci_uart { #define HCI_UART_REGISTERED 1 #define HCI_UART_PROTO_READY 2 #define HCI_UART_NO_SUSPEND_NOTIFIER 3 +#define HCI_UART_PROTO_INIT 4 /* TX states */ #define HCI_UART_SENDING 1
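Review bot: the error path in hci_uart_set_proto() leaves HCI_UART_PROTO_INIT set: `set_bit(HCI_UART_PROTO_INIT, &hu->flags);` runs before `err = hci_uart_register_dev(hu);`, but the `if (err) { return err; }` branch returns without the matching clear_bit(), so after a failed registration the TX and RX paths keep treating the proto as usable. Add `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);` before `return err;`. More fundamentally, as already raised in the thread, the race can be closed without a new flag by moving `set_bit(HCI_UART_PROTO_READY, &hu->flags);` above the hci_uart_register_dev() call, which also removes the need for the five changed call sites.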
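Review bot: in the hci_uart.h hunk, `#define HCI_UART_PROTO_INIT 4` introduces a flag whose lifetime is not obvious from its name and carries no comment, unlike a reader would expect for a transient state bit; a one-line comment stating that it is set only for the duration of hci_uart_register_dev() and cleared once HCI_UART_PROTO_READY is set would help the next person reading the flag list.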
'hci_register_dev()' calls the power up function, which is executed by
a kworker - 'hci_power_on()'. This function accesses the bluetooth chip
using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'.
Now 'hci_uart_send_frame()' checks that the 'HCI_UART_PROTO_READY' bit is set, and
if not - it fails. The problem is that 'HCI_UART_PROTO_READY' is set after
'hci_register_dev()', and there is a tiny chance that 'hci_power_on()' will
be executed before this bit is set. In that case the HCI init logic fails.

The patch adds one more bit in addition to 'HCI_UART_PROTO_READY' which
allows the power up logic to be performed without the original bit set.

Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
---
 drivers/bluetooth/hci_ldisc.c | 19 ++++++++++++++-----
 drivers/bluetooth/hci_uart.h  |  1 +
 2 files changed, 15 insertions(+), 5 deletions(-)
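The race the commit message describes, modelled as an added stand-alone C program (this is not kernel code and not the author's patch). The model makes the following assumptions: the kworker that runs hci_power_on() is executed synchronously inside register_dev(), which forces the losing interleaving every time instead of leaving it to chance; EUNATCH_MODEL is a placeholder errno value; the bit helpers are toy versions of the kernel's; and the three orderings (the original code, the patch's HCI_UART_PROTO_INIT bit, and the reviewer's suggestion of setting HCI_UART_PROTO_READY before registering) are constructed enum values for comparison. It also reproduces what the hunk does on the registration error path, where the INIT bit is never cleared.

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag bit numbers as in drivers/bluetooth/hci_uart.h; the patch adds
 * HCI_UART_PROTO_INIT = 4. Everything below is a constructed model. */
#define HCI_UART_PROTO_READY 2
#define HCI_UART_PROTO_INIT  4

#define EUNATCH_MODEL 49 /* placeholder for the kernel's -EUNATCH */

struct hci_uart {
    unsigned long flags;
    int power_on_result;    /* what the modelled hci_power_on() got back from send_frame() */
};

/* Toy versions of the kernel bit helpers (single-threaded model, no atomics). */
static void set_bit(int nr, unsigned long *p)   { *p |= 1UL << nr; }
static void clear_bit(int nr, unsigned long *p) { *p &= ~(1UL << nr); }
static bool test_bit(int nr, const unsigned long *p) { return (*p >> nr) & 1UL; }

/* Model of hci_uart_send_frame(): the TX path refuses frames unless the
 * proto is ready. check_init_bit selects the patched condition. */
static int send_frame(struct hci_uart *hu, bool check_init_bit)
{
    if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
        return 0;
    if (check_init_bit && test_bit(HCI_UART_PROTO_INIT, &hu->flags))
        return 0;
    return -EUNATCH_MODEL;
}

/* Model of hci_register_dev(): it queues hci_power_on() on a kworker. The
 * worker is run synchronously here, i.e. the worst-case schedule in which it
 * wins the race against the caller that has not yet set HCI_UART_PROTO_READY. */
static int register_dev(struct hci_uart *hu, bool check_init_bit, bool fail)
{
    hu->power_on_result = send_frame(hu, check_init_bit); /* first HCI command of hci_power_on() */
    return fail ? -1 : 0;
}

enum ordering {
    ORDER_ORIGINAL,    /* READY set only after registration: the race in the commit message */
    ORDER_INIT_BIT,    /* the patch: INIT set before registering, cleared after READY is set */
    ORDER_READY_FIRST  /* the review suggestion: set READY before registering */
};

/* Model of hci_uart_set_proto() under each ordering. Returns the registration
 * error, or otherwise the result the power-on path observed. */
static int set_proto(struct hci_uart *hu, enum ordering o, bool register_fails)
{
    int err;

    hu->flags = 0;
    hu->power_on_result = 0;

    switch (o) {
    case ORDER_ORIGINAL:
        err = register_dev(hu, false, register_fails);
        if (err)
            return err;
        set_bit(HCI_UART_PROTO_READY, &hu->flags);
        break;
    case ORDER_INIT_BIT:
        set_bit(HCI_UART_PROTO_INIT, &hu->flags);
        err = register_dev(hu, true, register_fails);
        if (err)
            return err;  /* as in the hunk: INIT is not cleared on this path */
        set_bit(HCI_UART_PROTO_READY, &hu->flags);
        clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
        break;
    case ORDER_READY_FIRST:
        set_bit(HCI_UART_PROTO_READY, &hu->flags);
        err = register_dev(hu, false, register_fails);
        if (err)
            return err;
        break;
    }
    return hu->power_on_result;
}

/* Does the modelled power-on succeed under this ordering? */
static bool power_on_succeeds(enum ordering o)
{
    struct hci_uart hu;
    return set_proto(&hu, o, false) == 0;
}

/* After a failed registration under the patch ordering, is
 * HCI_UART_PROTO_INIT still set? (The hunk returns before clear_bit().) */
static bool init_bit_leaks_on_failure(void)
{
    struct hci_uart hu;
    set_proto(&hu, ORDER_INIT_BIT, true);
    return test_bit(HCI_UART_PROTO_INIT, &hu.flags);
}

int main(void)
{
    printf("original ordering:  power-on %s\n", power_on_succeeds(ORDER_ORIGINAL) ? "ok" : "fails");
    printf("patch (INIT bit):   power-on %s\n", power_on_succeeds(ORDER_INIT_BIT) ? "ok" : "fails");
    printf("READY set first:    power-on %s\n", power_on_succeeds(ORDER_READY_FIRST) ? "ok" : "fails");
    printf("INIT left set after failed register: %s\n", init_bit_leaks_on_failure() ? "yes" : "no");
    return 0;
}
```

Because the worker runs synchronously, the original ordering fails on every run rather than with the "tiny chance" the commit message describes; that is the point of forcing the interleaving in a model, since the real race window is short enough that it rarely reproduces under test. Both fixes make the power-on path succeed, and the model also shows the state left behind by the patch ordering when registration fails.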