Patch "Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 15 Dec 2024 11:59:35 -0500

This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_event-fix-using-rcu_read_-un-lock-whil.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e7276e1b9bf1cebb74670c1dfe47286e33147e82
Author: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date:   Wed Dec 4 11:40:59 2024 -0500

    Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating
    
    [ Upstream commit 581dd2dc168fe0ed2a7a5534a724f0d3751c93ae ]
    
    The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is
    not safe since for the most part entries fetched this way shall be
    treated as rcu_dereference:
    
            Note that the value returned by rcu_dereference() is valid
            only within the enclosing RCU read-side critical section [1]_.
            For example, the following is **not** legal::
    
                    rcu_read_lock();
                    p = rcu_dereference(head.next);
                    rcu_read_unlock();
                    x = p->address; /* BUG!!! */
                    rcu_read_lock();
                    y = p->data;    /* BUG!!! */
                    rcu_read_unlock();
    
    Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 141b4fce55e3..01e51e1dc9b3 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6821,38 +6821,27 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
 		return;
 
 	hci_dev_lock(hdev);
-	rcu_read_lock();
 
 	/* Connect all BISes that are bound to the BIG */
-	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
-		if (bacmp(&conn->dst, BDADDR_ANY) ||
-		    conn->type != ISO_LINK ||
-		    conn->iso_qos.bcast.big != ev->handle)
+	while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle,
+						      BT_BOUND))) {
+		if (ev->status) {
+			hci_connect_cfm(conn, ev->status);
+			hci_conn_del(conn);
 			continue;
+		}
 
 		if (hci_conn_set_handle(conn,
 					__le16_to_cpu(ev->bis_handle[i++])))
 			continue;
 
-		if (!ev->status) {
-			conn->state = BT_CONNECTED;
-			set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
-			rcu_read_unlock();
-			hci_debugfs_create_conn(conn);
-			hci_conn_add_sysfs(conn);
-			hci_iso_setup_path(conn);
-			rcu_read_lock();
-			continue;
-		}
-
-		hci_connect_cfm(conn, ev->status);
-		rcu_read_unlock();
-		hci_conn_del(conn);
-		rcu_read_lock();
+		conn->state = BT_CONNECTED;
+		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
+		hci_debugfs_create_conn(conn);
+		hci_conn_add_sysfs(conn);
+		hci_iso_setup_path(conn);
 	}
 
-	rcu_read_unlock();
-
 	if (!ev->status && !i)
 		/* If no BISes have been connected for the BIG,
 		 * terminate. This is in case all bound connections







