From patchwork Fri Aug 4 00:11:11 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13341026
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 1/5] Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL
Date: Thu, 3 Aug 2023 17:11:11 -0700
Message-ID: <20230804001115.907885-1-luiz.dentz@gmail.com>

From: Luiz Augusto von Dentz

When sending HCI_OP_CREATE_CONN_CANCEL it shall wait for HCI_EV_CONN_COMPLETE, not HCI_EV_CMD_STATUS, when the reason is anything but HCI_ERROR_REMOTE_POWER_OFF. This reason is used when suspending or powering off, where we don't want to wait for the peer's response.

Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_sync.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index e114409628d1..a9b048d7b419 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c 
@@ -5321,6 +5321,17 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn, if (hdev->hci_ver < BLUETOOTH_VER_1_2) return 0; + /* Wait for HCI_EV_CONN_COMPLETE, not HCI_EV_CMD_STATUS, when the + * reason is anything but HCI_ERROR_REMOTE_POWER_OFF. This reason is + * used when suspending or powering off, where we don't want to wait + * for the peer's response. + */ + if (reason != HCI_ERROR_REMOTE_POWER_OFF) + return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN_CANCEL, + 6, &conn->dst, + HCI_EV_CONN_COMPLETE, + HCI_CMD_TIMEOUT, NULL); + return __hci_cmd_sync_status(hdev, HCI_OP_CREATE_CONN_CANCEL, 6, &conn->dst, HCI_CMD_TIMEOUT); }
From patchwork Fri Aug 4 00:11:12 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13341027
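Review bot: the non-power-off path now blocks in hci_connect_cancel_sync until HCI_EV_CONN_COMPLETE arrives or HCI_CMD_TIMEOUT expires, so every hci_abort_conn_sync caller queued on hci_cmd_sync_work is serialized behind a peer that may never answer; the commit message should state that this wait is intentional. Also, NULL is passed as the socket to __hci_cmd_sync_status_sk, so confirm the helper still matches the completion event against &conn->dst (the 6-byte parameter) rather than accepting the first HCI_EV_CONN_COMPLETE for any peer.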
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 2/5] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
Date: Thu, 3 Aug 2023 17:11:12 -0700
Message-ID: <20230804001115.907885-2-luiz.dentz@gmail.com>
In-Reply-To: <20230804001115.907885-1-luiz.dentz@gmail.com>

From: Luiz Augusto von Dentz

Connections may be cleaned up while waiting for the commands to complete, so this attempts to check if the connection handle remains valid in case of errors that would lead to calling hci_conn_failed:

BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52
CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted 6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 dump_stack_lvl+0x1d/0x70
 print_report+0xce/0x620
 ? __virt_addr_valid+0xd4/0x150
 ? hci_conn_failed+0x1f/0x160
 kasan_report+0xd1/0x100
 ? hci_conn_failed+0x1f/0x160
 hci_conn_failed+0x1f/0x160
 hci_abort_conn_sync+0x237/0x360

Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_sync.c | 45 ++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 16 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index a9b048d7b419..ec8929e79502 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c 
@@ -5389,27 +5389,20 @@ static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) { - int err; + int err = 0; + u16 handle = conn->handle; switch (conn->state) { case BT_CONNECTED: case BT_CONFIG: - return hci_disconnect_sync(hdev, conn, reason); + err = hci_disconnect_sync(hdev, conn, reason); + break; case BT_CONNECT: err = hci_connect_cancel_sync(hdev, conn, reason); - /* Cleanup hci_conn object if it cannot be cancelled as it - * likelly means the controller and host stack are out of sync - * or in case of LE it was still scanning so it can be cleanup - * safely. - */ - if (err) { - hci_dev_lock(hdev); - hci_conn_failed(conn, err); - hci_dev_unlock(hdev); - } - return err; + break; case BT_CONNECT2: - return hci_reject_conn_sync(hdev, conn, reason); + err = hci_reject_conn_sync(hdev, conn, reason); + break; case BT_OPEN: case BT_BOUND: hci_dev_lock(hdev); 
@@ -5418,10 +5411,30 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) return 0; default: conn->state = BT_CLOSED; - break; + return 0; } - return 0; + /* Cleanup hci_conn object if it cannot be cancelled as it + * likelly means the controller and host stack are out of sync + * or in case of LE it was still scanning so it can be cleanup + * safely. + */ + if (err) { + struct hci_conn *c; + + /* Check if the connection hasn't been cleanup while waiting + * commands to complete. + */ + c = hci_conn_hash_lookup_handle(hdev, handle); + if (!c || c != conn) + return 0; + + hci_dev_lock(hdev); + hci_conn_failed(conn, err); + hci_dev_unlock(hdev); + } + + return err; } static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
From patchwork Fri Aug 4 00:11:13 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13341028
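Review bot: the handle captured at entry (`u16 handle = conn->handle;`) is typically not yet assigned for a connection in BT_CONNECT, since patch 4 of this series shows the handle being set only from the connection-complete handlers; for that state hci_conn_hash_lookup_handle(hdev, handle) does not find the conn, `if (!c || c != conn) return 0;` is taken, and hci_conn_failed is never called, which is exactly the cleanup the removed BT_CONNECT branch existed to do. Keying the re-check on something stable (the peer address, or hci_conn_get/hci_conn_put around the wait) would avoid that. Two smaller points: the lookup and the `c != conn` comparison run outside hci_dev_lock, so the conn can still be freed between that check and hci_conn_failed; take hci_dev_lock(hdev) before the lookup and hold it through hci_conn_failed. And returning 0 when the conn has vanished hides the original err from the caller; returning err, or at least a bt_dev_dbg, keeps the failure visible.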
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 3/5] Bluetooth: ISO: Fix not checking for valid CIG/CIS IDs
Date: Thu, 3 Aug 2023 17:11:13 -0700
Message-ID: <20230804001115.907885-3-luiz.dentz@gmail.com>
In-Reply-To: <20230804001115.907885-1-luiz.dentz@gmail.com>

From: Luiz Augusto von Dentz

The valid range of CIG/CIS IDs is 0x00 to 0xEF, so this checks they are properly validated before attempting to use HCI_OP_LE_SET_CIG_PARAMS.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/iso.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index 358954bfbb32..6b66d6a88b9a 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c 
@@ -1187,6 +1187,12 @@ static bool check_io_qos(struct bt_iso_io_qos *qos) static bool check_ucast_qos(struct bt_iso_qos *qos) { + if (qos->ucast.cig > 0xef && qos->ucast.cig != BT_ISO_QOS_CIG_UNSET) + return false; + + if (qos->ucast.cis > 0xef && qos->ucast.cis != BT_ISO_QOS_CIS_UNSET) + return false; + if (qos->ucast.sca > 0x07) return false;
From patchwork Fri Aug 4 00:11:14 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13341029
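Review bot: the two new range checks in check_ucast_qos hard-code 0xef, and patch 5 of this series repeats the same limit in a comment ("cis_id: 0x00 to 0xEF"); a named constant shared by both sites would keep them from drifting apart. The exemption for BT_ISO_QOS_CIG_UNSET / BT_ISO_QOS_CIS_UNSET only has effect if those sentinels lie above 0xef, so a one-line comment stating that assumption would help the next reader. Also confirm that the broadcast QoS path, which this hunk does not touch, applies an equivalent bound to the BIG/BIS identifiers it hands to the controller.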
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 4/5] Bluetooth: hci_conn: Fix modifying handle while aborting
Date: Thu, 3 Aug 2023 17:11:14 -0700
Message-ID: <20230804001115.907885-4-luiz.dentz@gmail.com>
In-Reply-To: <20230804001115.907885-1-luiz.dentz@gmail.com>

From: Luiz Augusto von Dentz

This introduces hci_conn_set_handle which takes care of verifying the conditions where the hci_conn handle can be modified, including when hci_conn_abort has been called, and also checks that the handle is valid.

Signed-off-by: Luiz Augusto von Dentz
---
 include/net/bluetooth/hci_core.h |  1 +
 net/bluetooth/hci_conn.c         | 30 ++++++++++++++++++++++++++++++
 net/bluetooth/hci_event.c        | 29 +++++++++++------------------
 3 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 8200a6689b39..d2a3a2a9fd7d 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h @@ -1425,6 +1425,7 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role); void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active); void hci_conn_failed(struct hci_conn *conn, u8 status); +u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle); /* * hci_conn_get() and hci_conn_put() are used to control the life-time of an diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 923bb7e7be2b..13bd2753abbb 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c 
@@ -1231,6 +1231,36 @@ void hci_conn_failed(struct hci_conn *conn, u8 status) hci_conn_del(conn); } +/* This function requires the caller holds hdev->lock */ +u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) +{ + struct hci_dev *hdev = conn->hdev; + + bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle); + + if (conn->handle == handle) + return 0; + + if (handle > HCI_CONN_HANDLE_MAX) { + bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", + handle, HCI_CONN_HANDLE_MAX); + return HCI_ERROR_INVALID_PARAMETERS; + } + + /* If abort_reason has been sent it means the connection is being + * aborted and the handle shall not be changed. + */ + if (conn->abort_reason) { + bt_dev_err(hdev, "hcon %p abort_reason 0x%2.2x", conn, + conn->abort_reason); + return conn->abort_reason; + } + + conn->handle = handle; + + return 0; +} + static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) { struct hci_conn *conn; diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index f1fcece29e7d..218da9b0fe8f 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3179,13 +3179,9 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, } if (!status) { - conn->handle = __le16_to_cpu(ev->handle); - if (conn->handle > HCI_CONN_HANDLE_MAX) { - bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", - conn->handle, HCI_CONN_HANDLE_MAX); - status = HCI_ERROR_INVALID_PARAMETERS; + status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); + if (status) goto done; - } if (conn->type == ACL_LINK) { conn->state = BT_CONFIG; 
@@ -3849,11 +3845,9 @@ static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data, if (conn->state != BT_BOUND && conn->state != BT_CONNECT) continue; - conn->handle = __le16_to_cpu(rp->handle[i]); + if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i]))) + continue; - bt_dev_dbg(hdev, "%p handle 0x%4.4x parent %p", conn, - conn->handle, conn->parent); - if (conn->state == BT_CONNECT) pending = true; } @@ -5039,11 +5033,8 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, switch (status) { case 0x00: - conn->handle = __le16_to_cpu(ev->handle); - if (conn->handle > HCI_CONN_HANDLE_MAX) { - bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", - conn->handle, HCI_CONN_HANDLE_MAX); - status = HCI_ERROR_INVALID_PARAMETERS; + status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); + if (status) { conn->state = BT_CLOSED; break; } @@ -6978,7 +6969,7 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, { struct hci_evt_le_create_big_complete *ev = data; struct hci_conn *conn; - __u8 bis_idx = 0; + __u8 i = 0; BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); @@ -6996,7 +6987,9 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, conn->iso_qos.bcast.big != ev->handle) continue; - conn->handle = __le16_to_cpu(ev->bis_handle[bis_idx++]); + if (hci_conn_set_handle(conn, + __le16_to_cpu(ev->bis_handle[i++]))) + continue; if (!ev->status) { conn->state = BT_CONNECTED; 
@@ -7015,7 +7008,7 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, rcu_read_lock(); } - if (!ev->status && !bis_idx) + if (!ev->status && !i) /* If no BISes have been connected for the BIG, * terminate. This is in case all bound connections * have been closed before the BIG creation
From patchwork Fri Aug 4 00:11:15 2023
X-Patchwork-Submitter: Luiz Augusto von Dentz
X-Patchwork-Id: 13341030
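Review bot: in the hci_conn.c hunk, hci_conn_set_handle documents that the caller must hold hdev->lock but does not enforce it; a lockdep_assert_held(&hdev->lock) at the top would catch any hci_event.c caller that reaches it without the lock. The early `if (conn->handle == handle) return 0;` also runs before the abort_reason check, so an aborted connection whose new handle equals the stored one is reported as success; if that is the intended no-op, a comment saying so would help.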
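Review bot: in the hci_cc_le_set_cig_params hunk, a failing hci_conn_set_handle is answered with a bare `continue`, which drops the debug line that used to print the handle and leaves the conn in BT_BOUND or BT_CONNECT without a handle while the controller has already allocated rp->handle[i] to that CIS; `pending` is also not set for it. Logging the returned status, or failing the conn so the CIG is torn down, would avoid a silent mismatch between host and controller state.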
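Review bot: in the two hci_le_create_big_complete_evt hunks, `ev->bis_handle[i++]` still advances i when hci_conn_set_handle fails and the loop continues, so the later `if (!ev->status && !i)`, which the comment describes as "no BISes have been connected for the BIG", is false after a failed assignment even though no BIS received a handle, and the BIG is not terminated. Keep i as the array index and track "any BIS connected" in a separate flag set only after hci_conn_set_handle succeeds.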
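Review bot: in the hci_conn_complete_evt and hci_sync_conn_complete_evt hunks, a non-zero return from hci_conn_set_handle now also covers the abort_reason case, where the controller has completed a connection with a handle the host never records; confirm that the done: and BT_CLOSED paths still issue the disconnect for that link, since it can no longer be looked up by handle on the host side.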
From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 5/5] Bluetooth: hci_conn: Fix not allowing valid CIS ID
Date: Thu, 3 Aug 2023 17:11:15 -0700
Message-ID: <20230804001115.907885-5-luiz.dentz@gmail.com>
In-Reply-To: <20230804001115.907885-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz

Only the number of CIS shall be limited to 0x1f; the CIS ID, on the other hand, goes up to 0xef.

Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
Signed-off-by: Luiz Augusto von Dentz
---
 net/bluetooth/hci_conn.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 13bd2753abbb..84f2ac21a85a 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1849,9 +1849,12 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) cis_add(&data, qos); } - /* Reprogram all CIS(s) with the same CIG */ - for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0x11; - data.cis++) { + /* Reprogram all CIS(s) with the same CIG, valid range are: + * num_cis: 0x00 to 0x1F + * cis_id: 0x00 to 0xEF + */ + for (data.cig = qos->ucast.cig, data.cis = 0x00; data.cis < 0xf0 && + data.pdu.cp.num_cis < ARRAY_SIZE(data.pdu.cis); data.cis++) { data.count = 0; hci_conn_hash_list_state(hdev, cis_list, ISO_LINK, BT_BOUND,
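Review bot: the new `data.pdu.cp.num_cis < ARRAY_SIZE(data.pdu.cis)` guard stops the loop silently once the PDU is full, so if more bound CIS share the CIG than fit in data.pdu.cis the remaining ones are never programmed; a bt_dev_warn, or returning false from hci_le_set_cig_params, would make that visible. The comment's "valid range are" should read "valid ranges are", and the loop now calls hci_conn_hash_list_state up to 240 times per invocation (0x00 to 0xef) where the old bound was 0x11; that is acceptable for a control-path operation but worth a sentence in the commit message.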