Hi Matias, On Wed, Sep 26, 2018, Matias Karhumaa wrote: > In case unpair_device() was called through mgmt interface at the same time > when pairing was in progress, Bluetooth kernel module crash was seen. > > [ 600.351225] general protection fault: 0000 [#1] SMP PTI > [ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1 > [ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017 > [ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] > [ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 > [ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 > [ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 > [ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 > [ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 > [ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 > [ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 > [ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 > [ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 > [ 600.351302] Call Trace: > [ 600.351325] smp_failure+0x4f/0x70 [bluetooth] > [ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth] > [ 600.351370] unpair_device+0x1c1/0x330 [bluetooth] > [ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth] > [ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20 > [ 600.351417] sock_sendmsg+0x3e/0x50 > [ 600.351422] sock_write_iter+0x85/0xf0 > [ 600.351429] do_iter_readv_writev+0x12b/0x1b0 > [ 600.351434] do_iter_write+0x87/0x1a0 > [ 600.351439] vfs_writev+0x98/0x110 > [ 600.351443] ? ep_poll+0x16d/0x3d0 > [ 600.351447] ? ep_modify+0x73/0x170 > [ 600.351451] do_writev+0x61/0xf0 > [ 600.351455] ? do_writev+0x61/0xf0 > [ 600.351460] __x64_sys_writev+0x1c/0x20 > [ 600.351465] do_syscall_64+0x5a/0x110 > [ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [ 600.351474] RIP: 0033:0x7fb2bdb62fe0 > [ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24 > [ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 > [ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0 > [ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004 > [ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000 > [ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001 > [ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000 > [ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap > [ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi > [ 600.351637] ---[ end trace e49e9f1df09c94fb ]--- > [ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] > [ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 > [ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 > [ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 > [ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 > [ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 > [ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 > [ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 > [ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 > [ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 > > Crash happened because list_del_rcu() was called twice for smp->ltk. This > was possible if unpair_device was called right after ltk was generated > but before keys were distributed. > > In this commit smp_cancel_pairing was refactored to cancel pairing if it > is in progress and otherwise just removes keys. Once keys are removed from > rcu list, pointers to smp context's keys are set to NULL to make sure > removed list items are not accessed later. > > This commit also adjusts the functionality of mgmt unpair_device() little > bit. Previously pairing was canceled only if pairing was in state that > keys were already generated. With this commit unpair_device() cancels > pairing already in earlier states. > > Bug was found by fuzzing kernel SMP implementation using Synopsys > Defensics. > > Reported-by: Pekka Oikarainen <pekka.oikarainen@xxxxxxxxxxxx> > Signed-off-by: Matias Karhumaa <matias.karhumaa@xxxxxxxxx> > --- > net/bluetooth/mgmt.c | 7 ++----- > net/bluetooth/smp.c | 29 +++++++++++++++++++++++++---- > net/bluetooth/smp.h | 3 ++- > 3 files changed, 29 insertions(+), 10 deletions(-) Thanks. The patch has been applied to the Bluetooth stable tree. Johan
