8ce783dc5e
The hci_conn objects don't have a dedicated lock themselves but rely on the caller to hold the hci_dev lock for most types of access. The hci_conn_timeout() function has so far sent certain HCI commands based on the hci_conn state which has been possible without holding the hci_dev lock. The recent changes to do LE scanning before connect attempts added even more operations to hci_conn and hci_dev from hci_conn_timeout, thereby exposing potential race conditions with the hci_dev and hci_conn states. As an example of such a race, here there's a timeout but an l2cap_sock_connect() call manages to race with the cleanup routine: [Oct21 08:14] l2cap_chan_timeout: chan ee4b12c0 state BT_CONNECT [ +0.000004] l2cap_chan_close: chan ee4b12c0 state BT_CONNECT [ +0.000002] l2cap_chan_del: chan ee4b12c0, conn f3141580, err 111, state BT_CONNECT [ +0.000002] l2cap_sock_teardown_cb: chan ee4b12c0 state BT_CONNECT [ +0.000005] l2cap_chan_put: chan ee4b12c0 orig refcnt 4 [ +0.000010] hci_conn_drop: hcon f53d56e0 orig refcnt 1 [ +0.000013] l2cap_chan_put: chan ee4b12c0 orig refcnt 3 [ +0.000063] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT [ +0.000049] hci_conn_params_del: addr ee:0d:30:09:53:1f (type 1) [ +0.000002] hci_chan_list_flush: hcon f53d56e0 [ +0.000001] hci_chan_del: hci0 hcon f53d56e0 chan f4e7ccc0 [ +0.004528] l2cap_sock_create: sock e708fc00 [ +0.000023] l2cap_chan_create: chan ee4b1770 [ +0.000001] l2cap_chan_hold: chan ee4b1770 orig refcnt 1 [ +0.000002] l2cap_sock_init: sk ee4b3390 [ +0.000029] l2cap_sock_bind: sk ee4b3390 [ +0.000010] l2cap_sock_setsockopt: sk ee4b3390 [ +0.000037] l2cap_sock_connect: sk ee4b3390 [ +0.000002] l2cap_chan_connect: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f (type 2) psm 0x00 [ +0.000002] hci_get_route: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f [ +0.000001] hci_dev_hold: hci0 orig refcnt 8 [ +0.000003] hci_conn_hold: hcon f53d56e0 orig refcnt 0 Above the l2cap_chan_connect() shouldn't have been able to reach the hci_conn f53d56e0 anymore but since hci_conn_timeout didn't do proper locking that's not the case. The end result is a reference to hci_conn that's not in the conn_hash list, resulting in list corruption when trying to remove it later: [Oct21 08:15] l2cap_chan_timeout: chan ee4b1770 state BT_CONNECT [ +0.000004] l2cap_chan_close: chan ee4b1770 state BT_CONNECT [ +0.000003] l2cap_chan_del: chan ee4b1770, conn f3141580, err 111, state BT_CONNECT [ +0.000001] l2cap_sock_teardown_cb: chan ee4b1770 state BT_CONNECT [ +0.000005] l2cap_chan_put: chan ee4b1770 orig refcnt 4 [ +0.000002] hci_conn_drop: hcon f53d56e0 orig refcnt 1 [ +0.000015] l2cap_chan_put: chan ee4b1770 orig refcnt 3 [ +0.000038] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT [ +0.000003] hci_chan_list_flush: hcon f53d56e0 [ +0.000002] hci_conn_hash_del: hci0 hcon f53d56e0 [ +0.000001] ------------[ cut here ]------------ [ +0.000461] WARNING: CPU: 0 PID: 1782 at lib/list_debug.c:56 __list_del_entry+0x3f/0x71() [ +0.000839] list_del corruption, f53d56e0->prev is LIST_POISON2 (00000200) The necessary fix is unfortunately more complicated than just adding hci_dev_lock/unlock calls to the hci_conn_timeout() call path. Particularly, the hci_conn_del() API, which expects the hci_dev lock to be held, performs a cancel_delayed_work_sync(&hcon->disc_work) which would lead to a deadlock if the hci_conn_timeout() call path tries to acquire the same lock. This patch solves the problem by deferring the cleanup work to a separate work callback. To protect against the hci_dev or hci_conn going away meanwhile temporary references are taken with the help of hci_dev_hold() and hci_conn_get(). Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org # 4.3 |
||
---|---|---|
.. | ||
9p | ||
bluetooth | ||
caif | ||
irda | ||
iucv | ||
netfilter | ||
netns | ||
nfc | ||
phonet | ||
sctp | ||
tc_act | ||
6lowpan.h | ||
act_api.h | ||
addrconf.h | ||
af_ieee802154.h | ||
af_rxrpc.h | ||
af_unix.h | ||
af_vsock.h | ||
ah.h | ||
arp.h | ||
atmclip.h | ||
ax25.h | ||
ax88796.h | ||
bond_3ad.h | ||
bond_alb.h | ||
bond_options.h | ||
bonding.h | ||
busy_poll.h | ||
cfg80211-wext.h | ||
cfg80211.h | ||
cfg802154.h | ||
checksum.h | ||
cipso_ipv4.h | ||
cls_cgroup.h | ||
codel.h | ||
compat.h | ||
datalink.h | ||
dcbevent.h | ||
dcbnl.h | ||
dn.h | ||
dn_dev.h | ||
dn_fib.h | ||
dn_neigh.h | ||
dn_nsp.h | ||
dn_route.h | ||
dsa.h | ||
dsfield.h | ||
dst.h | ||
dst_metadata.h | ||
dst_ops.h | ||
esp.h | ||
ethoc.h | ||
fib_rules.h | ||
firewire.h | ||
flow.h | ||
flow_dissector.h | ||
flowcache.h | ||
fou.h | ||
garp.h | ||
gen_stats.h | ||
genetlink.h | ||
geneve.h | ||
gre.h | ||
gro_cells.h | ||
gue.h | ||
icmp.h | ||
ieee80211_radiotap.h | ||
ieee802154_netdev.h | ||
if_inet6.h | ||
inet6_connection_sock.h | ||
inet6_hashtables.h | ||
inet_common.h | ||
inet_connection_sock.h | ||
inet_ecn.h | ||
inet_frag.h | ||
inet_hashtables.h | ||
inet_sock.h | ||
inet_timewait_sock.h | ||
inetpeer.h | ||
ip.h | ||
ip6_checksum.h | ||
ip6_fib.h | ||
ip6_route.h | ||
ip6_tunnel.h | ||
ip_fib.h | ||
ip_tunnels.h | ||
ip_vs.h | ||
ipcomp.h | ||
ipconfig.h | ||
ipv6.h | ||
ipx.h | ||
iw_handler.h | ||
l3mdev.h | ||
lapb.h | ||
lib80211.h | ||
llc.h | ||
llc_c_ac.h | ||
llc_c_ev.h | ||
llc_c_st.h | ||
llc_conn.h | ||
llc_if.h | ||
llc_pdu.h | ||
llc_s_ac.h | ||
llc_s_ev.h | ||
llc_s_st.h | ||
llc_sap.h | ||
lwtunnel.h | ||
mac80211.h | ||
mac802154.h | ||
mip6.h | ||
mld.h | ||
mpls.h | ||
mpls_iptunnel.h | ||
mrp.h | ||
ndisc.h | ||
neighbour.h | ||
net_namespace.h | ||
net_ratelimit.h | ||
netevent.h | ||
netlabel.h | ||
netlink.h | ||
netprio_cgroup.h | ||
netrom.h | ||
nexthop.h | ||
nl802154.h | ||
p8022.h | ||
ping.h | ||
pkt_cls.h | ||
pkt_sched.h | ||
protocol.h | ||
psnap.h | ||
raw.h | ||
rawv6.h | ||
red.h | ||
regulatory.h | ||
request_sock.h | ||
rose.h | ||
route.h | ||
rtnetlink.h | ||
sch_generic.h | ||
scm.h | ||
secure_seq.h | ||
slhc_vj.h | ||
snmp.h | ||
sock.h | ||
Space.h | ||
stp.h | ||
switchdev.h | ||
tcp.h | ||
tcp_memcontrol.h | ||
tcp_states.h | ||
timewait_sock.h | ||
transp_v6.h | ||
tso.h | ||
udp.h | ||
udp_tunnel.h | ||
udplite.h | ||
vsock_addr.h | ||
vxlan.h | ||
wext.h | ||
wimax.h | ||
x25.h | ||
x25device.h | ||
xfrm.h |