[v2,1/1] Bluetooth: fix race condition in hidp_session_thread

Message ID: 20230304142330.7367-1-lm0963hack@gmail.com
State Accepted
Commit 4bbfb9fefadfcddb53b6d97acd95cf457166a2cf
Series: [v2,1/1] Bluetooth: fix race condition in hidp_session_thread

Checks

Context                          Check     Description
tedd_an/pre-ci_am                success   Success
tedd_an/CheckPatch               success   CheckPatch PASS
tedd_an/GitLint                  success   Gitlint PASS
tedd_an/SubjectPrefix            success   Gitlint PASS
tedd_an/BuildKernel              success   BuildKernel PASS
tedd_an/CheckAllWarning          success   CheckAllWarning PASS
tedd_an/CheckSparse              success   CheckSparse PASS
tedd_an/CheckSmatch              success   CheckSparse PASS
tedd_an/BuildKernel32            success   BuildKernel32 PASS
tedd_an/TestRunnerSetup          success   TestRunnerSetup PASS
tedd_an/TestRunner_l2cap-tester  success   TestRunner PASS
tedd_an/TestRunner_iso-tester    success   TestRunner PASS
tedd_an/TestRunner_bnep-tester   success   TestRunner PASS
tedd_an/TestRunner_mgmt-tester   success   TestRunner PASS
tedd_an/TestRunner_rfcomm-tester success   TestRunner PASS
tedd_an/TestRunner_sco-tester    success   TestRunner PASS
tedd_an/TestRunner_ioctl-tester  success   TestRunner PASS
tedd_an/TestRunner_mesh-tester   success   TestRunner PASS
tedd_an/TestRunner_smp-tester    success   TestRunner PASS
tedd_an/TestRunner_userchan-tester success TestRunner PASS
tedd_an/IncrementalBuild         success   Incremental Build PASS

Commit Message

Min Li March 4, 2023, 2:23 p.m. UTC
There is a potential race condition in hidp_session_thread that may
lead to a use-after-free. For instance, the timer is active while
hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
'session' will be freed, causing a kernel panic when hidp_idle_timeout
is running.

The solution is to use del_timer_sync instead of del_timer.

Here is the call trace:

? hidp_session_probe+0x780/0x780
call_timer_fn+0x2d/0x1e0
__run_timers.part.0+0x569/0x940
hidp_session_probe+0x780/0x780
call_timer_fn+0x1e0/0x1e0
ktime_get+0x5c/0xf0
lapic_next_deadline+0x2c/0x40
clockevents_program_event+0x205/0x320
run_timer_softirq+0xa9/0x1b0
__do_softirq+0x1b9/0x641
__irq_exit_rcu+0xdc/0x190
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0xa1/0xc0

v2:
  - Fixed code style issues

Signed-off-by: Min Li <lm0963hack@gmail.com>
---
 net/bluetooth/hidp/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
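
The race the commit message describes, as an added userspace model (this is illustration code, not code from the kernel or from the patch author): a pthread plays the CPU that is running hidp_idle_timeout(), a semaphore plays the scheduler deciding when that callback gets to continue, and `freed` is a flag rather than a real free() so the callback can report what it saw without an actual use-after-free. Names such as run_scenario(), model_del_timer() and model_del_timer_sync() are this example's own.

```c
/* Userspace model of del_timer() vs del_timer_sync() during session teardown.
 * Added example; not kernel code.  The timer callback runs on a pthread and
 * a semaphore stands in for the scheduler. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Reduced stand-in for struct hidp_session. */
struct session {
    int refcnt;
    int idle_to;
    bool freed;   /* set instead of really freeing, so the callback can
                   * report what it saw without a real use-after-free */
};

/* Reduced stand-in for the timer plus the CPU that runs its callback. */
struct model {
    struct session *sess;
    pthread_t cb_thread;
    bool cb_joined;      /* callback already waited for (sync path) */
    sem_t cb_started;    /* callback has entered hidp_idle_timeout() */
    sem_t cb_proceed;    /* callback may continue past its "preemption" */
    bool cb_saw_freed;   /* what the callback observed on its session */
};

/* Stand-in for hidp_idle_timeout(): it already holds the session pointer
 * (from_timer() in the kernel) when it is preempted, then dereferences it. */
static void *idle_timeout_cb(void *arg)
{
    struct model *m = arg;
    struct session *s = m->sess;

    sem_post(&m->cb_started);
    sem_wait(&m->cb_proceed);        /* preempted right here */
    m->cb_saw_freed = s->freed;      /* the dereference that races */
    return NULL;
}

/* del_timer(): deactivate a pending timer and return at once, even if the
 * callback is running on another CPU.  Nothing is pending in this model:
 * the callback is already executing. */
static void model_del_timer(struct model *m)
{
    (void)m;
}

/* del_timer_sync(): deactivate, then wait until a running callback has
 * returned.  "Waiting" in the model means letting the callback thread run
 * to completion and joining it. */
static void model_del_timer_sync(struct model *m)
{
    model_del_timer(m);
    sem_post(&m->cb_proceed);
    pthread_join(m->cb_thread, NULL);
    m->cb_joined = true;
}

/* hidp_del_timer() with the same `idle_to > 0` guard as the kernel code;
 * `fixed` selects the post-patch variant. */
static void hidp_del_timer_model(struct model *m, bool fixed)
{
    if (m->sess->idle_to > 0) {
        if (fixed)
            model_del_timer_sync(m);
        else
            model_del_timer(m);
    }
}

/* hidp_session_put(): dropping the last reference frees the session. */
static void session_put(struct session *s)
{
    if (--s->refcnt == 0)
        s->freed = true;
}

/* Teardown sequence from hidp_session_thread() after the idle timer has
 * already fired.  Returns true if the callback touched a freed session. */
static bool run_scenario(bool fixed)
{
    struct session *s = calloc(1, sizeof(*s));
    struct model m = { .sess = s };
    bool uaf;

    s->refcnt = 1;
    s->idle_to = 1;
    sem_init(&m.cb_started, 0, 0);
    sem_init(&m.cb_proceed, 0, 0);
    pthread_create(&m.cb_thread, NULL, idle_timeout_cb, &m);
    sem_wait(&m.cb_started);          /* timer fired; callback mid-flight */

    hidp_del_timer_model(&m, fixed);  /* the line the patch changes */
    session_put(s);                   /* session is freed here */

    if (!m.cb_joined) {               /* callback resumes after the free */
        sem_post(&m.cb_proceed);
        pthread_join(m.cb_thread, NULL);
    }
    uaf = m.cb_saw_freed;
    sem_destroy(&m.cb_started);
    sem_destroy(&m.cb_proceed);
    free(s);
    return uaf;
}

int main(void)
{
    printf("del_timer():      callback saw freed session = %d\n", run_scenario(false));
    printf("del_timer_sync(): callback saw freed session = %d\n", run_scenario(true));
    return 0;
}
```

Build with `gcc -pthread` and run: the pre-patch ordering lets the callback resume after hidp_session_put() has dropped the last reference, while the synchronous delete makes the teardown thread wait for the callback first. The model also shows why the fix only helps when the deleting context may block: a del_timer_sync() called from the callback itself would be waiting for its own return.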

Comments

bluez.test.bot@gmail.com March 4, 2023, 2:57 p.m. UTC | #1
This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=726625

---Test result---

Test Summary:
CheckPatch                    PASS      0.69 seconds
GitLint                       PASS      0.35 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      32.22 seconds
CheckAllWarning               PASS      34.86 seconds
CheckSparse                   PASS      40.03 seconds
CheckSmatch                   PASS      107.74 seconds
BuildKernel32                 PASS      31.24 seconds
TestRunnerSetup               PASS      446.15 seconds
TestRunner_l2cap-tester       PASS      16.82 seconds
TestRunner_iso-tester         PASS      17.77 seconds
TestRunner_bnep-tester        PASS      5.76 seconds
TestRunner_mgmt-tester        PASS      113.05 seconds
TestRunner_rfcomm-tester      PASS      9.26 seconds
TestRunner_sco-tester         PASS      8.43 seconds
TestRunner_ioctl-tester       PASS      9.86 seconds
TestRunner_mesh-tester        PASS      7.29 seconds
TestRunner_smp-tester         PASS      8.35 seconds
TestRunner_userchan-tester    PASS      6.00 seconds
IncrementalBuild              PASS      29.26 seconds
---
Regards,
Linux Bluetooth
patchwork-bot+bluetooth@kernel.org March 7, 2023, 6:40 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat,  4 Mar 2023 22:23:30 +0800 you wrote:
> There is a potential race condition in hidp_session_thread that may
> lead to a use-after-free. For instance, the timer is active while
> hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
> 'session' will be freed, causing a kernel panic when hidp_idle_timeout
> is running.
> 
> The solution is to use del_timer_sync instead of del_timer.
> 
> [...]

Here is the summary with links:
  - [v2,1/1] Bluetooth: fix race condition in hidp_session_thread
    https://git.kernel.org/bluetooth/bluetooth-next/c/4bbfb9fefadf

You are awesome, thank you!

Patch

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index bed1a7b9205c..707f229f896a 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -433,7 +433,7 @@  static void hidp_set_timer(struct hidp_session *session)
 static void hidp_del_timer(struct hidp_session *session)
 {
 	if (session->idle_to > 0)
-		del_timer(&session->timer);
+		del_timer_sync(&session->timer);
 }
 
 static void hidp_process_report(struct hidp_session *session, int type,
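Review bot: swapping `del_timer(&session->timer)` for `del_timer_sync(&session->timer)` changes the contract for every caller of hidp_del_timer(), not only the hidp_session_thread() path the commit message names, and del_timer_sync() waits for a callback running on another CPU to return, so it deadlocks if reached from hidp_idle_timeout() itself or while holding a lock that hidp_idle_timeout() takes. The commit message should say that each caller of hidp_del_timer() was checked against that, since nothing in the hunk shows it. Two smaller points: the `if (session->idle_to > 0)` guard now also decides whether the wait happens at all, so a session with idle_to of zero must never have armed the timer, otherwise the original race survives unguarded; and on a tree that already has timer_delete_sync(), that is the preferred name, with del_timer_sync() kept only as a compatibility wrapper.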