linux/drivers/bluetooth/hci_serdev.c
Tetsuo Handa 3124d320c2 Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1],
for rcu_sync_enter() is called without rcu_sync_init() due to
hci_uart_tty_open() ignoring percpu_init_rwsem() failure.

While we are at it, fix that hci_uart_register_device() ignores
percpu_init_rwsem() failure and hci_uart_unregister_device() does not
call percpu_free_rwsem().

Link: https://syzkaller.appspot.com/bug?extid=576dfca25381fb6fbc5f [1]
Reported-by: syzbot <syzbot+576dfca25381fb6fbc5f@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 67d2f8781b9f00d1 ("Bluetooth: hci_ldisc: Allow sleeping while proto locks are held.")
Fixes: d73e172816652772 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2022-09-19 10:33:39 -07:00

419 lines
9.3 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Bluetooth HCI serdev driver lib
*
* Copyright (C) 2017 Linaro, Ltd., Rob Herring <robh@kernel.org>
*
* Based on hci_ldisc.c:
*
* Copyright (C) 2000-2001 Qualcomm Incorporated
* Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com>
* Copyright (C) 2004-2005 Marcel Holtmann <marcel@holtmann.org>
*/
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/serdev.h>
#include <linux/skbuff.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include "hci_uart.h"
static inline void hci_uart_tx_complete(struct hci_uart *hu, int pkt_type)
{
struct hci_dev *hdev = hu->hdev;
/* Update HCI stat counters */
switch (pkt_type) {
case HCI_COMMAND_PKT:
hdev->stat.cmd_tx++;
break;
case HCI_ACLDATA_PKT:
hdev->stat.acl_tx++;
break;
case HCI_SCODATA_PKT:
hdev->stat.sco_tx++;
break;
}
}
static inline struct sk_buff *hci_uart_dequeue(struct hci_uart *hu)
{
struct sk_buff *skb = hu->tx_skb;
if (!skb) {
if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
skb = hu->proto->dequeue(hu);
} else
hu->tx_skb = NULL;
return skb;
}
static void hci_uart_write_work(struct work_struct *work)
{
struct hci_uart *hu = container_of(work, struct hci_uart, write_work);
struct serdev_device *serdev = hu->serdev;
struct hci_dev *hdev = hu->hdev;
struct sk_buff *skb;
/* REVISIT:
* should we cope with bad skbs or ->write() returning an error value?
*/
do {
clear_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
while ((skb = hci_uart_dequeue(hu))) {
int len;
len = serdev_device_write_buf(serdev,
skb->data, skb->len);
hdev->stat.byte_tx += len;
skb_pull(skb, len);
if (skb->len) {
hu->tx_skb = skb;
break;
}
hci_uart_tx_complete(hu, hci_skb_pkt_type(skb));
kfree_skb(skb);
}
clear_bit(HCI_UART_SENDING, &hu->tx_state);
} while (test_bit(HCI_UART_TX_WAKEUP, &hu->tx_state));
}
/* ------- Interface to HCI layer ------ */
/* Reset device */
static int hci_uart_flush(struct hci_dev *hdev)
{
struct hci_uart *hu = hci_get_drvdata(hdev);
BT_DBG("hdev %p serdev %p", hdev, hu->serdev);
if (hu->tx_skb) {
kfree_skb(hu->tx_skb); hu->tx_skb = NULL;
}
/* Flush any pending characters in the driver and discipline. */
serdev_device_write_flush(hu->serdev);
if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
hu->proto->flush(hu);
return 0;
}
/* Initialize device */
static int hci_uart_open(struct hci_dev *hdev)
{
struct hci_uart *hu = hci_get_drvdata(hdev);
int err;
BT_DBG("%s %p", hdev->name, hdev);
/* When Quirk HCI_QUIRK_NON_PERSISTENT_SETUP is set by
* driver, BT SoC is completely turned OFF during
* BT OFF. Upon next BT ON UART port should be opened.
*/
if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
err = serdev_device_open(hu->serdev);
if (err)
return err;
set_bit(HCI_UART_PROTO_READY, &hu->flags);
}
/* Undo clearing this from hci_uart_close() */
hdev->flush = hci_uart_flush;
return 0;
}
/* Close device */
static int hci_uart_close(struct hci_dev *hdev)
{
struct hci_uart *hu = hci_get_drvdata(hdev);
BT_DBG("hdev %p", hdev);
if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
return 0;
hci_uart_flush(hdev);
hdev->flush = NULL;
/* When QUIRK HCI_QUIRK_NON_PERSISTENT_SETUP is set by driver,
* BT SOC is completely powered OFF during BT OFF, holding port
* open may drain the battery.
*/
if (test_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks)) {
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
serdev_device_close(hu->serdev);
}
return 0;
}
/* Send frames from HCI layer */
static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
struct hci_uart *hu = hci_get_drvdata(hdev);
BT_DBG("%s: type %d len %d", hdev->name, hci_skb_pkt_type(skb),
skb->len);
hu->proto->enqueue(hu, skb);
hci_uart_tx_wakeup(hu);
return 0;
}
static int hci_uart_setup(struct hci_dev *hdev)
{
struct hci_uart *hu = hci_get_drvdata(hdev);
struct hci_rp_read_local_version *ver;
struct sk_buff *skb;
unsigned int speed;
int err;
/* Init speed if any */
if (hu->init_speed)
speed = hu->init_speed;
else if (hu->proto->init_speed)
speed = hu->proto->init_speed;
else
speed = 0;
if (speed)
serdev_device_set_baudrate(hu->serdev, speed);
/* Operational speed if any */
if (hu->oper_speed)
speed = hu->oper_speed;
else if (hu->proto->oper_speed)
speed = hu->proto->oper_speed;
else
speed = 0;
if (hu->proto->set_baudrate && speed) {
err = hu->proto->set_baudrate(hu, speed);
if (err)
bt_dev_err(hdev, "Failed to set baudrate");
else
serdev_device_set_baudrate(hu->serdev, speed);
}
if (hu->proto->setup)
return hu->proto->setup(hu);
if (!test_bit(HCI_UART_VND_DETECT, &hu->hdev_flags))
return 0;
skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Reading local version info failed (%ld)",
PTR_ERR(skb));
return 0;
}
if (skb->len != sizeof(*ver))
bt_dev_err(hdev, "Event length mismatch for version info");
kfree_skb(skb);
return 0;
}
/* Check if the device is wakeable */
static bool hci_uart_wakeup(struct hci_dev *hdev)
{
/* HCI UART devices are assumed to be wakeable by default.
* Implement wakeup callback to override this behavior.
*/
return true;
}
/** hci_uart_write_wakeup - transmit buffer wakeup
* @serdev: serial device
*
* This function is called by the serdev framework when it accepts
* more data being sent.
*/
static void hci_uart_write_wakeup(struct serdev_device *serdev)
{
struct hci_uart *hu = serdev_device_get_drvdata(serdev);
BT_DBG("");
if (!hu || serdev != hu->serdev) {
WARN_ON(1);
return;
}
if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
hci_uart_tx_wakeup(hu);
}
/** hci_uart_receive_buf - receive buffer wakeup
* @serdev: serial device
* @data: pointer to received data
* @count: count of received data in bytes
*
* This function is called by the serdev framework when it received data
* in the RX buffer.
*
* Return: number of processed bytes
*/
static int hci_uart_receive_buf(struct serdev_device *serdev, const u8 *data,
size_t count)
{
struct hci_uart *hu = serdev_device_get_drvdata(serdev);
if (!hu || serdev != hu->serdev) {
WARN_ON(1);
return 0;
}
if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
return 0;
/* It does not need a lock here as it is already protected by a mutex in
* tty caller
*/
hu->proto->recv(hu, data, count);
if (hu->hdev)
hu->hdev->stat.byte_rx += count;
return count;
}
static const struct serdev_device_ops hci_serdev_client_ops = {
.receive_buf = hci_uart_receive_buf,
.write_wakeup = hci_uart_write_wakeup,
};
int hci_uart_register_device(struct hci_uart *hu,
const struct hci_uart_proto *p)
{
int err;
struct hci_dev *hdev;
BT_DBG("");
serdev_device_set_client_ops(hu->serdev, &hci_serdev_client_ops);
if (percpu_init_rwsem(&hu->proto_lock))
return -ENOMEM;
err = serdev_device_open(hu->serdev);
if (err)
goto err_rwsem;
err = p->open(hu);
if (err)
goto err_open;
hu->proto = p;
set_bit(HCI_UART_PROTO_READY, &hu->flags);
/* Initialize and register HCI device */
hdev = hci_alloc_dev();
if (!hdev) {
BT_ERR("Can't allocate HCI device");
err = -ENOMEM;
goto err_alloc;
}
hu->hdev = hdev;
hdev->bus = HCI_UART;
hci_set_drvdata(hdev, hu);
INIT_WORK(&hu->init_ready, hci_uart_init_work);
INIT_WORK(&hu->write_work, hci_uart_write_work);
/* Only when vendor specific setup callback is provided, consider
* the manufacturer information valid. This avoids filling in the
* value for Ericsson when nothing is specified.
*/
if (hu->proto->setup)
hdev->manufacturer = hu->proto->manufacturer;
hdev->open = hci_uart_open;
hdev->close = hci_uart_close;
hdev->flush = hci_uart_flush;
hdev->send = hci_uart_send_frame;
hdev->setup = hci_uart_setup;
if (!hdev->wakeup)
hdev->wakeup = hci_uart_wakeup;
SET_HCIDEV_DEV(hdev, &hu->serdev->dev);
if (test_bit(HCI_UART_NO_SUSPEND_NOTIFIER, &hu->flags))
set_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks);
if (test_bit(HCI_UART_RAW_DEVICE, &hu->hdev_flags))
set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
if (test_bit(HCI_UART_EXT_CONFIG, &hu->hdev_flags))
set_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks);
if (test_bit(HCI_UART_CREATE_AMP, &hu->hdev_flags))
hdev->dev_type = HCI_AMP;
else
hdev->dev_type = HCI_PRIMARY;
if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
return 0;
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
err = -ENODEV;
goto err_register;
}
set_bit(HCI_UART_REGISTERED, &hu->flags);
return 0;
err_register:
hci_free_dev(hdev);
err_alloc:
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
p->close(hu);
err_open:
serdev_device_close(hu->serdev);
err_rwsem:
percpu_free_rwsem(&hu->proto_lock);
return err;
}
EXPORT_SYMBOL_GPL(hci_uart_register_device);
void hci_uart_unregister_device(struct hci_uart *hu)
{
struct hci_dev *hdev = hu->hdev;
cancel_work_sync(&hu->init_ready);
if (test_bit(HCI_UART_REGISTERED, &hu->flags))
hci_unregister_dev(hdev);
hci_free_dev(hdev);
cancel_work_sync(&hu->write_work);
hu->proto->close(hu);
if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
serdev_device_close(hu->serdev);
}
percpu_free_rwsem(&hu->proto_lock);
}
EXPORT_SYMBOL_GPL(hci_uart_unregister_device);