1. 10 Nov, 2018 1 commit
    • Matias Karhumaa's avatar
      Bluetooth: SMP: fix crash in unpairing · b0c52fbf
      Matias Karhumaa authored
      [ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
      
      In case unpair_device() was called through mgmt interface at the same time
      when pairing was in progress, Bluetooth kernel module crash was seen.
      
      [  600.351225] general protection fault: 0000 [#1] SMP PTI
      [  600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G           OE     4.19.0-rc1+ #1
      [  600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
      [  600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
      [  600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
      [  600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
      [  600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
      [  600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
      [  600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
      [  600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
      [  600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
      [  600.351295] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
      [  600.351298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
      [  600.351302] Call Trace:
      [  600.351325]  smp_failure+0x4f/0x70 [bluetooth]
      [  600.351345]  smp_cancel_pairing+0x74/0x80 [bluetooth]
      [  600.351370]  unpair_device+0x1c1/0x330 [bluetooth]
      [  600.351399]  hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
      [  600.351409]  ? apparmor_socket_sendmsg+0x1e/0x20
      [  600.351417]  sock_sendmsg+0x3e/0x50
      [  600.351422]  sock_write_iter+0x85/0xf0
      [  600.351429]  do_iter_readv_writev+0x12b/0x1b0
      [  600.351434]  do_iter_write+0x87/0x1a0
      [  600.351439]  vfs_writev+0x98/0x110
      [  600.351443]  ? ep_poll+0x16d/0x3d0
      [  600.351447]  ? ep_modify+0x73/0x170
      [  600.351451]  do_writev+0x61/0xf0
      [  600.351455]  ? do_writev+0x61/0xf0
      [  600.351460]  __x64_sys_writev+0x1c/0x20
      [  600.351465]  do_syscall_64+0x5a/0x110
      [  600.351471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  600.351474] RIP: 0033:0x7fb2bdb62fe0
      [  600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
      [  600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
      [  600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
      [  600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
      [  600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
      [  600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
      [  600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
      [  600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
      [  600.351569]  snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
      [  600.351637] ---[ end trace e49e9f1df09c94fb ]---
      [  600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
      [  600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
      [  600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
      [  600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
      [  600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
      [  600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
      [  600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
      [  600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
      [  600.351684] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
      [  600.351686] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
      
      Crash happened because list_del_rcu() was called twice for smp->ltk. This
      was possible if unpair_device was called right after ltk was generated
      but before keys were distributed.
      
      In this commit smp_cancel_pairing was refactored to cancel pairing if it
      is in progress and otherwise just removes keys. Once keys are removed from
      rcu list, pointers to smp context's keys are set to NULL to make sure
      removed list items are not accessed later.
      
      This commit also adjusts the functionality of mgmt unpair_device() little
      bit. Previously pairing was canceled only if pairing was in state that
      keys were already generated. With this commit unpair_device() cancels
      pairing already in earlier states.
      
      Bug was found by fuzzing kernel SMP implementation using Synopsys
      Defensics.
      Reported-by: default avatarPekka Oikarainen <pekka.oikarainen@synopsys.com>
      Signed-off-by: default avatarMatias Karhumaa <matias.karhumaa@gmail.com>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b0c52fbf
  2. 19 Sep, 2018 1 commit
    • Marcel Holtmann's avatar
      Bluetooth: hidp: Fix handling of strncpy for hid->name information · 362990d8
      Marcel Holtmann authored
      [ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ]
      
      This fixes two issues with setting hid->name information.
      
        CC      net/bluetooth/hidp/core.o
      In function ‘hidp_setup_hid’,
          inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9,
          inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8,
          inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8:
      net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation]
        strncpy(hid->name, req->name, sizeof(req->name) - 1);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
        CC      net/bluetooth/hidp/core.o
      net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’:
      net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess]
        strncpy(hid->name, req->name, sizeof(req->name));
                                            ^
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      362990d8
  3. 22 Aug, 2018 1 commit
    • Sudip Mukherjee's avatar
      Bluetooth: avoid killing an already killed socket · 9aeef6b6
      Sudip Mukherjee authored
      commit 4e1a720d0312fd510699032c7694a362a010170f upstream.
      
      slub debug reported:
      
      [  440.648642] =============================================================================
      [  440.648649] BUG kmalloc-1024 (Tainted: G    BU     O   ): Poison overwritten
      [  440.648651] -----------------------------------------------------------------------------
      
      [  440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
      [  440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
      [  440.648671] 	___slab_alloc.constprop.24+0x1fc/0x292
      [  440.648675] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
      [  440.648677] 	__kmalloc+0xb6/0x17f
      [  440.648680] 	sk_prot_alloc+0x6b/0xc6
      [  440.648683] 	sk_alloc+0x1e/0xa1
      [  440.648700] 	sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
      [  440.648716] 	sco_connect_cfm+0x166/0x281 [bluetooth]
      [  440.648731] 	hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
      [  440.648746] 	hci_event_packet+0x28b/0x2326 [bluetooth]
      [  440.648759] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648764] 	process_one_work+0x163/0x2b2
      [  440.648767] 	worker_thread+0x1a9/0x25c
      [  440.648770] 	kthread+0xf8/0xfd
      [  440.648774] 	ret_from_fork+0x2e/0x38
      [  440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
      [  440.648782] 	__slab_free+0x4b/0x27a
      [  440.648784] 	kfree+0x12e/0x155
      [  440.648787] 	__sk_destruct+0xd3/0xdf
      [  440.648790] 	sk_destruct+0x27/0x29
      [  440.648793] 	__sk_free+0x75/0x91
      [  440.648795] 	sk_free+0x1c/0x1e
      [  440.648810] 	sco_sock_kill+0x5a/0x5f [bluetooth]
      [  440.648825] 	sco_conn_del+0x8e/0xba [bluetooth]
      [  440.648840] 	sco_disconn_cfm+0x3a/0x41 [bluetooth]
      [  440.648855] 	hci_event_packet+0x45e/0x2326 [bluetooth]
      [  440.648868] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648872] 	process_one_work+0x163/0x2b2
      [  440.648875] 	worker_thread+0x1a9/0x25c
      [  440.648877] 	kthread+0xf8/0xfd
      [  440.648880] 	ret_from_fork+0x2e/0x38
      [  440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x  (null) flags=0x40008100
      [  440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
      
      When KASAN was enabled, it reported:
      
      [  210.096613] ==================================================================
      [  210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
      [  210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
      
      [  210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G     U     O    4.14.47-20180606+ #2
      [  210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
      [  210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
      [  210.096698] Call Trace:
      [  210.096711]  dump_stack+0x46/0x59
      [  210.096722]  print_address_description+0x6b/0x23b
      [  210.096729]  ? ex_handler_refcount+0x5b/0x127
      [  210.096736]  kasan_report+0x220/0x246
      [  210.096744]  ex_handler_refcount+0x5b/0x127
      [  210.096751]  ? ex_handler_clear_fs+0x85/0x85
      [  210.096757]  fixup_exception+0x8c/0x96
      [  210.096766]  do_trap+0x66/0x2c1
      [  210.096773]  do_error_trap+0x152/0x180
      [  210.096781]  ? fixup_bug+0x78/0x78
      [  210.096817]  ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096824]  ? __schedule+0x113b/0x1453
      [  210.096830]  ? sysctl_net_exit+0xe/0xe
      [  210.096837]  ? __wake_up_common+0x343/0x343
      [  210.096843]  ? insert_work+0x107/0x163
      [  210.096850]  invalid_op+0x1b/0x40
      [  210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
      [  210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
      [  210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
      [  210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
      [  210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
      [  210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
      [  210.096920]  ? __sk_destruct+0x2c6/0x2d4
      [  210.096959]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.096969]  ? __local_bh_enable_ip+0x43/0x5b
      [  210.097004]  ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
      [  210.097039]  ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
      [  210.097075]  ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
      [  210.097093]  ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
      [  210.097102]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097109]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097115]  ? __update_load_avg_se.isra.2+0x217/0x3a4
      [  210.097122]  ? set_next_entity+0x7c3/0x12cd
      [  210.097128]  ? pick_next_entity+0x25e/0x26c
      [  210.097135]  ? pick_next_task_fair+0x2ca/0xc1a
      [  210.097141]  ? switch_mm_irqs_off+0x346/0xb4f
      [  210.097147]  ? __switch_to+0x769/0xbc4
      [  210.097153]  ? compat_start_thread+0x66/0x66
      [  210.097188]  ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
      [  210.097195]  ? finish_task_switch+0x392/0x431
      [  210.097228]  ? hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097260]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097269]  process_one_work+0x579/0x9e9
      [  210.097277]  worker_thread+0x68f/0x804
      [  210.097285]  kthread+0x31c/0x32b
      [  210.097292]  ? rescuer_thread+0x70c/0x70c
      [  210.097299]  ? kthread_create_on_node+0xa3/0xa3
      [  210.097306]  ret_from_fork+0x35/0x40
      
      [  210.097314] Allocated by task 2040:
      [  210.097323]  kasan_kmalloc.part.1+0x51/0xc7
      [  210.097328]  __kmalloc+0x17f/0x1b6
      [  210.097335]  sk_prot_alloc+0xf2/0x1a3
      [  210.097340]  sk_alloc+0x22/0x297
      [  210.097375]  sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
      [  210.097410]  sco_connect_cfm+0x2d0/0x566 [bluetooth]
      [  210.097443]  hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
      [  210.097476]  hci_event_packet+0x85e/0x7de2 [bluetooth]
      [  210.097507]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097512]  process_one_work+0x579/0x9e9
      [  210.097517]  worker_thread+0x68f/0x804
      [  210.097523]  kthread+0x31c/0x32b
      [  210.097529]  ret_from_fork+0x35/0x40
      
      [  210.097533] Freed by task 2040:
      [  210.097539]  kasan_slab_free+0xb3/0x15e
      [  210.097544]  kfree+0x103/0x1a9
      [  210.097549]  __sk_destruct+0x2c6/0x2d4
      [  210.097584]  sco_conn_del.isra.1+0xba/0x10e [bluetooth]
      [  210.097617]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.097648]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097653]  process_one_work+0x579/0x9e9
      [  210.097658]  worker_thread+0x68f/0x804
      [  210.097663]  kthread+0x31c/0x32b
      [  210.097670]  ret_from_fork+0x35/0x40
      
      [  210.097676] The buggy address belongs to the object at ffff880107e170e8
       which belongs to the cache kmalloc-1024 of size 1024
      [  210.097681] The buggy address is located 120 bytes inside of
       1024-byte region [ffff880107e170e8, ffff880107e174e8)
      [  210.097683] The buggy address belongs to the page:
      [  210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping:          (null) index:0xffff880107e15b68 compound_mapcount: 0
      [  210.110194] flags: 0x8000000000008100(slab|head)
      [  210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
      [  210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
      [  210.115451] page dumped because: kasan: bad access detected
      
      [  210.115454] Memory state around the buggy address:
      [  210.115460]  ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  210.115465]  ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
      [  210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115472]                                                        ^
      [  210.115477]  ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115481]  ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115483] ==================================================================
      
      And finally when BT_DBG() and ftrace was enabled it showed:
      
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_close
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_release
             <...>-14979 [001] ....   186.104192: sco_sock_kill: sk ef0497a0 state 9
             <...>-14979 [001] ....   186.104193: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104246: sco_sock_kill <-sco_conn_del
      kworker/u9:2-792   [001] ....   186.104248: sco_sock_kill: sk ef0497a0 state 9
      kworker/u9:2-792   [001] ....   186.104249: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct <-__sk_destruct
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct: sk ef0497a0
      kworker/u9:2-792   [001] ....   186.104860: hci_conn_del <-hci_event_packet
      kworker/u9:2-792   [001] ....   186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
      
      Only in the failed case, sco_sock_kill() gets called with the same sock
      pointer two times. Add a check for SOCK_DEAD to avoid continue killing
      a socket which has already been killed.
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9aeef6b6
  4. 17 Aug, 2018 1 commit
    • Mark Salyzyn's avatar
      Bluetooth: hidp: buffer overflow in hidp_process_report · 17c1e0b1
      Mark Salyzyn authored
      commit 7992c18810e568b95c869b227137a2215702a805 upstream.
      
      CVE-2018-9363
      
      The buffer length is unsigned at all layers, but gets cast to int and
      checked in hidp_process_report and can lead to a buffer overflow.
      Switch len parameter to unsigned int to resolve issue.
      
      This affects 3.18 and newer kernels.
      Signed-off-by: default avatarMark Salyzyn <salyzyn@android.com>
      Fixes: a4b1b587 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Cc: linux-bluetooth@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: security@kernel.org
      Cc: kernel-team@android.com
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17c1e0b1
  5. 03 Jul, 2018 1 commit
    • Szymon Janc's avatar
      Bluetooth: Fix connection if directed advertising and privacy is used · 679bd362
      Szymon Janc authored
      commit 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 upstream.
      
      Local random address needs to be updated before creating connection if
      RPA from LE Direct Advertising Report was resolved in host. Otherwise
      remote device might ignore connection request due to address mismatch.
      
      This was affecting following qualification test cases:
      GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
      
      Before patch:
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6          #11350 [hci0] 84680.231216
              Address: 56:BC:E8:24:11:68 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                        #11351 [hci0] 84680.246022
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7         #11352 [hci0] 84680.246417
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                        #11353 [hci0] 84680.248854
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11354 [hci0] 84680.249466
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                        #11355 [hci0] 84680.253222
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                          #11356 [hci0] 84680.458387
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
                Identity type: Random (0x01)
                Identity: F2:F1:06:3D:9C:42 (Static)
              RSSI: -74 dBm (0xb6)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2             #11357 [hci0] 84680.458737
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                        #11358 [hci0] 84680.469982
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25          #11359 [hci0] 84680.470444
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 53:38:DA:46:8C:45 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                          #11360 [hci0] 84680.474971
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0    #11361 [hci0] 84682.545385
      > HCI Event: Command Complete (0x0e) plen 4                        #11362 [hci0] 84682.551014
            LE Create Connection Cancel (0x08|0x000e) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                          #11363 [hci0] 84682.551074
            LE Connection Complete (0x01)
              Status: Unknown Connection Identifier (0x02)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Public (0x00)
              Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
              Connection interval: 0.00 msec (0x0000)
              Connection latency: 0 (0x0000)
              Supervision timeout: 0 msec (0x0000)
              Master clock accuracy: 0x00
      
      After patch:
      < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7    #210 [hci0] 667.152459
              Type: Passive (0x00)
              Interval: 60.000 msec (0x0060)
              Window: 30.000 msec (0x0030)
              Own address type: Random (0x01)
              Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
      > HCI Event: Command Complete (0x0e) plen 4                   #211 [hci0] 667.153613
            LE Set Scan Parameters (0x08|0x000b) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2        #212 [hci0] 667.153704
              Scanning: Enabled (0x01)
              Filter duplicates: Enabled (0x01)
      > HCI Event: Command Complete (0x0e) plen 4                   #213 [hci0] 667.154584
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 18                     #214 [hci0] 667.182619
            LE Direct Advertising Report (0x0b)
              Num reports: 1
              Event type: Connectable directed - ADV_DIRECT_IND (0x01)
              Address type: Random (0x01)
              Address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Direct address type: Random (0x01)
              Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
              RSSI: -70 dBm (0xba)
      < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2       #215 [hci0] 667.182704
              Scanning: Disabled (0x00)
              Filter duplicates: Disabled (0x00)
      > HCI Event: Command Complete (0x0e) plen 4                  #216 [hci0] 667.183599
            LE Set Scan Enable (0x08|0x000c) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Set Random Address (0x08|0x0005) plen 6    #217 [hci0] 667.183645
              Address: 7C:C1:57:A5:B7:A8 (Resolvable)
                Identity type: Random (0x01)
                Identity: F4:28:73:5D:38:B0 (Static)
      > HCI Event: Command Complete (0x0e) plen 4                  #218 [hci0] 667.184590
            LE Set Random Address (0x08|0x0005) ncmd 1
              Status: Success (0x00)
      < HCI Command: LE Create Connection (0x08|0x000d) plen 25    #219 [hci0] 667.184613
              Scan interval: 60.000 msec (0x0060)
              Scan window: 60.000 msec (0x0060)
              Filter policy: White list is not used (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Own address type: Random (0x01)
              Min connection interval: 30.00 msec (0x0018)
              Max connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Min connection length: 0.000 msec (0x0000)
              Max connection length: 0.000 msec (0x0000)
      > HCI Event: Command Status (0x0f) plen 4                    #220 [hci0] 667.186558
            LE Create Connection (0x08|0x000d) ncmd 1
              Status: Success (0x00)
      > HCI Event: LE Meta Event (0x3e) plen 19                    #221 [hci0] 667.485824
            LE Connection Complete (0x01)
              Status: Success (0x00)
              Handle: 0
              Role: Master (0x00)
              Peer address type: Random (0x01)
              Peer address: 50:52:D9:A6:48:A0 (Resolvable)
                Identity type: Public (0x00)
                Identity: 11:22:33:44:55:66 (OUI 11-22-33)
              Connection interval: 50.00 msec (0x0028)
              Connection latency: 0 (0x0000)
              Supervision timeout: 420 msec (0x002a)
              Master clock accuracy: 0x07
      @ MGMT Event: Device Connected (0x000b) plen 13          {0x0002} [hci0] 667.485996
              LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
              Flags: 0x00000000
              Data length: 0
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      679bd362
  6. 13 Apr, 2018 1 commit
    • Marcel Holtmann's avatar
      Bluetooth: Send HCI Set Event Mask Page 2 command only when needed · 4bd783a4
      Marcel Holtmann authored
      
      [ Upstream commit 313f6888 ]
      
      The Broadcom BCM20702 Bluetooth controller in ThinkPad-T530 devices
      report support for the Set Event Mask Page 2 command, but actually do
      return an error when trying to use it.
      
        < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0
        > HCI Event: Command Complete (0x0e) plen 68
             Read Local Supported Commands (0x04|0x0002) ncmd 1
               Status: Success (0x00)
               Commands: 162 entries
                 ...
                 Set Event Mask Page 2 (Octet 22 - Bit 2)
                 ...
      
        < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8
               Mask: 0x0000000000000000
        > HCI Event: Command Complete (0x0e) plen 4
             Set Event Mask Page 2 (0x03|0x0063) ncmd 1
               Status: Unknown HCI Command (0x01)
      
      Since these controllers do not support any feature that would require
      the event mask page 2 to be modified, it is safe to not send this
      command at all. The default value is all bits set to zero.
      
      T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=03 Dev#=  9 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0a5c ProdID=21e6 Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM20702A0
      S:  SerialNumber=F82FA8E8CFC0
      C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Reported-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Tested-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4bd783a4
  7. 08 Apr, 2018 1 commit
    • Szymon Janc's avatar
      Bluetooth: Fix missing encryption refresh on Security Request · 3d3df56e
      Szymon Janc authored
      commit 64e759f58f128730b97a3c3a26d283c075ad7c86 upstream.
      
      If Security Request is received on connection that is already encrypted
      with sufficient security master should perform encryption key refresh
      procedure instead of just ignoring Slave Security Request
      (Core Spec 5.0 Vol 3 Part H 2.4.6).
      
      > ACL Data RX: Handle 3585 flags 0x02 dlen 6
            SMP: Security Request (0x0b) len 1
              Authentication requirement: Bonding, No MITM, SC, No Keypresses (0x09)
      < HCI Command: LE Start Encryption (0x08|0x0019) plen 28
              Handle: 3585
              Random number: 0x0000000000000000
              Encrypted diversifier: 0x0000
              Long term key: 44264272a5c426a9e868f034cf0e69f3
      > HCI Event: Command Status (0x0f) plen 4
            LE Start Encryption (0x08|0x0019) ncmd 1
              Status: Success (0x00)
      > HCI Event: Encryption Key Refresh Complete (0x30) plen 3
              Status: Success (0x00)
              Handle: 3585
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d3df56e
  8. 17 Jan, 2018 1 commit
    • Ben Seri's avatar
      Bluetooth: Prevent stack info leak from the EFS element. · 0ae86454
      Ben Seri authored
      commit 06e7e776 upstream.
      
      In the function l2cap_parse_conf_rsp and in the function
      l2cap_parse_conf_req the following variable is declared without
      initialization:
      
      struct l2cap_conf_efs efs;
      
      In addition, when parsing input configuration parameters in both of
      these functions, the switch case for handling EFS elements may skip the
      memcpy call that will write to the efs variable:
      
      ...
      case L2CAP_CONF_EFS:
      if (olen == sizeof(efs))
      memcpy(&efs, (void *)val, olen);
      ...
      
      The olen in the above if is attacker controlled, and regardless of that
      if, in both of these functions the efs variable would eventually be
      added to the outgoing configuration request that is being built:
      
      l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
      
      So by sending a configuration request, or response, that contains an
      L2CAP_CONF_EFS element, but with an element length that is not
      sizeof(efs) - the memcpy to the uninitialized efs variable can be
      avoided, and the uninitialized variable would be returned to the
      attacker (16 bytes).
      
      This issue has been assigned CVE-2017-1000410
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: default avatarBen Seri <ben@armis.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ae86454
  9. 13 Sep, 2017 1 commit
  10. 30 Aug, 2017 3 commits
  11. 27 Jul, 2017 1 commit
  12. 20 May, 2017 1 commit
  13. 20 Aug, 2016 1 commit
  14. 12 Apr, 2016 1 commit
  15. 03 Mar, 2016 4 commits
  16. 15 Dec, 2015 1 commit
  17. 01 Dec, 2015 1 commit
    • Eric Dumazet's avatar
      net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA · 9cd3e072
      Eric Dumazet authored
      This patch is a cleanup to make following patch easier to
      review.
      
      Goal is to move SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA
      from (struct socket)->flags to a (struct socket_wq)->flags
      to benefit from RCU protection in sock_wake_async()
      
      To ease backports, we rename both constants.
      
      Two new helpers, sk_set_bit(int nr, struct sock *sk)
      and sk_clear_bit(int net, struct sock *sk) are added so that
      following patch can change their implementation.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9cd3e072
  18. 11 Nov, 2015 1 commit
    • Johan Hedberg's avatar
      Bluetooth: Fix l2cap_chan leak in SMP · 7883746b
      Johan Hedberg authored
      The L2CAP core expects channel implementations to manage the reference
      returned by the new_connection callback. With sockets this is already
      handled with each channel being tied to the corresponding socket. With
      SMP however there's no context to tie the pointer to in the
      smp_new_conn_cb function. The function can also not just drop the
      reference since it's the only one at that point.
      
      For fixed channels (like SMP) the code path inside the L2CAP core from
      new_connection() to ready() is short and straight-forwards. The
      crucial difference is that in ready() the implementation has access to
      the l2cap_conn that SMP needs associate its l2cap_chan. Instead of
      taking a new reference in smp_ready_cb() we can simply assume to
      already own the reference created in smp_new_conn_cb(), i.e. there is
      no need to call l2cap_chan_hold().
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org # 3.19+
      7883746b
  19. 05 Nov, 2015 4 commits
  20. 27 Oct, 2015 2 commits
    • Alexander Aring's avatar
      bluetooth: 6lowpan: fix NOHZ: local_softirq_pending · 324e786e
      Alexander Aring authored
      Jukka reported about the following warning:
      
      "NOHZ: local_softirq_pending 08"
      
      I remember this warning and we had a similar issue when using workqueues
      and calling netif_rx. See commit 5ff3fec6 ("mac802154: fix NOHZ
      local_softirq_pending 08 warning").
      
      This warning occurs when calling "netif_rx" inside the wrong context
      (non softirq context). The net core api offers "netif_rx_ni" to call
      netif_rx inside the correct softirq context.
      Reported-by: default avatarJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: default avatarAlexander Aring <alex.aring@gmail.com>
      Acked-by: default avatarJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      324e786e
    • Kuba Pawlak's avatar
      Bluetooth: Fix crash on fast disconnect of SCO · 2c501cdd
      Kuba Pawlak authored
      Fix a crash that may happen when a connection is closed before it was fully
      established. Mapping conn->hcon was released by shutdown function, but it
      is still referenced in (not yet finished) connection established handling
      function.
      
      [ 4635.254073] BUG: unable to handle kernel NULL pointer dereference at 00000013
      [ 4635.262058] IP: [<c11659f0>] memcmp+0xe/0x25
      [ 4635.266835] *pdpt = 0000000024190001 *pde = 0000000000000000
      [ 4635.273261] Oops: 0000 [#1] PREEMPT SMP
      [ 4635.277652] Modules linked in: evdev ecb vfat fat libcomposite usb2380 isofs zlib_inflate rfcomm(O) udc_core bnep(O) btusb(O) btbcm(O) btintel(O) bluetooth(O) cdc_acm arc4 uinput hid_mule
      [ 4635.321761] Pid: 363, comm: kworker/u:2H Tainted: G           O 3.8.0-119.1-plk-adaptation-byt-ivi-brd #1
      [ 4635.332642] EIP: 0060:[<c11659f0>] EFLAGS: 00010206 CPU: 0
      [ 4635.338767] EIP is at memcmp+0xe/0x25
      [ 4635.342852] EAX: e4720678 EBX: 00000000 ECX: 00000006 EDX: 00000013
      [ 4635.349849] ESI: 00000000 EDI: fb85366c EBP: e40c7dc0 ESP: e40c7db4
      [ 4635.356846]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [ 4635.362873] CR0: 8005003b CR2: 00000013 CR3: 24191000 CR4: 001007f0
      [ 4635.369869] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [ 4635.376865] DR6: ffff0ff0 DR7: 00000400
      [ 4635.381143] Process kworker/u:2H (pid: 363, ti=e40c6000 task=e40c5510 task.ti=e40c6000)
      [ 4635.390080] Stack:
      [ 4635.392319]  e4720400 00000000 fb85366c e40c7df4 fb842285 e40c7de2 fb853200 00000013
      [ 4635.401003]  e3f101c4 e4720678 e3f101c0 e403be0a e40c7dfc e416a000 e403be0a fb85366c
      [ 4635.409692]  e40c7e1c fb820186 020f6c00 e47c49ac e47c4008 00000000 e416a000 e47c402c
      [ 4635.418380] Call Trace:
      [ 4635.421153]  [<fb842285>] sco_connect_cfm+0xff/0x236 [bluetooth]
      [ 4635.427893]  [<fb820186>] hci_sync_conn_complete_evt.clone.101+0x227/0x268 [bluetooth]
      [ 4635.436758]  [<fb82370f>] hci_event_packet+0x1caa/0x21d3 [bluetooth]
      [ 4635.443859]  [<c106231f>] ? trace_hardirqs_on+0xb/0xd
      [ 4635.449502]  [<c1375b8a>] ? _raw_spin_unlock_irqrestore+0x42/0x59
      [ 4635.456340]  [<fb814b67>] hci_rx_work+0xb9/0x350 [bluetooth]
      [ 4635.462663]  [<c1039f1e>] ? process_one_work+0x17b/0x2e6
      [ 4635.468596]  [<c1039f77>] process_one_work+0x1d4/0x2e6
      [ 4635.474333]  [<c1039f1e>] ? process_one_work+0x17b/0x2e6
      [ 4635.480294]  [<fb814aae>] ? hci_cmd_work+0xda/0xda [bluetooth]
      [ 4635.486810]  [<c103a3fa>] worker_thread+0x171/0x20f
      [ 4635.492257]  [<c10456c5>] ? complete+0x34/0x3e
      [ 4635.497219]  [<c103ea06>] kthread+0x90/0x95
      [ 4635.501888]  [<c103a289>] ? manage_workers+0x1df/0x1df
      [ 4635.507628]  [<c1376537>] ret_from_kernel_thread+0x1b/0x28
      [ 4635.513755]  [<c103e976>] ? __init_kthread_worker+0x42/0x42
      [ 4635.519975] Code: 74 0d 3c 79 74 04 3c 59 75 0c c6 02 01 eb 03 c6 02 00 31 c0 eb 05 b8 ea ff ff ff 5d c3 55 89 e5 57 56 53 31 db eb 0e 0f b6 34 18 <0f> b6 3c 1a 43 29 fe 75 07 49 85 c9 7f
      [ 4635.541264] EIP: [<c11659f0>] memcmp+0xe/0x25 SS:ESP 0068:e40c7db4
      [ 4635.548166] CR2: 0000000000000013
      [ 4635.552177] ---[ end trace e05ce9b8ce6182f6 ]---
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      2c501cdd
  21. 26 Oct, 2015 4 commits
  22. 25 Oct, 2015 3 commits
    • Kuba Pawlak's avatar
      Bluetooth: Fix locking issue during fast SCO reconnection. · 1da5537e
      Kuba Pawlak authored
      When SCO connection is requested and disconnected fast, there is a change
      that sco_sock_shutdown is going to preempt thread started in sco_connect_cfm.
      When this happens struct sock sk may be removed but a pointer to it is still
      held in sco_conn_ready, where embedded spinlock is used. If it is used, but
      struct sock has been removed, it will crash.
      
      Block connection object, which will prevent struct sock from being removed
      and give connection process chance to finish.
      
      BUG: spinlock bad magic on CPU#0, kworker/u:2H/319
       lock: 0xe3e99434, .magic: f3000000, .owner: (���/0, .owner_cpu: -203804160
      Pid: 319, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      Call Trace:
       [<c1155659>] ? do_raw_spin_lock+0x19/0xe9
       [<fb75354f>] ? sco_connect_cfm+0x92/0x236 [bluetooth]
       [<fb731dbc>] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
       [<fb734ee7>] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
       [<c1041095>] ? finish_task_switch+0x50/0x89
       [<c1349a2e>] ? __schedule+0x638/0x6b8
       [<fb727918>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
       [<c103760a>] ? queue_delayed_work_on+0x21/0x2a
       [<c1035df9>] ? process_one_work+0x157/0x21b
       [<fb72785f>] ? hci_cmd_work+0xef/0xef [bluetooth]
       [<c1036217>] ? worker_thread+0x16e/0x20a
       [<c10360a9>] ? manage_workers+0x1cf/0x1cf
       [<c103a0ef>] ? kthread+0x8d/0x92
       [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
       [<c103a062>] ? __init_kthread_worker+0x24/0x24
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<  (null)>]   (null)
      *pdpt = 00000000244e1001 *pde = 0000000000000000
      Oops: 0010 [#1] PREEMPT SMP
      Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid hid iwlmvm(O)e
      Pid: 319, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0
      EIP is at 0x0
      EAX: e3e99400 EBX: e3e99400 ECX: 00000100 EDX: 00000000
      ESI: e3e99434 EDI: fb763ce0 EBP: e49b9e44 ESP: e49b9e14
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      CR0: 8005003b CR2: 00000000 CR3: 24444000 CR4: 001007f0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process kworker/u:2H (pid: 319, ti=e49b8000 task=e4ab9030 task.ti=e49b8000)
      Stack:
       fb75355b 00000246 fb763900 22222222 22222222 22222222 e3f94460 e3ca7c0a
       e49b9e4c e3f34c00 e3ca7c0a fb763ce0 e49b9e6c fb731dbc 02000246 e4cec85c
       e4cec008 00000000 e3f34c00 e4cec000 e3c2ce00 0000002c e49b9ed0 fb734ee7
      Call Trace:
       [<fb75355b>] ? sco_connect_cfm+0x9e/0x236 [bluetooth]
       [<fb731dbc>] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
       [<fb734ee7>] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
       [<c1041095>] ? finish_task_switch+0x50/0x89
       [<c1349a2e>] ? __schedule+0x638/0x6b8
       [<fb727918>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
       [<c103760a>] ? queue_delayed_work_on+0x21/0x2a
       [<c1035df9>] ? process_one_work+0x157/0x21b
       [<fb72785f>] ? hci_cmd_work+0xef/0xef [bluetooth]
       [<c1036217>] ? worker_thread+0x16e/0x20a
       [<c10360a9>] ? manage_workers+0x1cf/0x1cf
       [<c103a0ef>] ? kthread+0x8d/0x92
       [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
       [<c103a062>] ? __init_kthread_worker+0x24/0x24
      Code:  Bad EIP value.
      EIP: [<00000000>] 0x0 SS:ESP 0068:e49b9e14
      CR2: 0000000000000000
      ---[ end trace 942a6577c0abd725 ]---
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      1da5537e
    • Kuba Pawlak's avatar
      Bluetooth: Fix locking issue on SCO disconnection · 435c5133
      Kuba Pawlak authored
      Thread handling SCO disconnection may get preempted in '__sco_sock_close'
      after dropping a reference to hci_conn but before marking this as NULL
      in associated struct sco_conn. When execution returs to this thread,
      this connection will possibly be released, resulting in kernel crash
      
      Lock connection before this point.
      
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<fb770ab9>] __sco_sock_close+0x194/0x1ff [bluetooth]
      *pdpt = 0000000023da6001 *pde = 0000000000000000
      Oops: 0002 [#1] PREEMPT SMP
      Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid iwlmvm(O) hide
      Pid: 984, comm: bluetooth Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      EIP: 0060:[<fb770ab9>] EFLAGS: 00010282 CPU: 2
      EIP is at __sco_sock_close+0x194/0x1ff [bluetooth]
      EAX: 00000000 EBX: e49d7600 ECX: ef1ec3c2 EDX: 000000c3
      ESI: e4c12000 EDI: 00000000 EBP: ef1edf5c ESP: ef1edf4c
       DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      CR0: 80050033 CR2: 00000000 CR3: 23da7000 CR4: 001007f0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process bluetooth (pid: 984, ti=ef1ec000 task=e47f2550 task.ti=ef1ec000)
      Stack:
       e4c120d0 e49d7600 00000000 08421a40 ef1edf70 fb770b7a 00000002 e8a4cc80
       08421a40 ef1ec000 c12966b1 00000001 00000000 0000000b 084954c8 c1296b6c
       0000001b 00000002 0000001b 00000002 00000000 00000002 b2524880 00000046
      Call Trace:
       [<fb770b7a>] ? sco_sock_shutdown+0x56/0x95 [bluetooth]
       [<c12966b1>] ? sys_shutdown+0x37/0x53
       [<c1296b6c>] ? sys_socketcall+0x12e/0x1be
       [<c134ae7e>] ? sysenter_do_call+0x12/0x26
       [<c1340000>] ? ip_vs_control_net_cleanup+0x46/0xb1
      Code: e8 90 6b 8c c5 f6 05 72 5d 78 fb 04 74 17 8b 46 08 50 56 68 0a fd 77 fb 68 60 5d 78 fb e8 68 95 9e c5 83 c4 10 8b 83 fc 01 00 00 <c7> 00 00 00 00 00 eb 32 ba 68 00 00 0b
      EIP: [<fb770ab9>] __sco_sock_close+0x194/0x1ff [bluetooth] SS:ESP 0068:ef1edf4c
      CR2: 0000000000000000
      ---[ end trace 47fa2f55a9544e69 ]---
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      435c5133
    • Kuba Pawlak's avatar
      Bluetooth: Fix crash on SCO disconnect · 75e34f5c
      Kuba Pawlak authored
      When disconnecting audio from the phone's side, it may happen, that
      a thread handling HCI message 'disconnection complete' will get preempted
      in 'sco_conn_del' before calling 'sco_sock_kill', still holding a pointer
      to struct sock sk. Interrupting thread started in 'sco_sock_shutdown' will
      carry on releasing resources and will eventually release struct sock.
      When execution goes back to first thread it will call sco_sock_kill using
      now invalid pointer to already destroyed socket.
      
      Fix is to grab a reference to the socket a release it after calling
      'sco_sock_kill'.
      
      [  166.358213] BUG: unable to handle kernel paging request at 7541203a
      [  166.365228] IP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth]
      [  166.372068] *pdpt = 0000000024b19001 *pde = 0000000000000000
      [  166.378483] Oops: 0002 [#1] PREEMPT SMP
      [  166.382871] Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) btintel(O) cdc_acm bluetooth(O) arc4 uinput hid_multitouch iwlmvm(O) usbhid hide
      [  166.424233] Pid: 338, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      [  166.435112] EIP: 0060:[<fb6e8bfb>] EFLAGS: 00010206 CPU: 0
      [  166.441259] EIP is at bt_sock_unlink+0x1a/0x38 [bluetooth]
      [  166.447382] EAX: 632e6563 EBX: e4bfc600 ECX: e466d4d3 EDX: 7541203a
      [  166.454369] ESI: fb7278ac EDI: e4d52000 EBP: e4669e20 ESP: e4669e0c
      [  166.461366]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [  166.467391] CR0: 8005003b CR2: 7541203a CR3: 24aba000 CR4: 001007f0
      [  166.474387] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [  166.481375] DR6: ffff0ff0 DR7: 00000400
      [  166.485654] Process kworker/u:2H (pid: 338, ti=e4668000 task=e466e030 task.ti=e4668000)
      [  166.494591] Stack:
      [  166.496830]  e4bfc600 e4bfc600 fb715c28 e4717ee0 e4d52000 e4669e3c fb715cf3 e4bfc634
      [  166.505518]  00000068 e4d52000 e4c32000 fb7277c0 e4669e6c fb6f2019 0000004a 00000216
      [  166.514205]  e4660101 e4c32008 02000001 00000013 e4d52000 e4c32000 e3dc9240 00000005
      [  166.522891] Call Trace:
      [  166.525654]  [<fb715c28>] ? sco_sock_kill+0x73/0x9a [bluetooth]
      [  166.532295]  [<fb715cf3>] ? sco_conn_del+0xa4/0xbf [bluetooth]
      [  166.538836]  [<fb6f2019>] ? hci_disconn_complete_evt.clone.55+0x1bd/0x205 [bluetooth]
      [  166.547609]  [<fb6f73d3>] ? hci_event_packet+0x297/0x223c [bluetooth]
      [  166.554805]  [<c10416da>] ? dequeue_task+0xaf/0xb7
      [  166.560154]  [<c1041095>] ? finish_task_switch+0x50/0x89
      [  166.566086]  [<c1349a2e>] ? __schedule+0x638/0x6b8
      [  166.571460]  [<fb6eb906>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
      [  166.577975]  [<c1035df9>] ? process_one_work+0x157/0x21b
      [  166.583933]  [<fb6eb84d>] ? hci_cmd_work+0xef/0xef [bluetooth]
      [  166.590448]  [<c1036217>] ? worker_thread+0x16e/0x20a
      [  166.596088]  [<c10360a9>] ? manage_workers+0x1cf/0x1cf
      [  166.601826]  [<c103a0ef>] ? kthread+0x8d/0x92
      [  166.606691]  [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
      [  166.613010]  [<c103a062>] ? __init_kthread_worker+0x24/0x24
      [  166.619230] Code: 85 63 ff ff ff 31 db 8d 65 f4 89 d8 5b 5e 5f 5d c3 56 8d 70 04 53 89 f0 89 d3 e8 7e 17 c6 c5 8b 53 28 85 d2 74 1a 8b 43 24 85 c0 <89> 02 74 03 89 50 04 c7 43 28 00 00 00
      [  166.640501] EIP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth] SS:ESP 0068:e4669e0c
      [  166.649474] CR2: 000000007541203a
      [  166.653420] ---[ end trace 0181ff2c9e42d51e ]---
      [  166.658609] note: kworker/u:2H[338] exited with preempt_count 1
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      75e34f5c
  23. 22 Oct, 2015 4 commits