Re: [PATCH] Bluetooth: L2CAP: fix an illegal state transition from BT_DISCONN

[Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>]

Hi Kim,

On Mon, Sep 26, 2022 at 3:06 PM Sungwoo Kim <iam@xxxxxxxxxxxx> wrote:
>
> Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx>
> ---
>  net/bluetooth/l2cap_core.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 2c9de67da..029de9f35 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4294,13 +4294,13 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
>         mutex_lock(&conn->chan_lock);
>
>         if (scid) {
> -               chan = __l2cap_get_chan_by_scid(conn, scid);
> +               chan = l2cap_get_chan_by_scid(conn, scid);
>                 if (!chan) {
>                         err = -EBADSLT;
>                         goto unlock;
>                 }
>         } else {
> -               chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
> +               chan = l2cap_get_chan_by_ident(conn, cmd->ident);
>                 if (!chan) {
>                         err = -EBADSLT;
>                         goto unlock;
> @@ -4336,6 +4336,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
>         }
>
>         l2cap_chan_unlock(chan);
> +       l2cap_chan_put(chan);
>
>  unlock:
>         mutex_unlock(&conn->chan_lock);
> --
> 2.25.1

Not quite right, we cannot lock conn->chan_lock since the likes of
l2cap_get_chan_by_scid will also attempt to lock it:

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 770891f68703..4726d8979276 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4293,26 +4293,18 @@ static int l2cap_connect_create_rsp(struct
l2cap_conn *conn,
        BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
               dcid, scid, result, status);

-       mutex_lock(&conn->chan_lock);
-
        if (scid) {
-               chan = __l2cap_get_chan_by_scid(conn, scid);
-               if (!chan) {
-                       err = -EBADSLT;
-                       goto unlock;
-               }
+               chan = l2cap_get_chan_by_scid(conn, scid);
+               if (!chan)
+                       return -EBADSLT;
        } else {
-               chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
-               if (!chan) {
-                       err = -EBADSLT;
-                       goto unlock;
-               }
+               chan = l2cap_get_chan_by_ident(conn, cmd->ident);
+               if (!chan)
+                       return -EBADSLT;
        }

        err = 0;

-       l2cap_chan_lock(chan);
-
        switch (result) {
        case L2CAP_CR_SUCCESS:
                l2cap_state_change(chan, BT_CONFIG);
@@ -4338,9 +4330,7 @@ static int l2cap_connect_create_rsp(struct
l2cap_conn *conn,
        }

        l2cap_chan_unlock(chan);
-
-unlock:
-       mutex_unlock(&conn->chan_lock);
+       l2cap_chan_put(chan);

        return err;
 }


-- 
Luiz Augusto von Dentz