From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> To: Marcel Holtmann <marcel@holtmann.org>, Johan Hedberg <johan.hedberg@gmail.com>, Luiz Augusto von Dentz <luiz.dentz@gmail.com>, linux-bluetooth@vger.kernel.org Cc: "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Lin Ma <linma@zju.edu.cn>, netdev@vger.kernel.org, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Subject: [PATCH] Bluetooth: call lock_sock() outside of spinlock section Date: Sun, 27 Jun 2021 22:11:34 +0900 [thread overview] Message-ID: <20210627131134.5434-1-penguin-kernel@I-love.SAKURA.ne.jp> (raw) syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to calling lock_sock() with rw spinlock held [1]. Defer calling lock_sock() via sock_hold(). Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1] Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> Fixes: e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object") --- net/bluetooth/hci_sock.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index eed0dd066e12..64e54ab0892f 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -759,19 +759,39 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) if (event == HCI_DEV_UNREG) { struct sock *sk; +restart: /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { + /* hci_sk_list.lock is preventing hci_sock_release() + * from calling bt_sock_unlink(). + */ + if (hci_pi(sk)->hdev != hdev || sk_unhashed(sk)) + continue; + /* Take a ref because we can't call lock_sock() with + * hci_sk_list.lock held. + */ + sock_hold(sk); + read_unlock(&hci_sk_list.lock); lock_sock(sk); - if (hci_pi(sk)->hdev == hdev) { + /* Since hci_sock_release() might have already called + * bt_sock_unlink() while waiting for lock_sock(), + * use sk_hashed(sk) for checking that bt_sock_unlink() + * is not yet called. + */ + if (sk_hashed(sk) && hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; sk->sk_state = BT_OPEN; sk->sk_state_change(sk); - hci_dev_put(hdev); } release_sock(sk); + sock_put(sk); + /* Restarting is safe, for hci_pi(sk)->hdev is now NULL + * if condition met and will "continue;" otherwise. + */ + goto restart; } read_unlock(&hci_sk_list.lock); } -- 2.18.4
next reply other threads:[~2021-06-27 13:12 UTC|newest] Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-06-27 13:11 Tetsuo Handa [this message] 2021-06-27 14:05 ` bluez.test.bot 2021-07-07 9:43 ` [PATCH v2] " Tetsuo Handa 2021-07-07 10:08 ` [v2] " bluez.test.bot 2021-07-07 18:20 ` [PATCH v2] " Luiz Augusto von Dentz 2021-07-07 23:33 ` Tetsuo Handa 2021-07-08 1:00 ` LinMa 2021-07-09 13:50 ` Tetsuo Handa 2021-07-10 13:34 ` Tetsuo Handa 2021-07-08 7:16 ` [v2] " bluez.test.bot 2021-07-13 11:27 ` [PATCH v3] " Tetsuo Handa 2021-07-13 11:57 ` [v3] " bluez.test.bot 2021-07-14 19:20 ` [PATCH v3] " Luiz Augusto von Dentz 2021-07-15 3:03 ` LinMa 2021-07-16 3:47 ` Desmond Cheong Zhi Xi 2021-07-16 4:11 ` Desmond Cheong Zhi Xi 2021-07-16 14:48 ` Tetsuo Handa 2021-07-16 15:26 ` LinMa 2021-07-17 15:41 ` Yet Another Patch for CVE-2021-3573 LinMa 2021-07-17 15:45 ` LinMa 2021-07-22 9:36 ` [PATCH v3] Bluetooth: call lock_sock() outside of spinlock section Tetsuo Handa 2021-07-22 4:47 ` LinMa 2021-07-22 5:16 ` Tetsuo Handa
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210627131134.5434-1-penguin-kernel@I-love.SAKURA.ne.jp \ --to=penguin-kernel@i-love.sakura.ne.jp \ --cc=davem@davemloft.net \ --cc=johan.hedberg@gmail.com \ --cc=kuba@kernel.org \ --cc=linma@zju.edu.cn \ --cc=linux-bluetooth@vger.kernel.org \ --cc=luiz.dentz@gmail.com \ --cc=marcel@holtmann.org \ --cc=netdev@vger.kernel.org \ --subject='Re: [PATCH] Bluetooth: call lock_sock() outside of spinlock section' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.