linux-toradex.git/net/bluetooth/sco.c, branch v3.9.8

Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()

2013-04-07T20:28:01+00:00

If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
the flags, sco_sock_recvmsg() returns early with 0 without updating the
possibly set msg_namelen member. This, in turn, leads to a 128 byte
kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_recvmsg().

Cc: Marcel Holtmann 
Cc: Gustavo Padovan 
Cc: Johan Hedberg 
Signed-off-by: Mathias Krause 
Signed-off-by: David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

2013-03-18T19:17:11+00:00

Bluetooth: Fix not closing SCO sockets in the BT_CONNECT2 state

2013-03-14T16:14:21+00:00

With deferred setup for SCO, it is possible that userspace closes the
socket when it is in the BT_CONNECT2 state, after the Connect Request is
received but before the Accept Synchonous Connection is sent.

If this happens the following crash was observed, when the connection is
terminated:

[  +0.000003] hci_sync_conn_complete_evt: hci0 status 0x10
[  +0.000005] sco_connect_cfm: hcon ffff88003d1bd800 bdaddr 40:98:4e:32:d7:39 status 16
[  +0.000003] sco_conn_del: hcon ffff88003d1bd800 conn ffff88003cc8e300, err 110
[  +0.000015] BUG: unable to handle kernel NULL pointer dereference at 0000000000000199
[  +0.000906] IP: [] __lock_acquire+0xed/0xe82
[  +0.000000] PGD 3d21f067 PUD 3d291067 PMD 0
[  +0.000000] Oops: 0002 [#1] SMP
[  +0.000000] Modules linked in: rfcomm bnep btusb bluetooth
[  +0.000000] CPU 0
[  +0.000000] Pid: 1481, comm: kworker/u:2H Not tainted 3.9.0-rc1-25019-gad82cdd #1 Bochs Bochs
[  +0.000000] RIP: 0010:[]  [] __lock_acquire+0xed/0xe82
[  +0.000000] RSP: 0018:ffff88003c3c19d8  EFLAGS: 00010002
[  +0.000000] RAX: 0000000000000001 RBX: 0000000000000246 RCX: 0000000000000000
[  +0.000000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003d1be868
[  +0.000000] RBP: ffff88003c3c1a98 R08: 0000000000000002 R09: 0000000000000000
[  +0.000000] R10: ffff88003d1be868 R11: ffff88003e20b000 R12: 0000000000000002
[  +0.000000] R13: ffff88003aaa8000 R14: 000000000000006e R15: ffff88003d1be850
[  +0.000000] FS:  0000000000000000(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
[  +0.000000] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  +0.000000] CR2: 0000000000000199 CR3: 000000003c1cb000 CR4: 00000000000006b0
[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  +0.000000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  +0.000000] Process kworker/u:2H (pid: 1481, threadinfo ffff88003c3c0000, task ffff88003aaa8000)
[  +0.000000] Stack:
[  +0.000000]  ffffffff81b16342 0000000000000000 0000000000000000 ffff88003d1be868
[  +0.000000]  ffffffff00000000 00018c0c7863e367 000000003c3c1a28 ffffffff8101efbd
[  +0.000000]  0000000000000000 ffff88003e3d2400 ffff88003c3c1a38 ffffffff81007c7a
[  +0.000000] Call Trace:
[  +0.000000]  [] ? kvm_clock_read+0x34/0x3b
[  +0.000000]  [] ? paravirt_sched_clock+0x9/0xd
[  +0.000000]  [] ? sched_clock+0x9/0xb
[  +0.000000]  [] ? sched_clock_local+0x12/0x75
[  +0.000000]  [] lock_acquire+0x93/0xb1
[  +0.000000]  [] ? spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [] ? lock_release_holdtime.part.22+0x4e/0x55
[  +0.000000]  [] _raw_spin_lock+0x40/0x74
[  +0.000000]  [] ? spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [] ? _raw_spin_unlock+0x23/0x36
[  +0.000000]  [] spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [] sco_conn_del+0x76/0xbb [bluetooth]
[  +0.000000]  [] sco_connect_cfm+0x2da/0x2e9 [bluetooth]
[  +0.000000]  [] hci_proto_connect_cfm+0x38/0x65 [bluetooth]
[  +0.000000]  [] hci_sync_conn_complete_evt.isra.79+0x11a/0x13e [bluetooth]
[  +0.000000]  [] hci_event_packet+0x153b/0x239d [bluetooth]
[  +0.000000]  [] ? _raw_spin_unlock_irqrestore+0x48/0x5c
[  +0.000000]  [] hci_rx_work+0xf3/0x2e3 [bluetooth]
[  +0.000000]  [] process_one_work+0x1dc/0x30b
[  +0.000000]  [] ? process_one_work+0x172/0x30b
[  +0.000000]  [] ? spin_lock_irq+0x9/0xb
[  +0.000000]  [] worker_thread+0x123/0x1d2
[  +0.000000]  [] ? manage_workers+0x240/0x240
[  +0.000000]  [] kthread+0x9d/0xa5
[  +0.000000]  [] ? __kthread_parkme+0x60/0x60
[  +0.000000]  [] ret_from_fork+0x7c/0xb0
[  +0.000000]  [] ? __kthread_parkme+0x60/0x60
[  +0.000000] Code: d7 44 89 8d 50 ff ff ff 4c 89 95 58 ff ff ff e8 44 fc ff ff 44 8b 8d 50 ff ff ff 48 85 c0 4c 8b 95 58 ff ff ff 0f 84 7a 04 00 00  ff 80 98 01 00 00 83 3d 25 41 a7 00 00 45 8b b5 e8 05 00 00
[  +0.000000] RIP  [] __lock_acquire+0xed/0xe82
[  +0.000000]  RSP 
[  +0.000000] CR2: 0000000000000199
[  +0.000000] ---[ end trace e73cd3b52352dd34 ]---

Cc: stable@vger.kernel.org [3.8]
Signed-off-by: Vinicius Costa Gomes 
Tested-by: Frederic Dalleau 
Signed-off-by: Gustavo Padovan

hlist: drop the node parameter from iterators

2013-02-28T03:10:24+00:00

I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj->member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    <+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+>

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin 
Acked-by: Paul E. McKenney 
Signed-off-by: Sasha Levin 
Cc: Wu Fengguang 
Cc: Marcelo Tosatti 
Cc: Gleb Natapov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds

Bluetooth: Reduce critical section in sco_conn_ready

2013-02-01T17:50:18+00:00

This patch reduces the critical section protected by sco_conn_lock in
sco_conn_ready function. The lock is acquired only when it is really
needed.

This patch fixes the following lockdep warning which is generated
when the host terminates a SCO connection.

Today, this warning is a false positive. There is no way those
two threads reported by lockdep are running at the same time since
hdev->workqueue (where rx_work is queued) is single-thread. However,
if somehow this behavior is changed in future, we will have a
potential deadlock.

======================================================
[ INFO: possible circular locking dependency detected ]
3.8.0-rc1+ #7 Not tainted
-------------------------------------------------------
kworker/u:1H/1018 is trying to acquire lock:
 (&(&conn->lock)->rlock){+.+...}, at: [] sco_chan_del+0x66/0x190 [bluetooth]

but task is already holding lock:
 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}, at: [] sco_conn_del+0x8a/0xe0 [bluetooth]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}:
       [] lock_acquire+0xb1/0xe0
       [] _raw_spin_lock+0x41/0x80
       [] sco_connect_cfm+0xbe/0x350 [bluetooth]
       [] hci_event_packet+0xd3c/0x29b0 [bluetooth]
       [] hci_rx_work+0x133/0x870 [bluetooth]
       [] process_one_work+0x2bf/0x4f0
       [] worker_thread+0x2b2/0x3e0
       [] kthread+0xd1/0xe0
       [] ret_from_fork+0x7c/0xb0

-> #0 (&(&conn->lock)->rlock){+.+...}:
       [] __lock_acquire+0x1465/0x1c70
       [] lock_acquire+0xb1/0xe0
       [] _raw_spin_lock+0x41/0x80
       [] sco_chan_del+0x66/0x190 [bluetooth]
       [] sco_conn_del+0x9d/0xe0 [bluetooth]
       [] sco_disconn_cfm+0x53/0x60 [bluetooth]
       [] hci_disconn_complete_evt.isra.54+0x363/0x3c0 [bluetooth]
       [] hci_event_packet+0xc7/0x29b0 [bluetooth]
       [] hci_rx_work+0x133/0x870 [bluetooth]
       [] process_one_work+0x2bf/0x4f0
       [] worker_thread+0x2b2/0x3e0
       [] kthread+0xd1/0xe0
       [] ret_from_fork+0x7c/0xb0

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
                               lock(&(&conn->lock)->rlock);
                               lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
  lock(&(&conn->lock)->rlock);

 *** DEADLOCK ***

4 locks held by kworker/u:1H/1018:
 #0:  (hdev->name#2){.+.+.+}, at: [] process_one_work+0x258/0x4f0
 #1:  ((&hdev->rx_work)){+.+.+.}, at: [] process_one_work+0x258/0x4f0
 #2:  (&hdev->lock){+.+.+.}, at: [] hci_disconn_complete_evt.isra.54+0x59/0x3c0 [bluetooth]
 #3:  (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}, at: [] sco_conn_del+0x8a/0xe0 [bluetooth]

stack backtrace:
Pid: 1018, comm: kworker/u:1H Not tainted 3.8.0-rc1+ #7
Call Trace:
 [] print_circular_bug+0x1fb/0x20c
 [] __lock_acquire+0x1465/0x1c70
 [] lock_acquire+0xb1/0xe0
 [] ? sco_chan_del+0x66/0x190 [bluetooth]
 [] _raw_spin_lock+0x41/0x80
 [] ? sco_chan_del+0x66/0x190 [bluetooth]
 [] sco_chan_del+0x66/0x190 [bluetooth]
 [] sco_conn_del+0x9d/0xe0 [bluetooth]
 [] sco_disconn_cfm+0x53/0x60 [bluetooth]
 [] hci_disconn_complete_evt.isra.54+0x363/0x3c0 [bluetooth]
 [] ? hci_disconn_complete_evt.isra.54+0x40/0x3c0 [bluetooth]
 [] hci_event_packet+0xc7/0x29b0 [bluetooth]
 [] ? __dynamic_pr_debug+0x80/0x90
 [] ? kfree_skb+0x2d/0x40
 [] ? hci_send_to_monitor+0x1a4/0x1c0 [bluetooth]
 [] hci_rx_work+0x133/0x870 [bluetooth]
 [] ? process_one_work+0x258/0x4f0
 [] process_one_work+0x2bf/0x4f0
 [] ? process_one_work+0x258/0x4f0
 [] ? worker_thread+0x51/0x3e0
 [] ? hci_tx_work+0x800/0x800 [bluetooth]
 [] worker_thread+0x2b2/0x3e0
 [] ? busy_worker_rebind_fn+0x100/0x100
 [] kthread+0xd1/0xe0
 [] ? flush_kthread_worker+0xc0/0xc0
 [] ret_from_fork+0x7c/0xb0
 [] ? flush_kthread_worker+0xc0/0xc0

Signed-off-by: Andre Guedes 
Signed-off-by: Gustavo Padovan

Bluetooth: Check if the hci connection exists in SCO shutdown

2013-01-10T05:53:32+00:00

Checking only for sco_conn seems to not be enough and lead to NULL
dereferences in the code, check for hcon instead.

<1>[11340.226404] BUG: unable to handle kernel NULL pointer dereference at
0000000
8
<4>[11340.226619] EIP is at __sco_sock_close+0xe8/0x1a0
<4>[11340.226629] EAX: f063a740 EBX: 00000000 ECX: f58f4544 EDX: 00000000
<4>[11340.226640] ESI: dec83e00 EDI: 5f9a081f EBP: e0fdff38 ESP: e0fdff1c
<0>[11340.226674] Stack:
<4>[11340.226682]  c184db87 c1251028 dec83e00 e0fdff38 c1754aef dec83e00
00000000
e0fdff5c
<4>[11340.226718]  c184f587 e0fdff64 e0fdff68 5f9a081f e0fdff5c c1751852
d7813800
62262f10
<4>[11340.226752]  e0fdff70 c1753c00 00000000 00000001 0000000d e0fdffac
c175425c
00000041
<0>[11340.226793] Call Trace:
<4>[11340.226813]  [] ? sco_sock_clear_timer+0x27/0x60
<4>[11340.226831]  [] ? local_bh_enable+0x68/0xd0
<4>[11340.226846]  [] ? lock_sock_nested+0x4f/0x60
<4>[11340.226862]  [] sco_sock_shutdown+0x67/0xb0
<4>[11340.226879]  [] ? sockfd_lookup_light+0x22/0x80
<4>[11340.226897]  [] sys_shutdown+0x30/0x60
<4>[11340.226912]  [] sys_socketcall+0x1dc/0x2a0
<4>[11340.226929]  [] ? trace_hardirqs_on_thunk+0xc/0x10
<4>[11340.226944]  [] syscall_call+0x7/0xb
<4>[11340.226960]  [] ? restore_cur+0x5e/0xd7
<0>[11340.226969] Code:  ff 4b 08 0f 94 c0 84 c0 74 20 80 7b 19 01 74
2f b8 0a 00 00

Reported-by: Chuansheng Liu 
Signed-off-by: Gustavo Padovan

Revert "Bluetooth: Fix possible deadlock in SCO code"

2012-12-03T18:00:04+00:00

This reverts commit 269c4845d5b3627b95b1934107251bacbe99bb68.

The commit was causing dead locks and NULL dereferences in the sco code:

 [28084.104013] BUG: soft lockup - CPU#0 stuck for 22s! [kworker/u:0H:7]
 [28084.104021] Modules linked in: btusb bluetooth ] _raw_spin_lock+0xd/0x10
 [28084.104021]  [] sco_conn_del+0x58/0x1b0 [bluetooth]
 [28084.104021]  [] sco_connect_cfm+0xb9/0x2b0 [bluetooth]
 [28084.104021]  []
hci_sync_conn_complete_evt.isra.94+0x1c9/0x260 [bluetooth]
 [28084.104021]  [] hci_event_packet+0x74d/0x2b40 [bluetooth]
 [28084.104021]  [] ? __kfree_skb+0x3d/0x90
 [28084.104021]  [] ? kfree_skb+0x36/0x90
 [28084.104021]  [] ? hci_send_to_monitor+0x10e/0x190 [bluetooth]
 [28084.104021]  [] ? hci_send_to_monitor+0x10e/0x190 [bluetooth]

Cc: stable@vger.kernel.org
Reported-by: Chan-yeol Park 
Signed-off-by: Gustavo Padovan

Bluetooth: Implement deferred sco socket setup

2012-12-03T17:59:58+00:00

In order to authenticate and configure an incoming SCO connection, the
BT_DEFER_SETUP option was added. This option is intended to defer reply
to Connect Request on SCO sockets.
When a connection is requested, the listening socket is unblocked but
the effective connection setup happens only on first recv. Any send
between accept and recv fails with -ENOTCONN.

Signed-off-by: Frédéric Dalleau 
Signed-off-by: Gustavo Padovan

Bluetooth: Add BT_DEFER_SETUP option to sco socket

2012-12-03T17:59:58+00:00

This option will set the BT_SK_DEFER_SETUP bit in socket flags.

Signed-off-by: Frédéric Dalleau 
Signed-off-by: Gustavo Padovan

Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr

2012-09-27T21:10:15+00:00

Instead of old unsafe batostr function use %pMR print specifier
for printing Bluetooth addresses in sprintf and seq_printf
statements.

Signed-off-by: Andrei Emeltchenko 
Acked-by: Marcel Holtmann 
Signed-off-by: Gustavo Padovan