From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Abhishek Pandit-Subedi <abhishekpandit@chromium.org>,
Balakrishna Godavarthi <bgodavar@codeaurora.org>,
Manish Mandlik <mmandlik@chromium.org>,
Marcel Holtmann <marcel@holtmann.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 099/112] Bluetooth: Only mark socket zapped after unlocking
Date: Tue, 27 Oct 2020 14:50:09 +0100 [thread overview]
Message-ID: <20201027134905.225233912@linuxfoundation.org> (raw)
In-Reply-To: <20201027134900.532249571@linuxfoundation.org>
From: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]
Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
setting the socket as zapped, it could potentially race with
l2cap_sock_release which frees the socket. Thus, wait until the cleanup
is complete before marking the socket as zapped.
This race was reproduced on a JBL GO speaker after the remote device
rejected L2CAP connection due to resource unavailability.
Here is a dmesg log with debug logs from a repro of this bug:
[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002
[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0
[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2
[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001
[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952
[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c
[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00
[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4
[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT
[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT
[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3
[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6
[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159
[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053
[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
[ 3465.430332] Causing a watchdog bite!
Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index e562385d9440e..30731ce390ba0 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1330,8 +1330,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
parent = bt_sk(sk)->parent;
- sock_set_flag(sk, SOCK_ZAPPED);
-
switch (chan->state) {
case BT_OPEN:
case BT_BOUND:
@@ -1358,8 +1356,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
break;
}
-
release_sock(sk);
+
+ /* Only zap after cleanup to avoid use after free race */
+ sock_set_flag(sk, SOCK_ZAPPED);
+
}
static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
--
2.25.1
next prev parent reply other threads:[~2020-10-27 14:02 UTC|newest]
Thread overview: 119+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-27 13:48 [PATCH 4.4 000/112] 4.4.241-rc1 review Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 001/112] ibmveth: Identify ingress large send packets Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 002/112] tipc: fix the skb_unshare() in tipc_buf_append() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 003/112] net/ipv4: always honour route mtu during forwarding Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 004/112] r8169: fix data corruption issue on RTL8402 Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 005/112] ALSA: bebob: potential info leak in hwdep_read() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 006/112] mm/kasan: print name of mem[set,cpy,move]() caller in report Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 007/112] mm/kasan: add API to check memory regions Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 008/112] compiler.h, kasan: Avoid duplicating __read_once_size_nocheck() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 009/112] compiler.h: Add read_word_at_a_time() function Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 010/112] lib/strscpy: Shut up KASAN false-positives in strscpy() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 011/112] x86/mm/ptdump: Fix soft lockup in page table walker Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 012/112] net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 013/112] net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 014/112] nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 015/112] tcp: fix to update snd_wl1 in bulk receiver fast path Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 016/112] icmp: randomize the global rate limiter Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 017/112] cifs: remove bogus debug code Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 018/112] ima: Dont ignore errors from crypto_shash_update() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 019/112] EDAC/i5100: Fix error handling order in i5100_init_one() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 020/112] crypto: ixp4xx - Fix the size used in a dma_free_coherent() call Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 021/112] media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 022/112] media: m5mols: Check function pointer in m5mols_sensor_power Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 023/112] media: omap3isp: Fix memleak in isp_probe Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 024/112] crypto: omap-sham - fix digcnt register handling with export/import Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 025/112] media: tc358743: initialize variable Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 026/112] media: ti-vpe: Fix a missing check and reference count leak Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 027/112] ath6kl: prevent potential array overflow in ath6kl_add_new_sta() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 028/112] ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() Greg Kroah-Hartman
2020-10-27 13:48 ` [PATCH 4.4 029/112] wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 030/112] mwifiex: Do not use GFP_KERNEL in atomic context Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 031/112] drm/gma500: fix error check Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 032/112] scsi: qla4xxx: Fix an error handling path in qla4xxx_get_host_stats() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 033/112] scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 034/112] backlight: sky81452-backlight: Fix refcount imbalance on error Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 035/112] VMCI: check return value of get_user_pages_fast() for errors Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 036/112] tty: serial: earlycon dependency Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 037/112] tty: hvcs: Dont NULL tty->driver_data until hvcs_cleanup() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 038/112] pty: do tty_flip_buffer_push without port->lock in pty_write Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 039/112] drivers/virt/fsl_hypervisor: Fix error handling path Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 040/112] video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 041/112] video: fbdev: sis: fix null ptr dereference Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 042/112] HID: roccat: add bounds checking in kone_sysfs_write_settings() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 043/112] ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 044/112] misc: mic: scif: Fix error handling path Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 045/112] ALSA: seq: oss: Avoid mutex lock for a long-time ioctl Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 046/112] quota: clear padding in v2r1_mem2diskdqb() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 047/112] net: enic: Cure the enic api locking trainwreck Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 048/112] mfd: sm501: Fix leaks in probe() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 049/112] usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 050/112] nl80211: fix non-split wiphy information Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 051/112] mwifiex: fix double free Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 052/112] net: korina: fix kfree of rx/tx descriptor array Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 053/112] IB/mlx4: Adjust delayed work when a dup is observed Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 054/112] powerpc/pseries: Fix missing of_node_put() in rng_init() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 055/112] powerpc/icp-hv: Fix missing of_node_put() in success path Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 056/112] mtd: lpddr: fix excessive stack usage with clang Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 057/112] mtd: mtdoops: Dont write panic data twice Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 058/112] ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 059/112] powerpc/tau: Use appropriate temperature sample interval Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 060/112] powerpc/tau: Remove duplicated set_thresholds() call Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 061/112] powerpc/tau: Disable TAU between measurements Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 062/112] perf intel-pt: Fix "context_switch event has no tid" error Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 063/112] kdb: Fix pager search for multi-line strings Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 064/112] powerpc/perf/hv-gpci: Fix starting index value Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 065/112] cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_reboot_notifier Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 066/112] lib/crc32.c: fix trivial typo in preprocessor condition Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 067/112] vfio/pci: Clear token on bypass registration failure Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 068/112] Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 069/112] Input: ep93xx_keypad - fix handling of platform_get_irq() error Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 070/112] Input: omap4-keypad " Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 071/112] Input: sun4i-ps2 " Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 072/112] KVM: x86: emulating RDPID failure shall return #UD rather than #GP Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 073/112] memory: omap-gpmc: Fix a couple off by ones Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 074/112] memory: fsl-corenet-cf: Fix handling of platform_get_irq() error Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 075/112] arm64: dts: zynqmp: Remove additional compatible string for i2c IPs Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 076/112] powerpc/powernv/dump: Fix race while processing OPAL dump Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 077/112] media: firewire: fix memory leak Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 078/112] media: ati_remote: sanity check for both endpoints Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 079/112] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 080/112] media: exynos4-is: Fix a reference count leak " Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 081/112] media: exynos4-is: Fix a reference count leak Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 082/112] media: bdisp: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 083/112] media: media/pci: prevent memory leak in bttv_probe Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 084/112] media: uvcvideo: Ensure all probed info is returned to v4l2 Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 085/112] mmc: sdio: Check for CISTPL_VERS_1 buffer size Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 086/112] media: saa7134: avoid a shift overflow Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 087/112] ntfs: add check for mft record size in superblock Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 088/112] PM: hibernate: remove the bogus call to get_gendisk() in software_resume() Greg Kroah-Hartman
2020-10-27 13:49 ` [PATCH 4.4 089/112] scsi: mvumi: Fix error return in mvumi_io_attach() Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 090/112] scsi: target: core: Add CONTROL field for trace events Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 091/112] usb: gadget: function: printer: fix use-after-free in __lock_acquire Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 092/112] udf: Limit sparing table size Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 093/112] udf: Avoid accessing uninitialized data on failed inode read Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 094/112] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 095/112] misc: rtsx: Fix memory leak in rtsx_pci_probe Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 096/112] reiserfs: only call unlock_new_inode() if I_NEW Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 097/112] xfs: make sure the rt allocator doesnt run off the end Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 098/112] usb: ohci: Default to per-port over-current protection Greg Kroah-Hartman
2020-10-27 13:50 ` Greg Kroah-Hartman [this message]
2020-10-27 13:50 ` [PATCH 4.4 100/112] scsi: ibmvfc: Fix error return in ibmvfc_probe() Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 101/112] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 102/112] rtl8xxxu: prevent potential memory leak Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 103/112] Fix use after free in get_capset_info callback Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 104/112] tty: ipwireless: fix error handling Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 105/112] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 106/112] reiserfs: Fix memory leak in reiserfs_parse_options() Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 107/112] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 108/112] usb: core: Solve race condition in anchor cleanup functions Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 109/112] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 110/112] net: korina: cast KSEG0 address to pointer in kfree Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 111/112] usb: cdc-acm: add quirk to blacklist ETAS ES58X devices Greg Kroah-Hartman
2020-10-27 13:50 ` [PATCH 4.4 112/112] USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() Greg Kroah-Hartman
2020-10-28 13:50 ` [PATCH 4.4 000/112] 4.4.241-rc1 review Naresh Kamboju
2020-10-28 15:54 ` Pavel Machek
2020-10-28 19:28 ` Jon Hunter
[not found] ` <20201028170621.GA118534@roeck-us.net>
2020-10-28 19:46 ` Guenter Roeck
2020-10-28 20:33 ` Daniel Díaz
2020-10-28 20:47 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201027134905.225233912@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=abhishekpandit@chromium.org \
--cc=bgodavar@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=mmandlik@chromium.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.