
[v1] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed

Message ID 20240912164454.2996352-1-luiz.dentz@gmail.com (mailing list archive)
State Superseded

Checks

Context            Check    Description
tedd_an/pre-ci_am  success  Success
Commit Message

Luiz Augusto von Dentz Sept. 12, 2024, 4:44 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

If mgmt_index_removed is called while there are commands queued on
cmd_sync it could lead to crashes like the below trace:

0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc
0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]
0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]
0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]

So while handling mgmt_index_removed this attempts to dequeue
commands passed as user_data to cmd_sync.

Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
Reported-by: jiaymao <quic_jiaymao@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/mgmt.c | 5 +++++
 1 file changed, 5 insertions(+)
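
The ordering the commit message describes, as an added user-space model that is not part of the patch or of the kernel source: a table of pending MGMT commands and a cmd_sync queue whose entries carry a pending command as user_data. When the index is removed before the deferred work runs, the completion dereferences a command that was already freed; dequeuing the entries that reference the command before freeing it, which is what the patch intends, removes the stale pointer. All names here are illustrative (pending_add, sync_dequeue_by_data, index_removed and so on are not kernel functions), the dequeue-by-data semantics of hci_cmd_sync_dequeue are assumed, and slots are static so a "freed" command can be inspected safely instead of being a real use-after-free.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model (added example, not kernel code). Static slots let a
 * freed command be inspected; in the kernel the same access is a UAF. */
#define MAX_CMDS 8
#define MAX_SYNC 8

struct pending_cmd {
	bool in_use;
	bool freed;	/* set by pending_remove(); later touches are stale */
};

struct sync_entry {
	bool in_use;
	void *user_data;	/* the pending_cmd handed to cmd_sync */
};

struct hdev_model {
	struct pending_cmd cmds[MAX_CMDS];
	struct sync_entry sync[MAX_SYNC];
	int uaf_hits;	/* completions that ran against a freed cmd */
};

static struct pending_cmd *pending_add(struct hdev_model *h)
{
	for (int i = 0; i < MAX_CMDS; i++) {
		if (!h->cmds[i].in_use) {
			h->cmds[i].in_use = true;
			h->cmds[i].freed = false;
			return &h->cmds[i];
		}
	}
	return NULL;
}

/* mgmt_pending_remove() analogue. On a freed cmd the kernel unlinks a stale
 * list node (__list_del_entry_valid_or_report in the trace); the model
 * records the stale access instead of crashing. */
static void pending_remove(struct hdev_model *h, struct pending_cmd *cmd)
{
	if (cmd->freed) {
		h->uaf_hits++;
		return;
	}
	cmd->freed = true;
	cmd->in_use = false;
}

static bool sync_queue_add(struct hdev_model *h, struct pending_cmd *cmd)
{
	for (int i = 0; i < MAX_SYNC; i++) {
		if (!h->sync[i].in_use) {
			h->sync[i].in_use = true;
			h->sync[i].user_data = cmd;
			return true;
		}
	}
	return false;
}

/* Assumed semantics of hci_cmd_sync_dequeue(hdev, NULL, data, NULL): drop
 * every queued entry whose user_data matches. Returns the count removed. */
static int sync_dequeue_by_data(struct hdev_model *h, void *data)
{
	int removed = 0;
	for (int i = 0; i < MAX_SYNC; i++) {
		if (h->sync[i].in_use && h->sync[i].user_data == data) {
			h->sync[i].in_use = false;
			h->sync[i].user_data = NULL;
			removed++;
		}
	}
	return removed;
}

/* hci_cmd_sync_work() analogue: each completion ends, like
 * mgmt_remove_adv_monitor_complete(), by removing its pending command. */
static void sync_work_run(struct hdev_model *h)
{
	for (int i = 0; i < MAX_SYNC; i++) {
		if (!h->sync[i].in_use)
			continue;
		h->sync[i].in_use = false;
		pending_remove(h, h->sync[i].user_data);
	}
}

/* mgmt_index_removed() analogue: fail every pending command. With
 * dequeue_first the cmd's queued cmd_sync entries go first (the patch's
 * intent); without it the queue keeps pointers to freed commands. */
static void index_removed(struct hdev_model *h, bool dequeue_first)
{
	for (int i = 0; i < MAX_CMDS; i++) {
		if (!h->cmds[i].in_use)
			continue;
		if (dequeue_first)
			sync_dequeue_by_data(h, &h->cmds[i]);
		pending_remove(h, &h->cmds[i]);
	}
}

/* The ordering from the report: queue on cmd_sync, remove the index, then
 * the deferred work runs. Returns how many completions hit a freed cmd. */
int scenario(bool dequeue_first)
{
	struct hdev_model h = {0};
	struct pending_cmd *cmd = pending_add(&h);

	sync_queue_add(&h, cmd);
	index_removed(&h, dequeue_first);
	sync_work_run(&h);
	return h.uaf_hits;
}

int main(void)
{
	printf("without dequeue: %d stale completion(s)\n", scenario(false));
	printf("with dequeue:    %d stale completion(s)\n", scenario(true));
	return 0;
}
```

The only difference between the two runs is whether the queue is purged of entries pointing at the command before the command is freed; that is the whole content of the fix, and it is the invariant to keep in mind for any deferred-work mechanism that stores a raw pointer to an object with a shorter lifetime.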

Comments

kernel test robot Sept. 13, 2024, 4:16 a.m. UTC | #1
Hi Luiz,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth-next/master]
[also build test ERROR on bluetooth/master linus/master v6.11-rc7 next-20240912]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-MGMT-Fix-possible-crash-on-mgmt_index_removed/20240913-004604
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
patch link:    https://lore.kernel.org/r/20240912164454.2996352-1-luiz.dentz%40gmail.com
patch subject: [PATCH v1] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
config: openrisc-randconfig-r071-20240913 (https://download.01.org/0day-ci/archive/20240913/202409131212.VOjz2kzX-lkp@intel.com/config)
compiler: or1k-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240913/202409131212.VOjz2kzX-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409131212.VOjz2kzX-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/bluetooth/mgmt.c: In function 'cmd_complete_rsp':
>> net/bluetooth/mgmt.c:1459:33: error: 'struct mgmt_pending_cmd' has no member named 'hdev'
    1459 |         hci_cmd_sync_dequeue(cmd->hdev, NULL, cmd, NULL);
         |                                 ^~


vim +1459 net/bluetooth/mgmt.c

  1453	
  1454	static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
  1455	{
  1456		/* dequeue cmd_sync entries using cmd as data as that is about to be
  1457		 * removed/freed.
  1458		 */
> 1459		hci_cmd_sync_dequeue(cmd->hdev, NULL, cmd, NULL);
  1460	
  1461		if (cmd->cmd_complete) {
  1462			u8 *status = data;
  1463	
  1464			cmd->cmd_complete(cmd, *status);
  1465			mgmt_pending_remove(cmd);
  1466	
  1467			return;
  1468		}
  1469	
  1470		cmd_status_rsp(cmd, data);
  1471	}
  1472
kernel test robot Sept. 13, 2024, 5:29 a.m. UTC | #2
Hi Luiz,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth-next/master]
[also build test ERROR on bluetooth/master linus/master v6.11-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-MGMT-Fix-possible-crash-on-mgmt_index_removed/20240913-004604
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
patch link:    https://lore.kernel.org/r/20240912164454.2996352-1-luiz.dentz%40gmail.com
patch subject: [PATCH v1] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
config: i386-buildonly-randconfig-001-20240913 (https://download.01.org/0day-ci/archive/20240913/202409131332.j8QQVdrT-lkp@intel.com/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240913/202409131332.j8QQVdrT-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409131332.j8QQVdrT-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/bluetooth/mgmt.c:1459:28: error: no member named 'hdev' in 'struct mgmt_pending_cmd'
    1459 |         hci_cmd_sync_dequeue(cmd->hdev, NULL, cmd, NULL);
         |                              ~~~  ^
   1 error generated.


vim +1459 net/bluetooth/mgmt.c

  1453	
  1454	static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
  1455	{
  1456		/* dequeue cmd_sync entries using cmd as data as that is about to be
  1457		 * removed/freed.
  1458		 */
> 1459		hci_cmd_sync_dequeue(cmd->hdev, NULL, cmd, NULL);
  1460	
  1461		if (cmd->cmd_complete) {
  1462			u8 *status = data;
  1463	
  1464			cmd->cmd_complete(cmd, *status);
  1465			mgmt_pending_remove(cmd);
  1466	
  1467			return;
  1468		}
  1469	
  1470		cmd_status_rsp(cmd, data);
  1471	}
  1472

Patch

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index e4f564d6f6fb..1fb5c8022610 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1453,6 +1453,11 @@  static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
 
 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
 {
+	/* dequeue cmd_sync entries using cmd as data as that is about to be
+	 * removed/freed.
+	 */
+	hci_cmd_sync_dequeue(cmd->hdev, NULL, cmd, NULL);
+
 	if (cmd->cmd_complete) {
 		u8 *status = data;
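Review bot: the new `hci_cmd_sync_dequeue(cmd->hdev, NULL, cmd, NULL);` line does not build, so this hunk cannot be merged as posted: both kernel test robot reports above (gcc 14.1.0 on openrisc and clang 18.1.8 on i386) fail with "'struct mgmt_pending_cmd' has no member named 'hdev'". cmd_complete_rsp() already receives a `data` pointer from its caller, which the visible context uses only as `u8 *status`; the hdev known to mgmt_index_removed() could be carried down through that argument (for example a small struct holding both the hdev and the status) instead of being read from the pending command, with the callers updated to match. Since the fall-through path of this function ends in cmd_status_rsp(), which the hunk header shows has the same `(struct mgmt_pending_cmd *cmd, void *data)` signature, it is worth checking whether commands without a cmd_complete callback also need their cmd_sync entries dequeued before mgmt_pending_remove() frees them, or the same stale-pointer window remains on that path.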