kernel_optimize_test/net/bluetooth
Ole Bjørn Midtbø d7d04c6749 Bluetooth: hidp: use correct wait queue when removing ctrl_wait
[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]

A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [<ffffffc000443f78>] __list_add+0x38/0xb0
 [<ffffffc0000f0d04>] add_wait_queue+0x4c/0x68
 [<ffffffc00020eecc>] __pollwait+0xec/0x100
 [<ffffffc000d1556c>] bt_sock_poll+0x74/0x200
 [<ffffffc000bdb8a8>] sock_poll+0x110/0x128
 [<ffffffc000210378>] do_sys_poll+0x220/0x480
 [<ffffffc0002106f0>] SyS_poll+0x80/0x138
 [<ffffffc00008510c>] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [<ffffffc0000f079c>] __wake_up_common+0x7c/0xa8
  [<ffffffc0000f0818>] __wake_up+0x50/0x70
  [<ffffffc000be11b0>] sock_def_wakeup+0x58/0x60
  [<ffffffc000de5e10>] l2cap_sock_teardown_cb+0x200/0x224
  [<ffffffc000d3f2ac>] l2cap_chan_del+0xa4/0x298
  [<ffffffc000d45ea0>] l2cap_conn_del+0x118/0x198
  [<ffffffc000d45f8c>] l2cap_disconn_cfm+0x6c/0x78
  [<ffffffc000d29934>] hci_event_packet+0x564/0x2e30
  [<ffffffc000d19b0c>] hci_rx_work+0x10c/0x360
  [<ffffffc0000c2218>] process_one_work+0x268/0x460
  [<ffffffc0000c2678>] worker_thread+0x268/0x480
  [<ffffffc0000c94e0>] kthread+0x118/0x128
  [<ffffffc000085070>] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø <omidtbo@cisco.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-08-26 08:35:40 -04:00
..
bnep net: make ->{get,set}sockopt in proto_ops optional 2020-07-19 18:16:41 -07:00
cmtp Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails 2021-06-03 09:00:35 +02:00
hidp Bluetooth: hidp: use correct wait queue when removing ctrl_wait 2021-08-26 08:35:40 -04:00
rfcomm Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2020-07-31 15:11:52 -07:00
6lowpan.c Bluetooth: add a mutex lock to avoid UAF in do_enale_set 2020-06-23 14:30:07 +02:00
a2mp.c Bluetooth: drop HCI device reference before return 2021-03-04 11:37:25 +01:00
a2mp.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
af_bluetooth.c Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections 2020-06-12 15:08:49 +02:00
amp.c Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data 2021-03-07 12:34:10 +01:00
amp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
ecdh_helper.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
ecdh_helper.h Fix misc new gcc warnings 2021-05-11 14:47:36 +02:00
hci_conn.c Bluetooth: avoid deadlock between hci_dev->lock and socket lock 2021-05-14 09:50:29 +02:00
hci_core.c Bluetooth: defer cleanup of resources in hci_unregister_dev() 2021-08-12 13:22:08 +02:00
hci_debugfs.c Bluetooth: debugfs option to unset MITM flag 2020-04-07 18:32:21 +02:00
hci_debugfs.h
hci_event.c Bluetooth: Fix alt settings for incoming SCO with transparent coding format 2021-07-19 09:44:54 +02:00
hci_request.c Bluetooth: Fix Set Extended (Scan Response) Data 2021-07-14 16:56:30 +02:00
hci_request.h Bluetooth: Enable/Disable address resolution during le create conn 2020-07-30 09:34:43 +02:00
hci_sock.c Bluetooth: defer cleanup of resources in hci_unregister_dev() 2021-08-12 13:22:08 +02:00
hci_sysfs.c Bluetooth: defer cleanup of resources in hci_unregister_dev() 2021-08-12 13:22:08 +02:00
Kconfig Bluetooth: Disable High Speed by default 2020-09-25 20:21:55 +02:00
l2cap_core.c Bluetooth: L2CAP: Fix invalid access on ECRED Connection response 2021-07-19 09:44:54 +02:00
l2cap_sock.c Bluetooth: check for zapped sk before connecting 2021-05-19 10:12:53 +02:00
leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
leds.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lib.c Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
Makefile Bluetooth: implement read/set default system parameters mgmt 2020-06-12 21:41:07 +02:00
mgmt_config.c Bluetooth: Adding a configurable autoconnect timeout 2020-07-07 17:37:03 +02:00
mgmt_config.h Bluetooth: mgmt: Add commands for runtime configuration 2020-06-18 13:11:03 +03:00
mgmt_util.c
mgmt_util.h
mgmt.c Bluetooth: mgmt: Fix the command returns garbage parameter value 2021-07-19 09:44:54 +02:00
msft.c Bluetooth: Replace zero-length array with flexible-array member 2020-10-29 17:22:59 -05:00
msft.h Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES 2020-06-18 13:11:21 +03:00
sco.c Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option 2020-12-30 11:53:40 +01:00
selftest.c Bluetooth: Remove CRYPTO_ALG_INTERNAL flag 2020-07-31 16:42:04 +03:00
selftest.h
smp.c Bluetooth: SMP: Fail if remote and local public keys are identical 2021-05-26 12:06:57 +02:00
smp.h Bluetooth: SMP: fix crash in unpairing 2018-09-26 12:39:32 +03:00