diff options
author | Benjamin Berg | 2021-12-17 16:28:09 +0100 |
---|---|---|
committer | Marcel Holtmann | 2021-12-22 23:01:27 +0100 |
commit | 744451c162a514044a912cbbd64b7a386035cc5b (patch) | |
tree | 3b98ed43f097ae8e357b895c93078b1932207e6b /net/bluetooth | |
parent | df1e5c51492fd93ffc293acdcc6f00698d19fedc (diff) |
Bluetooth: hci_sync: Push sync command cancellation to workqueue
syzbot reported that hci_cmd_sync_cancel may sleep from the wrong
context. To avoid this, create a new work item that pushes the relevant
parts into a different context.
Note that we keep the old implementation with the name
__hci_cmd_sync_cancel as the sleeping behaviour is desired in some
cases.
Reported-and-tested-by: syzbot+485cc00ea7cf41dfdbf1@syzkaller.appspotmail.com
Fixes: c97a747efc93 ("Bluetooth: btusb: Cancel sync commands for certain URB errors")
Signed-off-by: Benjamin Berg <bberg@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth')
-rw-r--r-- | net/bluetooth/hci_core.c | 2 | ||||
-rw-r--r-- | net/bluetooth/hci_request.c | 2 | ||||
-rw-r--r-- | net/bluetooth/hci_sync.c | 27 |
3 files changed, 28 insertions, 3 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 38063bf1fdc5..2b7bd3655b07 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3859,7 +3859,7 @@ static void hci_cmd_work(struct work_struct *work) res = hci_send_frame(hdev, skb); if (res < 0) - hci_cmd_sync_cancel(hdev, -res); + __hci_cmd_sync_cancel(hdev, -res); if (test_bit(HCI_RESET, &hdev->flags)) cancel_delayed_work(&hdev->cmd_timer); diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index 329c66456cf1..ef5ced467f75 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c @@ -2692,7 +2692,7 @@ void hci_request_setup(struct hci_dev *hdev) void hci_request_cancel_all(struct hci_dev *hdev) { - hci_cmd_sync_cancel(hdev, ENODEV); + __hci_cmd_sync_cancel(hdev, ENODEV); cancel_work_sync(&hdev->discov_update); cancel_work_sync(&hdev->scan_update); diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index fd15fb37a52a..2fb8bc496d18 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -313,11 +313,24 @@ static void hci_cmd_sync_work(struct work_struct *work) } } +static void hci_cmd_sync_cancel_work(struct work_struct *work) +{ + struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_sync_cancel_work); + + cancel_delayed_work_sync(&hdev->cmd_timer); + cancel_delayed_work_sync(&hdev->ncmd_timer); + atomic_set(&hdev->cmd_cnt, 1); + + wake_up_interruptible(&hdev->req_wait_q); +} + void hci_cmd_sync_init(struct hci_dev *hdev) { INIT_WORK(&hdev->cmd_sync_work, hci_cmd_sync_work); INIT_LIST_HEAD(&hdev->cmd_sync_work_list); mutex_init(&hdev->cmd_sync_work_lock); + + INIT_WORK(&hdev->cmd_sync_cancel_work, hci_cmd_sync_cancel_work); } void hci_cmd_sync_clear(struct hci_dev *hdev) @@ -335,7 +348,7 @@ void hci_cmd_sync_clear(struct hci_dev *hdev) } } -void hci_cmd_sync_cancel(struct hci_dev *hdev, int err) +void __hci_cmd_sync_cancel(struct hci_dev *hdev, int err) { bt_dev_dbg(hdev, "err 0x%2.2x", err); @@ -350,6 +363,18 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err) wake_up_interruptible(&hdev->req_wait_q); } } + +void hci_cmd_sync_cancel(struct hci_dev *hdev, int err) +{ + bt_dev_dbg(hdev, "err 0x%2.2x", err); + + if (hdev->req_status == HCI_REQ_PEND) { + hdev->req_result = err; + hdev->req_status = HCI_REQ_CANCELED; + + queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work); + } +} EXPORT_SYMBOL(hci_cmd_sync_cancel); int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func, |