* [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
@ 2023-01-19 1:34 Sungwoo Kim
2023-01-19 1:40 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Sungwoo Kim
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Sungwoo Kim @ 2023-01-19 1:34 UTC (permalink / raw)
Cc: daveti, wuruoyu, benquike, Sungwoo Kim, Marcel Holtmann,
Johan Hedberg, Luiz Augusto von Dentz, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni,
open list:BLUETOOTH SUBSYSTEM, open list:NETWORKING [GENERAL],
open list
The L2CAP socket shutdown invokes l2cap_sock_destruct without a lock
on conn->chan_lock, assigning NULL to chan->data *just before*
the l2cap_disconnect_req thread that accesses to chan->data.
This patch prevent it by adding a null check for a workaround, instead
of fixing a lock.
This bug is found by FuzzBT, a modified Syzkaller by Sungwoo Kim(me).
Ruoyu Wu(wuruoyu@me.com) and Hui Peng(benquike@gmail.com) has helped
the FuzzBT project.
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
net/bluetooth/l2cap_sock.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ca8f07f35..350c7afdf 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1681,9 +1681,11 @@ static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
{
struct sock *sk = chan->data;
- lock_sock(sk);
- sk->sk_shutdown = SHUTDOWN_MASK;
- release_sock(sk);
+ if (!sk) {
+ lock_sock(sk);
+ sk->sk_shutdown = SHUTDOWN_MASK;
+ release_sock(sk);
+ }
}
static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
--
2.25.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0
2023-01-19 1:34 [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
@ 2023-01-19 1:40 ` Sungwoo Kim
2023-01-19 2:04 ` [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
2023-01-19 3:57 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Eric Dumazet
2023-01-19 2:44 ` L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb bluez.test.bot
2023-01-19 4:16 ` [PATCH] " Eric Dumazet
2 siblings, 2 replies; 8+ messages in thread
From: Sungwoo Kim @ 2023-01-19 1:40 UTC (permalink / raw)
To: iam
Cc: benquike, davem, daveti, edumazet, johan.hedberg, kuba,
linux-bluetooth, linux-kernel, luiz.dentz, marcel, netdev,
pabeni, wuruoyu
Write of size 4 at addr 0000000000000098 by task kworker/u3:0/76
CPU: 0 PID: 76 Comm: kworker/u3:0 Not tainted 6.1.0-rc2 #129
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
dump_stack_lvl+0x7b/0xb3
print_report+0xed/0x200
? __virt_addr_valid+0x5c/0x240
? kasan_addr_to_slab+0xd/0xa0
? _raw_spin_lock_bh+0x4c/0xc0
kasan_report+0xd3/0x100
? _raw_spin_lock_bh+0x4c/0xc0
kasan_check_range+0x2d3/0x310
__kasan_check_write+0x14/0x20
_raw_spin_lock_bh+0x4c/0xc0
lock_sock_nested+0x3f/0x160
? queue_work_on+0x90/0xd0
l2cap_sock_set_shutdown_cb+0x3d/0x60
l2cap_disconnect_req+0x1e3/0x2e0
l2cap_bredr_sig_cmd+0x3d2/0x5ec0
? vprintk_emit+0x29b/0x4d0
? vprintk_default+0x2b/0x30
? vprintk+0xdc/0x100
? _printk+0x67/0x85
? bt_err+0x7f/0xc0
? bt_err+0x9a/0xc0
l2cap_recv_frame+0x7bc/0x4e10
? _printk+0x67/0x85
? bt_err+0x7f/0xc0
? __wake_up_klogd+0xc4/0xf0
l2cap_recv_acldata+0x327/0x650
? hci_conn_enter_active_mode+0x1b7/0x1f0
hci_rx_work+0x6b7/0x7c0
process_one_work+0x461/0xaf0
worker_thread+0x5f8/0xba0
kthread+0x1c5/0x200
? process_one_work+0xaf0/0xaf0
? kthread_blkcg+0x90/0x90
ret_from_fork+0x1f/0x30
</TASK>
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
2023-01-19 1:40 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Sungwoo Kim
@ 2023-01-19 2:04 ` Sungwoo Kim
2023-01-19 2:46 ` bluez.test.bot
2023-01-19 3:57 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Eric Dumazet
1 sibling, 1 reply; 8+ messages in thread
From: Sungwoo Kim @ 2023-01-19 2:04 UTC (permalink / raw)
To: iam
Cc: benquike, davem, daveti, edumazet, johan.hedberg, kuba,
linux-bluetooth, linux-kernel, luiz.dentz, marcel, netdev,
pabeni, wuruoyu
Fix a critical typo on the prev patch - Sorry!
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
net/bluetooth/l2cap_sock.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ca8f07f35..b9381d45d 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1681,9 +1681,11 @@ static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
{
struct sock *sk = chan->data;
- lock_sock(sk);
- sk->sk_shutdown = SHUTDOWN_MASK;
- release_sock(sk);
+ if (sk) {
+ lock_sock(sk);
+ sk->sk_shutdown = SHUTDOWN_MASK;
+ release_sock(sk);
+ }
}
static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
--
2.25.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* RE: L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
2023-01-19 1:34 [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
2023-01-19 1:40 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Sungwoo Kim
@ 2023-01-19 2:44 ` bluez.test.bot
2023-01-19 4:16 ` [PATCH] " Eric Dumazet
2 siblings, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2023-01-19 2:44 UTC (permalink / raw)
To: linux-bluetooth, iam
[-- Attachment #1: Type: text/plain, Size: 1597 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=713481
---Test result---
Test Summary:
CheckPatch PASS 1.94 seconds
GitLint PASS 0.34 seconds
SubjectPrefix FAIL 0.53 seconds
BuildKernel PASS 38.21 seconds
CheckAllWarning PASS 41.62 seconds
CheckSparse PASS 46.12 seconds
CheckSmatch PASS 124.89 seconds
BuildKernel32 PASS 36.50 seconds
TestRunnerSetup PASS 513.51 seconds
TestRunner_l2cap-tester PASS 18.77 seconds
TestRunner_iso-tester PASS 19.40 seconds
TestRunner_bnep-tester PASS 6.99 seconds
TestRunner_mgmt-tester PASS 123.49 seconds
TestRunner_rfcomm-tester PASS 10.74 seconds
TestRunner_sco-tester PASS 9.58 seconds
TestRunner_ioctl-tester PASS 10.96 seconds
TestRunner_mesh-tester PASS 8.25 seconds
TestRunner_smp-tester PASS 9.34 seconds
TestRunner_userchan-tester PASS 6.94 seconds
IncrementalBuild PASS 34.93 seconds
Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
2023-01-19 2:04 ` [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
@ 2023-01-19 2:46 ` bluez.test.bot
0 siblings, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2023-01-19 2:46 UTC (permalink / raw)
To: linux-bluetooth, iam
[-- Attachment #1: Type: text/plain, Size: 1599 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=713488
---Test result---
Test Summary:
CheckPatch PASS 1.74 seconds
GitLint PASS 0.27 seconds
SubjectPrefix FAIL 0.45 seconds
BuildKernel PASS 43.01 seconds
CheckAllWarning PASS 46.26 seconds
CheckSparse PASS 51.28 seconds
CheckSmatch PASS 136.55 seconds
BuildKernel32 PASS 40.25 seconds
TestRunnerSetup PASS 579.35 seconds
TestRunner_l2cap-tester PASS 20.05 seconds
TestRunner_iso-tester PASS 21.75 seconds
TestRunner_bnep-tester PASS 7.20 seconds
TestRunner_mgmt-tester PASS 136.12 seconds
TestRunner_rfcomm-tester PASS 11.25 seconds
TestRunner_sco-tester PASS 10.28 seconds
TestRunner_ioctl-tester PASS 12.13 seconds
TestRunner_mesh-tester PASS 9.21 seconds
TestRunner_smp-tester PASS 10.40 seconds
TestRunner_userchan-tester PASS 7.64 seconds
IncrementalBuild PASS 38.50 seconds
Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0
2023-01-19 1:40 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Sungwoo Kim
2023-01-19 2:04 ` [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
@ 2023-01-19 3:57 ` Eric Dumazet
1 sibling, 0 replies; 8+ messages in thread
From: Eric Dumazet @ 2023-01-19 3:57 UTC (permalink / raw)
To: Sungwoo Kim
Cc: benquike, davem, daveti, johan.hedberg, kuba, linux-bluetooth,
linux-kernel, luiz.dentz, marcel, netdev, pabeni, wuruoyu
On Thu, Jan 19, 2023 at 2:41 AM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> Write of size 4 at addr 0000000000000098 by task kworker/u3:0/76
>
> CPU: 0 PID: 76 Comm: kworker/u3:0 Not tainted 6.1.0-rc2 #129
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Workqueue: hci0 hci_rx_work
> Call Trace:
> <TASK>
> dump_stack_lvl+0x7b/0xb3
> print_report+0xed/0x200
> ? __virt_addr_valid+0x5c/0x240
> ? kasan_addr_to_slab+0xd/0xa0
> ? _raw_spin_lock_bh+0x4c/0xc0
> kasan_report+0xd3/0x100
> ? _raw_spin_lock_bh+0x4c/0xc0
> kasan_check_range+0x2d3/0x310
> __kasan_check_write+0x14/0x20
> _raw_spin_lock_bh+0x4c/0xc0
> lock_sock_nested+0x3f/0x160
> ? queue_work_on+0x90/0xd0
> l2cap_sock_set_shutdown_cb+0x3d/0x60
> l2cap_disconnect_req+0x1e3/0x2e0
> l2cap_bredr_sig_cmd+0x3d2/0x5ec0
> ? vprintk_emit+0x29b/0x4d0
> ? vprintk_default+0x2b/0x30
> ? vprintk+0xdc/0x100
> ? _printk+0x67/0x85
> ? bt_err+0x7f/0xc0
> ? bt_err+0x9a/0xc0
> l2cap_recv_frame+0x7bc/0x4e10
> ? _printk+0x67/0x85
> ? bt_err+0x7f/0xc0
> ? __wake_up_klogd+0xc4/0xf0
> l2cap_recv_acldata+0x327/0x650
> ? hci_conn_enter_active_mode+0x1b7/0x1f0
> hci_rx_work+0x6b7/0x7c0
> process_one_work+0x461/0xaf0
> worker_thread+0x5f8/0xba0
> kthread+0x1c5/0x200
> ? process_one_work+0xaf0/0xaf0
> ? kthread_blkcg+0x90/0x90
> ret_from_fork+0x1f/0x30
> </TASK>
If you plan sending more stack traces like that in the future, always
run scripts/decode_stacktrace.sh
so that the public report includes symbols.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
2023-01-19 1:34 [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
2023-01-19 1:40 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Sungwoo Kim
2023-01-19 2:44 ` L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb bluez.test.bot
@ 2023-01-19 4:16 ` Eric Dumazet
2023-01-20 22:09 ` Luiz Augusto von Dentz
2 siblings, 1 reply; 8+ messages in thread
From: Eric Dumazet @ 2023-01-19 4:16 UTC (permalink / raw)
To: Sungwoo Kim
Cc: daveti, wuruoyu, benquike, Marcel Holtmann, Johan Hedberg,
Luiz Augusto von Dentz, David S. Miller, Jakub Kicinski,
Paolo Abeni, open list:BLUETOOTH SUBSYSTEM,
open list:NETWORKING [GENERAL],
open list
On Thu, Jan 19, 2023 at 2:35 AM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> The L2CAP socket shutdown invokes l2cap_sock_destruct without a lock
> on conn->chan_lock, assigning NULL to chan->data *just before*
> the l2cap_disconnect_req thread that accesses to chan->data.
This is racy then ?
> This patch prevent it by adding a null check for a workaround, instead
> of fixing a lock.
This would at least require some barriers I think.
What about other _cb helpers also reading/using chan->data ?
>
> This bug is found by FuzzBT, a modified Syzkaller by Sungwoo Kim(me).
> Ruoyu Wu(wuruoyu@me.com) and Hui Peng(benquike@gmail.com) has helped
> the FuzzBT project.
>
> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
I would also add
Fixes: 1bff51ea59a9 ("Bluetooth: fix use-after-free error in
lock_sock_nested()")
> ---
> net/bluetooth/l2cap_sock.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index ca8f07f35..350c7afdf 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -1681,9 +1681,11 @@ static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
> {
> struct sock *sk = chan->data;
>
Other similar fixes simply do:
if (!sk)
return;
I would chose to use the same coding style in net/bluetooth/l2cap_sock.c
> - lock_sock(sk);
> - sk->sk_shutdown = SHUTDOWN_MASK;
> - release_sock(sk);
> + if (!sk) {
> + lock_sock(sk);
> + sk->sk_shutdown = SHUTDOWN_MASK;
> + release_sock(sk);
> + }
> }
>
> static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
> --
> 2.25.1
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
2023-01-19 4:16 ` [PATCH] " Eric Dumazet
@ 2023-01-20 22:09 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 8+ messages in thread
From: Luiz Augusto von Dentz @ 2023-01-20 22:09 UTC (permalink / raw)
To: Eric Dumazet
Cc: Sungwoo Kim, daveti, wuruoyu, benquike, Marcel Holtmann,
Johan Hedberg, David S. Miller, Jakub Kicinski, Paolo Abeni,
open list:BLUETOOTH SUBSYSTEM, open list:NETWORKING [GENERAL],
open list
Hi Kim, Eric,
On Wed, Jan 18, 2023 at 8:16 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Thu, Jan 19, 2023 at 2:35 AM Sungwoo Kim <iam@sung-woo.kim> wrote:
> >
> > The L2CAP socket shutdown invokes l2cap_sock_destruct without a lock
> > on conn->chan_lock, assigning NULL to chan->data *just before*
> > the l2cap_disconnect_req thread that accesses to chan->data.
>
> This is racy then ?
>
> > This patch prevent it by adding a null check for a workaround, instead
> > of fixing a lock.
>
> This would at least require some barriers I think.
>
> What about other _cb helpers also reading/using chan->data ?
Perhaps it would be a good idea to include the stack backtrace so we
can better understand it, at some point we might need to refactor or
locks to avoid circular dependencies.
> >
> > This bug is found by FuzzBT, a modified Syzkaller by Sungwoo Kim(me).
> > Ruoyu Wu(wuruoyu@me.com) and Hui Peng(benquike@gmail.com) has helped
> > the FuzzBT project.
> >
> > Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
>
> I would also add
>
> Fixes: 1bff51ea59a9 ("Bluetooth: fix use-after-free error in
> lock_sock_nested()")
+1
> > ---
> > net/bluetooth/l2cap_sock.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> > index ca8f07f35..350c7afdf 100644
> > --- a/net/bluetooth/l2cap_sock.c
> > +++ b/net/bluetooth/l2cap_sock.c
> > @@ -1681,9 +1681,11 @@ static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
> > {
> > struct sock *sk = chan->data;
> >
>
> Other similar fixes simply do:
>
> if (!sk)
> return;
>
> I would chose to use the same coding style in net/bluetooth/l2cap_sock.c
Yep, at least l2cap_sock_close_cb and l2cap_sock_shutdown do that already.
>
> > - lock_sock(sk);
> > - sk->sk_shutdown = SHUTDOWN_MASK;
> > - release_sock(sk);
> > + if (!sk) {
> > + lock_sock(sk);
> > + sk->sk_shutdown = SHUTDOWN_MASK;
> > + release_sock(sk);
> > + }
> > }
> >
> > static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
> > --
> > 2.25.1
> >
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-01-20 22:10 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-19 1:34 [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
2023-01-19 1:40 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Sungwoo Kim
2023-01-19 2:04 ` [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb Sungwoo Kim
2023-01-19 2:46 ` bluez.test.bot
2023-01-19 3:57 ` BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x4c/0xc0 Eric Dumazet
2023-01-19 2:44 ` L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb bluez.test.bot
2023-01-19 4:16 ` [PATCH] " Eric Dumazet
2023-01-20 22:09 ` Luiz Augusto von Dentz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.