* [PATCH 0/3] bluetooth: bug fixes for 3.3
@ 2012-03-09 15:43 Johan Hovold
2012-03-09 15:43 ` [PATCH 1/3] bluetooth: hci_ldisc: fix memory leak on tty_close Johan Hovold
` (3 more replies)
0 siblings, 4 replies; 13+ messages in thread
From: Johan Hovold @ 2012-03-09 15:43 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold
Hi,
This is a revised series which also contains a minimal fix to the memory leak
discovered by David Hermann upon which the first NULL-pointer-dereference fix
also depends.
These patches need to get to Linus ASAP as the problems are present in 3.3-rc6
as well as earlier kernels and thus should be backported to the stable trees as
well.
Thanks,
Johan
Johan Hovold (3):
bluetooth: hci_ldisc: fix memory leak on tty_close
bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
bluetooth: hci_core: fix NULL-pointer dereference at unregister
drivers/bluetooth/hci_ldisc.c | 4 ++--
include/net/bluetooth/hci.h | 2 ++
net/bluetooth/hci_core.c | 7 +++++++
3 files changed, 11 insertions(+), 2 deletions(-)
--
1.7.8.4
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH 1/3] bluetooth: hci_ldisc: fix memory leak on tty_close
2012-03-09 15:43 [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
@ 2012-03-09 15:43 ` Johan Hovold
2012-03-09 15:43 ` [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference " Johan Hovold
` (2 subsequent siblings)
3 siblings, 0 replies; 13+ messages in thread
From: Johan Hovold @ 2012-03-09 15:43 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold, stable
The hci_uart is never freed when tty is closed if the protocol has not
been set.
This was discovered by David Hermann and fixed in bluetooth-next. Those
patches are more intrusive as they remove the mandatory destructor
completely.
This is the minimal fix, which leaves the destructor as an empty dummy
call for now.
Cc: David Herrmann <dh.herrmann@googlemail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
---
drivers/bluetooth/hci_ldisc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 0711448..97c5faa 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -237,7 +237,6 @@ static void hci_uart_destruct(struct hci_dev *hdev)
return;
BT_DBG("%s", hdev->name);
- kfree(hdev->driver_data);
}
/* ------ LDISC part ------ */
@@ -316,6 +315,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
hci_free_dev(hdev);
}
}
+ kfree(hu);
}
}
--
1.7.8.4
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
2012-03-09 15:43 [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
2012-03-09 15:43 ` [PATCH 1/3] bluetooth: hci_ldisc: fix memory leak on tty_close Johan Hovold
@ 2012-03-09 15:43 ` Johan Hovold
2012-03-09 15:50 ` Johan Hovold
2012-03-09 15:43 ` [PATCH 3/3] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
2012-03-14 11:25 ` [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
3 siblings, 1 reply; 13+ messages in thread
From: Johan Hovold @ 2012-03-09 15:43 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold, stable
Do not close protocol driver until device has been unregistered.
This fixes a race between tty_close and hci_dev_open which can result in
a NULL-pointer dereference.
The line discipline closes the protocol driver while we may still have
hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
dereference when lock is acquired and hci_init_req called.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close detaches protocol driver and cancels init req
5. hci_dev_open (1) releases req lock
6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
when request is prepared in hci_uart_send_frame
[ 137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
[ 137.209838] pgd = c0004000
[ 137.212677] [00000028] *pgd=00000000
[ 137.216430] Internal error: Oops: 17 [#1]
[ 137.220642] Modules linked in:
[ 137.223846] CPU: 0 Tainted: G W (3.3.0-rc6-dirty #406)
[ 137.230529] PC is at __lock_acquire+0x5c/0x1ab0
[ 137.235290] LR is at lock_acquire+0x9c/0x128
[ 137.239776] pc : [<c0071490>] lr : [<c00733f8>] psr: 20000093
[ 137.239776] sp : cf869dd8 ip : c0529554 fp : c051c730
[ 137.251800] r10: 00000000 r9 : cf8673c0 r8 : 00000080
[ 137.257293] r7 : 00000028 r6 : 00000002 r5 : 00000000 r4 : c053fd70
[ 137.264129] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000001
[ 137.270965] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 137.278717] Control: 10c5387d Table: 8f0f4019 DAC: 00000015
[ 137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
[ 137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
[ 137.295776] 9dc0: c0529554 00000000
[ 137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
[ 137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
[ 137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
[ 137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
[ 137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
[ 137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
[ 137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
[ 137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
[ 137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
[ 137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
[ 137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
[ 137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
[ 137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
[ 137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
[ 137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
[ 137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
[ 137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
[ 137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
[ 137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
[ 137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
[ 137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
[ 137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
[ 137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
[ 137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
[ 137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
[ 137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
[ 137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
[ 137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
[ 137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
[ 137.559234] ---[ end trace 1b75b31a2719ed1e ]---
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
---
drivers/bluetooth/hci_ldisc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 97c5faa..5119c4b 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -309,11 +309,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
hci_uart_close(hdev);
if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
- hu->proto->close(hu);
if (hdev) {
hci_unregister_dev(hdev);
hci_free_dev(hdev);
}
+ hu->proto->close(hu);
}
kfree(hu);
}
--
1.7.8.4
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH 3/3] bluetooth: hci_core: fix NULL-pointer dereference at unregister
2012-03-09 15:43 [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
2012-03-09 15:43 ` [PATCH 1/3] bluetooth: hci_ldisc: fix memory leak on tty_close Johan Hovold
2012-03-09 15:43 ` [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference " Johan Hovold
@ 2012-03-09 15:43 ` Johan Hovold
2012-03-14 11:25 ` [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
3 siblings, 0 replies; 13+ messages in thread
From: Johan Hovold @ 2012-03-09 15:43 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold, stable
Make sure hci_dev_open returns immediately if hci_dev_unregister has
been called.
This fixes a race between hci_dev_open and hci_dev_unregister which can
lead to a NULL-pointer dereference.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n /dev/ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
hci_dev_do_close
5. hci_dev_open (1) releases req lock
6. hci_dev_do_close grabs req lock and returns as device is not up
7. hci_dev_unregister sleeps in destroy_workqueue
8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
9. hci_dev_unregister finishes, while hci_dev_open is still running...
[ 79.627136] INFO: trying to register non-static key.
[ 79.632354] the code is fine but needs lockdep annotation.
[ 79.638122] turning off the locking correctness validator.
[ 79.643920] [<c00188bc>] (unwind_backtrace+0x0/0xf8) from [<c00729c4>] (__lock_acquire+0x1590/0x1ab0)
[ 79.653594] [<c00729c4>] (__lock_acquire+0x1590/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
[ 79.663085] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0040a88>] (run_timer_softirq+0x150/0x3ac)
[ 79.672668] [<c0040a88>] (run_timer_softirq+0x150/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
[ 79.682281] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
[ 79.690856] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
[ 79.699157] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
[ 79.708648] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
[ 79.718048] Exception stack(0xcf281fb0 to 0xcf281ff8)
[ 79.723358] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
[ 79.731933] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
[ 79.740509] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
[ 79.747497] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 79.756011] pgd = cf3b4000
[ 79.758850] [00000000] *pgd=8f0c7831, *pte=00000000, *ppte=00000000
[ 79.765502] Internal error: Oops: 80000007 [#1]
[ 79.770294] Modules linked in:
[ 79.773529] CPU: 0 Tainted: G W (3.3.0-rc6-00002-gb5d5c87 #421)
[ 79.781066] PC is at 0x0
[ 79.783721] LR is at run_timer_softirq+0x16c/0x3ac
[ 79.788787] pc : [<00000000>] lr : [<c0040aa4>] psr: 60000113
[ 79.788787] sp : cf281ee0 ip : 00000000 fp : cf280000
[ 79.800903] r10: 00000004 r9 : 00000100 r8 : b6f234d0
[ 79.806427] r7 : c0519c28 r6 : cf093488 r5 : c0561a00 r4 : 00000000
[ 79.813323] r3 : 00000000 r2 : c054eee0 r1 : 00000001 r0 : 00000000
[ 79.820190] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 79.827728] Control: 10c5387d Table: 8f3b4019 DAC: 00000015
[ 79.833801] Process gpsd (pid: 1265, stack limit = 0xcf2802e8)
[ 79.839965] Stack: (0xcf281ee0 to 0xcf282000)
[ 79.844573] 1ee0: 00000002 00000000 c0040a24 00000000 00000002 cf281f08 00200200 00000000
[ 79.853210] 1f00: 00000000 cf281f18 cf281f08 00000000 00000000 00000000 cf281f18 cf281f18
[ 79.861816] 1f20: 00000000 00000001 c056184c 00000000 00000001 b6f234d0 c0561848 00000004
[ 79.870452] 1f40: cf280000 c003a3b8 c051e79c 00000001 00000000 00000100 3fa9e7b8 0000000a
[ 79.879089] 1f60: 00000025 cf280000 00000025 00000000 00000000 b6f234d0 00000000 00000004
[ 79.887756] 1f80: 00000000 c003a924 c053ad38 c0013a50 fa200000 cf281fb0 ffffffff c0008530
[ 79.896362] 1fa0: 0001e6a0 0000aab8 80000010 c037499c 0001e6a0 be8dab00 0001e698 00036698
[ 79.904998] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
[ 79.913665] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff 00fbf700 04ffff00
[ 79.922302] [<c0040aa4>] (run_timer_softirq+0x16c/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
[ 79.931945] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
[ 79.940582] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
[ 79.948913] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
[ 79.958404] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
[ 79.967773] Exception stack(0xcf281fb0 to 0xcf281ff8)
[ 79.973083] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
[ 79.981658] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
[ 79.990234] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
[ 79.997161] Code: bad PC value
[ 80.000396] ---[ end trace 6f6739840475f9ee ]---
[ 80.005279] Kernel panic - not syncing: Fatal exception in interrupt
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
---
include/net/bluetooth/hci.h | 2 ++
net/bluetooth/hci_core.c | 7 +++++++
2 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 00596e8..e8879b9 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -93,6 +93,8 @@ enum {
* states from the controller.
*/
enum {
+ HCI_UNREGISTER,
+
HCI_LE_SCAN,
};
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 5aeb624..9a01451 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -525,6 +525,11 @@ int hci_dev_open(__u16 dev)
hci_req_lock(hdev);
+ if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
+ ret = -ENODEV;
+ goto done;
+ }
+
if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
ret = -ERFKILL;
goto done;
@@ -1577,6 +1582,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+ set_bit(HCI_UNREGISTER, &hdev->dev_flags);
+
write_lock(&hci_dev_list_lock);
list_del(&hdev->list);
write_unlock(&hci_dev_list_lock);
--
1.7.8.4
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
2012-03-09 15:43 ` [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference " Johan Hovold
@ 2012-03-09 15:50 ` Johan Hovold
0 siblings, 0 replies; 13+ messages in thread
From: Johan Hovold @ 2012-03-09 15:50 UTC (permalink / raw)
To: David Herrmann
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev, Greg KH,
stable, Marcel Holtmann, Gustavo F. Padovan
On Fri, Mar 09, 2012 at 04:43:25PM +0100, Johan Hovold wrote:
> Do not close protocol driver until device has been unregistered.
>
> This fixes a race between tty_close and hci_dev_open which can result in
> a NULL-pointer dereference.
>
> The line discipline closes the protocol driver while we may still have
> hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
> dereference when lock is acquired and hci_init_req called.
[...]
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Johan Hovold <jhovold@gmail.com>
David (Herrmann), I forgot to add your Reviewed-by on this one. Feel
free to add it again if you want to.
Thanks,
Johan
> ---
> drivers/bluetooth/hci_ldisc.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
> index 97c5faa..5119c4b 100644
> --- a/drivers/bluetooth/hci_ldisc.c
> +++ b/drivers/bluetooth/hci_ldisc.c
> @@ -309,11 +309,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
> hci_uart_close(hdev);
>
> if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
> - hu->proto->close(hu);
> if (hdev) {
> hci_unregister_dev(hdev);
> hci_free_dev(hdev);
> }
> + hu->proto->close(hu);
> }
> kfree(hu);
> }
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 0/3] bluetooth: bug fixes for 3.3
2012-03-09 15:43 [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
` (2 preceding siblings ...)
2012-03-09 15:43 ` [PATCH 3/3] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
@ 2012-03-14 11:25 ` Johan Hovold
2012-03-14 18:16 ` Marcel Holtmann
3 siblings, 1 reply; 13+ messages in thread
From: Johan Hovold @ 2012-03-14 11:25 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH
Hi Marcel and Gustavo,
On Fri, Mar 09, 2012 at 04:43:23PM +0100, Johan Hovold wrote:
> This is a revised series which also contains a minimal fix to the memory leak
> discovered by David Hermann upon which the first NULL-pointer-dereference fix
> also depends.
>
> These patches need to get to Linus ASAP as the problems are present in 3.3-rc6
> as well as earlier kernels and thus should be backported to the stable trees as
> well.
Any chance to get these into 3.3? Otherwise, is it possible to rebase
bluetooth-next on top of these so that Greg can get them into 3.3.1 (and
the other stable trees) once bluetooth-next is merged?
All three bugs can be used to crash any kernel with HCI-UART support and
can probably be used for exploits as they are extremely easy to trigger
reliably.
Thanks,
Johan
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 0/3] bluetooth: bug fixes for 3.3
2012-03-14 11:25 ` [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
@ 2012-03-14 18:16 ` Marcel Holtmann
2012-03-15 13:47 ` bluetooth: bug fixes for bluetooth-next Johan Hovold
0 siblings, 1 reply; 13+ messages in thread
From: Marcel Holtmann @ 2012-03-14 18:16 UTC (permalink / raw)
To: Johan Hovold
Cc: Gustavo F. Padovan, David S. Miller, linux-bluetooth,
linux-kernel, netdev, David Herrmann, Greg KH
Hi Johan,
> > This is a revised series which also contains a minimal fix to the memory leak
> > discovered by David Hermann upon which the first NULL-pointer-dereference fix
> > also depends.
> >
> > These patches need to get to Linus ASAP as the problems are present in 3.3-rc6
> > as well as earlier kernels and thus should be backported to the stable trees as
> > well.
>
> Any chance to get these into 3.3? Otherwise, is it possible to rebase
> bluetooth-next on top of these so that Greg can get them into 3.3.1 (and
> the other stable trees) once bluetooth-next is merged?
>
> All three bugs can be used to crash any kernel with HCI-UART support and
> can probably be used for exploits as they are extremely easy to trigger
> reliably.
only if you have access to the TTY device node in the first place. If
you do not have access to that device node, you can not crash the
kernel.
Can you resend a clean set of patches for bluetooth-next and once we
have that merged, we can talk on how to backport this to 3.3 and also
-stable.
Regards
Marcel
^ permalink raw reply [flat|nested] 13+ messages in thread
* bluetooth: bug fixes for bluetooth-next
2012-03-14 18:16 ` Marcel Holtmann
@ 2012-03-15 13:47 ` Johan Hovold
2012-03-15 13:48 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Johan Hovold
0 siblings, 1 reply; 13+ messages in thread
From: Johan Hovold @ 2012-03-15 13:47 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold
On Wed, Mar 14, 2012 at 11:16:54AM -0700, Marcel Holtmann wrote:
> > > This is a revised series which also contains a minimal fix to the memory leak
> > > discovered by David Hermann upon which the first NULL-pointer-dereference fix
> > > also depends.
> > >
> > > These patches need to get to Linus ASAP as the problems are present in 3.3-rc6
> > > as well as earlier kernels and thus should be backported to the stable trees as
> > > well.
> >
> > Any chance to get these into 3.3? Otherwise, is it possible to rebase
> > bluetooth-next on top of these so that Greg can get them into 3.3.1 (and
> > the other stable trees) once bluetooth-next is merged?
> >
> > All three bugs can be used to crash any kernel with HCI-UART support and
> > can probably be used for exploits as they are extremely easy to trigger
> > reliably.
>
> only if you have access to the TTY device node in the first place. If
> you do not have access to that device node, you can not crash the
> kernel.
>
> Can you resend a clean set of patches for bluetooth-next and once we
> have that merged, we can talk on how to backport this to 3.3 and also
> -stable.
I'll respond to this mail with the two NULL-deref fixes against
bluetooth-next of today (44e612b3e6566f0b).
As I've mentioned before, a fix for the memory leak is already in
bluetooth-next and my first patch depends on it. Unfortunately, the
memory-leak fix in bluetooth-next is not a minimal fix but a more
invasive one:
797fe796c4335b3 ("Bluetooth: uart-ldisc: Fix memory leak and
remove destruct cb")
and it also depends on a second commit (from bluetooth-next):
010666a126fce7b ("Bluetooth: Make hci-destruct callback
optional")
Neither is marked for stable (and at least the latter probably shouldn't
be).
Please make sure that the memory leak fix also gets backported to
stable. A minimal (2-line) fix can be found here:
http://marc.info/?l=linux-bluetooth&m=133130797428708&w=2
Thanks,
Johan
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
2012-03-15 13:47 ` bluetooth: bug fixes for bluetooth-next Johan Hovold
@ 2012-03-15 13:48 ` Johan Hovold
2012-03-15 13:48 ` [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
2012-03-15 15:21 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Marcel Holtmann
0 siblings, 2 replies; 13+ messages in thread
From: Johan Hovold @ 2012-03-15 13:48 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold, stable
Do not close protocol driver until device has been unregistered.
This fixes a race between tty_close and hci_dev_open which can result in
a NULL-pointer dereference.
The line discipline closes the protocol driver while we may still have
hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
dereference when lock is acquired and hci_init_req called.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close detaches protocol driver and cancels init req
5. hci_dev_open (1) releases req lock
6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
when request is prepared in hci_uart_send_frame
[ 137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
[ 137.209838] pgd = c0004000
[ 137.212677] [00000028] *pgd=00000000
[ 137.216430] Internal error: Oops: 17 [#1]
[ 137.220642] Modules linked in:
[ 137.223846] CPU: 0 Tainted: G W (3.3.0-rc6-dirty #406)
[ 137.230529] PC is at __lock_acquire+0x5c/0x1ab0
[ 137.235290] LR is at lock_acquire+0x9c/0x128
[ 137.239776] pc : [<c0071490>] lr : [<c00733f8>] psr: 20000093
[ 137.239776] sp : cf869dd8 ip : c0529554 fp : c051c730
[ 137.251800] r10: 00000000 r9 : cf8673c0 r8 : 00000080
[ 137.257293] r7 : 00000028 r6 : 00000002 r5 : 00000000 r4 : c053fd70
[ 137.264129] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000001
[ 137.270965] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 137.278717] Control: 10c5387d Table: 8f0f4019 DAC: 00000015
[ 137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
[ 137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
[ 137.295776] 9dc0: c0529554 00000000
[ 137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
[ 137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
[ 137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
[ 137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
[ 137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
[ 137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
[ 137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
[ 137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
[ 137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
[ 137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
[ 137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
[ 137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
[ 137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
[ 137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
[ 137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
[ 137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
[ 137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
[ 137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
[ 137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
[ 137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
[ 137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
[ 137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
[ 137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
[ 137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
[ 137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
[ 137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
[ 137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
[ 137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
[ 137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
[ 137.559234] ---[ end trace 1b75b31a2719ed1e ]---
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
---
drivers/bluetooth/hci_ldisc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index fd5adb4..98a8c05 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -299,11 +299,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
hci_uart_close(hdev);
if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
- hu->proto->close(hu);
if (hdev) {
hci_unregister_dev(hdev);
hci_free_dev(hdev);
}
+ hu->proto->close(hu);
}
kfree(hu);
--
1.7.8.4
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister
2012-03-15 13:48 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Johan Hovold
@ 2012-03-15 13:48 ` Johan Hovold
2012-03-15 15:23 ` Marcel Holtmann
2012-03-15 15:21 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Marcel Holtmann
1 sibling, 1 reply; 13+ messages in thread
From: Johan Hovold @ 2012-03-15 13:48 UTC (permalink / raw)
To: Marcel Holtmann, Gustavo F. Padovan
Cc: David S. Miller, linux-bluetooth, linux-kernel, netdev,
David Herrmann, Greg KH, Johan Hovold, stable
Make sure hci_dev_open returns immediately if hci_dev_unregister has
been called.
This fixes a race between hci_dev_open and hci_dev_unregister which can
lead to a NULL-pointer dereference.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n /dev/ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
hci_dev_do_close
5. hci_dev_open (1) releases req lock
6. hci_dev_do_close grabs req lock and returns as device is not up
7. hci_dev_unregister sleeps in destroy_workqueue
8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
9. hci_dev_unregister finishes, while hci_dev_open is still running...
[ 79.627136] INFO: trying to register non-static key.
[ 79.632354] the code is fine but needs lockdep annotation.
[ 79.638122] turning off the locking correctness validator.
[ 79.643920] [<c00188bc>] (unwind_backtrace+0x0/0xf8) from [<c00729c4>] (__lock_acquire+0x1590/0x1ab0)
[ 79.653594] [<c00729c4>] (__lock_acquire+0x1590/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
[ 79.663085] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0040a88>] (run_timer_softirq+0x150/0x3ac)
[ 79.672668] [<c0040a88>] (run_timer_softirq+0x150/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
[ 79.682281] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
[ 79.690856] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
[ 79.699157] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
[ 79.708648] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
[ 79.718048] Exception stack(0xcf281fb0 to 0xcf281ff8)
[ 79.723358] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
[ 79.731933] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
[ 79.740509] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
[ 79.747497] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 79.756011] pgd = cf3b4000
[ 79.758850] [00000000] *pgd=8f0c7831, *pte=00000000, *ppte=00000000
[ 79.765502] Internal error: Oops: 80000007 [#1]
[ 79.770294] Modules linked in:
[ 79.773529] CPU: 0 Tainted: G W (3.3.0-rc6-00002-gb5d5c87 #421)
[ 79.781066] PC is at 0x0
[ 79.783721] LR is at run_timer_softirq+0x16c/0x3ac
[ 79.788787] pc : [<00000000>] lr : [<c0040aa4>] psr: 60000113
[ 79.788787] sp : cf281ee0 ip : 00000000 fp : cf280000
[ 79.800903] r10: 00000004 r9 : 00000100 r8 : b6f234d0
[ 79.806427] r7 : c0519c28 r6 : cf093488 r5 : c0561a00 r4 : 00000000
[ 79.813323] r3 : 00000000 r2 : c054eee0 r1 : 00000001 r0 : 00000000
[ 79.820190] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 79.827728] Control: 10c5387d Table: 8f3b4019 DAC: 00000015
[ 79.833801] Process gpsd (pid: 1265, stack limit = 0xcf2802e8)
[ 79.839965] Stack: (0xcf281ee0 to 0xcf282000)
[ 79.844573] 1ee0: 00000002 00000000 c0040a24 00000000 00000002 cf281f08 00200200 00000000
[ 79.853210] 1f00: 00000000 cf281f18 cf281f08 00000000 00000000 00000000 cf281f18 cf281f18
[ 79.861816] 1f20: 00000000 00000001 c056184c 00000000 00000001 b6f234d0 c0561848 00000004
[ 79.870452] 1f40: cf280000 c003a3b8 c051e79c 00000001 00000000 00000100 3fa9e7b8 0000000a
[ 79.879089] 1f60: 00000025 cf280000 00000025 00000000 00000000 b6f234d0 00000000 00000004
[ 79.887756] 1f80: 00000000 c003a924 c053ad38 c0013a50 fa200000 cf281fb0 ffffffff c0008530
[ 79.896362] 1fa0: 0001e6a0 0000aab8 80000010 c037499c 0001e6a0 be8dab00 0001e698 00036698
[ 79.904998] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
[ 79.913665] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff 00fbf700 04ffff00
[ 79.922302] [<c0040aa4>] (run_timer_softirq+0x16c/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
[ 79.931945] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
[ 79.940582] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
[ 79.948913] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
[ 79.958404] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
[ 79.967773] Exception stack(0xcf281fb0 to 0xcf281ff8)
[ 79.973083] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
[ 79.981658] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
[ 79.990234] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
[ 79.997161] Code: bad PC value
[ 80.000396] ---[ end trace 6f6739840475f9ee ]---
[ 80.005279] Kernel panic - not syncing: Fatal exception in interrupt
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
---
include/net/bluetooth/hci.h | 1 +
net/bluetooth/hci_core.c | 7 +++++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 344b0f9..8f928f7 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -92,6 +92,7 @@ enum {
HCI_SERVICE_CACHE,
HCI_LINK_KEYS,
HCI_DEBUG_KEYS,
+ HCI_UNREGISTER,
HCI_LE_SCAN,
HCI_SSP_ENABLED,
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2f3e1bb..2e3f193 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -666,6 +666,11 @@ int hci_dev_open(__u16 dev)
hci_req_lock(hdev);
+ if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
+ ret = -ENODEV;
+ goto done;
+ }
+
if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
ret = -ERFKILL;
goto done;
@@ -1850,6 +1855,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+ set_bit(HCI_UNREGISTER, &hdev->dev_flags);
+
write_lock(&hci_dev_list_lock);
list_del(&hdev->list);
write_unlock(&hci_dev_list_lock);
--
1.7.8.4
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
2012-03-15 13:48 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Johan Hovold
2012-03-15 13:48 ` [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
@ 2012-03-15 15:21 ` Marcel Holtmann
2012-03-16 16:03 ` Johan Hedberg
1 sibling, 1 reply; 13+ messages in thread
From: Marcel Holtmann @ 2012-03-15 15:21 UTC (permalink / raw)
To: Johan Hovold
Cc: Gustavo F. Padovan, David S. Miller, linux-bluetooth,
linux-kernel, netdev, David Herrmann, Greg KH, stable
Hi Johan,
> Do not close protocol driver until device has been unregistered.
>
> This fixes a race between tty_close and hci_dev_open which can result in
> a NULL-pointer dereference.
>
> The line discipline closes the protocol driver while we may still have
> hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
> dereference when lock is acquired and hci_init_req called.
>
> Bug is 100% reproducible using hciattach and a disconnected serial port:
>
> 0. # hciattach -n ttyO1 any noflow
>
> 1. hci_dev_open called from hci_power_on grabs req lock
> 2. hci_init_req executes but device fails to initialise (times out
> eventually)
> 3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
> 4. hci_uart_tty_close detaches protocol driver and cancels init req
> 5. hci_dev_open (1) releases req lock
> 6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
> when request is prepared in hci_uart_send_frame
>
> [ 137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
> [ 137.209838] pgd = c0004000
> [ 137.212677] [00000028] *pgd=00000000
> [ 137.216430] Internal error: Oops: 17 [#1]
> [ 137.220642] Modules linked in:
> [ 137.223846] CPU: 0 Tainted: G W (3.3.0-rc6-dirty #406)
> [ 137.230529] PC is at __lock_acquire+0x5c/0x1ab0
> [ 137.235290] LR is at lock_acquire+0x9c/0x128
> [ 137.239776] pc : [<c0071490>] lr : [<c00733f8>] psr: 20000093
> [ 137.239776] sp : cf869dd8 ip : c0529554 fp : c051c730
> [ 137.251800] r10: 00000000 r9 : cf8673c0 r8 : 00000080
> [ 137.257293] r7 : 00000028 r6 : 00000002 r5 : 00000000 r4 : c053fd70
> [ 137.264129] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000001
> [ 137.270965] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> [ 137.278717] Control: 10c5387d Table: 8f0f4019 DAC: 00000015
> [ 137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
> [ 137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
> [ 137.295776] 9dc0: c0529554 00000000
> [ 137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
> [ 137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
> [ 137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
> [ 137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
> [ 137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
> [ 137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
> [ 137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
> [ 137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
> [ 137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
> [ 137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
> [ 137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
> [ 137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
> [ 137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
> [ 137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
> [ 137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
> [ 137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
> [ 137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
> [ 137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
> [ 137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
> [ 137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
> [ 137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
> [ 137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
> [ 137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
> [ 137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
> [ 137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
> [ 137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
> [ 137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
> [ 137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
> [ 137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
> [ 137.559234] ---[ end trace 1b75b31a2719ed1e ]---
>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Johan Hovold <jhovold@gmail.com>
> ---
> drivers/bluetooth/hci_ldisc.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister
2012-03-15 13:48 ` [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
@ 2012-03-15 15:23 ` Marcel Holtmann
0 siblings, 0 replies; 13+ messages in thread
From: Marcel Holtmann @ 2012-03-15 15:23 UTC (permalink / raw)
To: Johan Hovold
Cc: Gustavo F. Padovan, David S. Miller, linux-bluetooth,
linux-kernel, netdev, David Herrmann, Greg KH, stable
Hi Johan,
> Make sure hci_dev_open returns immediately if hci_dev_unregister has
> been called.
>
> This fixes a race between hci_dev_open and hci_dev_unregister which can
> lead to a NULL-pointer dereference.
>
> Bug is 100% reproducible using hciattach and a disconnected serial port:
>
> 0. # hciattach -n /dev/ttyO1 any noflow
>
> 1. hci_dev_open called from hci_power_on grabs req lock
> 2. hci_init_req executes but device fails to initialise (times out
> eventually)
> 3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
> 4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
> hci_dev_do_close
> 5. hci_dev_open (1) releases req lock
> 6. hci_dev_do_close grabs req lock and returns as device is not up
> 7. hci_dev_unregister sleeps in destroy_workqueue
> 8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
> 9. hci_dev_unregister finishes, while hci_dev_open is still running...
>
> [ 79.627136] INFO: trying to register non-static key.
> [ 79.632354] the code is fine but needs lockdep annotation.
> [ 79.638122] turning off the locking correctness validator.
> [ 79.643920] [<c00188bc>] (unwind_backtrace+0x0/0xf8) from [<c00729c4>] (__lock_acquire+0x1590/0x1ab0)
> [ 79.653594] [<c00729c4>] (__lock_acquire+0x1590/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
> [ 79.663085] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0040a88>] (run_timer_softirq+0x150/0x3ac)
> [ 79.672668] [<c0040a88>] (run_timer_softirq+0x150/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
> [ 79.682281] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
> [ 79.690856] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
> [ 79.699157] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
> [ 79.708648] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
> [ 79.718048] Exception stack(0xcf281fb0 to 0xcf281ff8)
> [ 79.723358] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
> [ 79.731933] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
> [ 79.740509] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
> [ 79.747497] Unable to handle kernel NULL pointer dereference at virtual address 00000000
> [ 79.756011] pgd = cf3b4000
> [ 79.758850] [00000000] *pgd=8f0c7831, *pte=00000000, *ppte=00000000
> [ 79.765502] Internal error: Oops: 80000007 [#1]
> [ 79.770294] Modules linked in:
> [ 79.773529] CPU: 0 Tainted: G W (3.3.0-rc6-00002-gb5d5c87 #421)
> [ 79.781066] PC is at 0x0
> [ 79.783721] LR is at run_timer_softirq+0x16c/0x3ac
> [ 79.788787] pc : [<00000000>] lr : [<c0040aa4>] psr: 60000113
> [ 79.788787] sp : cf281ee0 ip : 00000000 fp : cf280000
> [ 79.800903] r10: 00000004 r9 : 00000100 r8 : b6f234d0
> [ 79.806427] r7 : c0519c28 r6 : cf093488 r5 : c0561a00 r4 : 00000000
> [ 79.813323] r3 : 00000000 r2 : c054eee0 r1 : 00000001 r0 : 00000000
> [ 79.820190] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
> [ 79.827728] Control: 10c5387d Table: 8f3b4019 DAC: 00000015
> [ 79.833801] Process gpsd (pid: 1265, stack limit = 0xcf2802e8)
> [ 79.839965] Stack: (0xcf281ee0 to 0xcf282000)
> [ 79.844573] 1ee0: 00000002 00000000 c0040a24 00000000 00000002 cf281f08 00200200 00000000
> [ 79.853210] 1f00: 00000000 cf281f18 cf281f08 00000000 00000000 00000000 cf281f18 cf281f18
> [ 79.861816] 1f20: 00000000 00000001 c056184c 00000000 00000001 b6f234d0 c0561848 00000004
> [ 79.870452] 1f40: cf280000 c003a3b8 c051e79c 00000001 00000000 00000100 3fa9e7b8 0000000a
> [ 79.879089] 1f60: 00000025 cf280000 00000025 00000000 00000000 b6f234d0 00000000 00000004
> [ 79.887756] 1f80: 00000000 c003a924 c053ad38 c0013a50 fa200000 cf281fb0 ffffffff c0008530
> [ 79.896362] 1fa0: 0001e6a0 0000aab8 80000010 c037499c 0001e6a0 be8dab00 0001e698 00036698
> [ 79.904998] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
> [ 79.913665] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff 00fbf700 04ffff00
> [ 79.922302] [<c0040aa4>] (run_timer_softirq+0x16c/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
> [ 79.931945] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
> [ 79.940582] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
> [ 79.948913] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
> [ 79.958404] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
> [ 79.967773] Exception stack(0xcf281fb0 to 0xcf281ff8)
> [ 79.973083] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
> [ 79.981658] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
> [ 79.990234] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
> [ 79.997161] Code: bad PC value
> [ 80.000396] ---[ end trace 6f6739840475f9ee ]---
> [ 80.005279] Kernel panic - not syncing: Fatal exception in interrupt
>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Johan Hovold <jhovold@gmail.com>
> ---
> include/net/bluetooth/hci.h | 1 +
> net/bluetooth/hci_core.c | 7 +++++++
> 2 files changed, 8 insertions(+), 0 deletions(-)
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
2012-03-15 15:21 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Marcel Holtmann
@ 2012-03-16 16:03 ` Johan Hedberg
0 siblings, 0 replies; 13+ messages in thread
From: Johan Hedberg @ 2012-03-16 16:03 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hovold, Gustavo F. Padovan, David S. Miller,
linux-bluetooth, linux-kernel, netdev, David Herrmann, Greg KH,
stable
Hi,
On Thu, Mar 15, 2012, Marcel Holtmann wrote:
> Hi Johan,
>
> > Do not close protocol driver until device has been unregistered.
> >
> > This fixes a race between tty_close and hci_dev_open which can result in
> > a NULL-pointer dereference.
> >
> > The line discipline closes the protocol driver while we may still have
> > hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
> > dereference when lock is acquired and hci_init_req called.
> >
> > Bug is 100% reproducible using hciattach and a disconnected serial port:
> >
> > 0. # hciattach -n ttyO1 any noflow
> >
> > 1. hci_dev_open called from hci_power_on grabs req lock
> > 2. hci_init_req executes but device fails to initialise (times out
> > eventually)
> > 3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
> > 4. hci_uart_tty_close detaches protocol driver and cancels init req
> > 5. hci_dev_open (1) releases req lock
> > 6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
> > when request is prepared in hci_uart_send_frame
> >
> > [ 137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
> > [ 137.209838] pgd = c0004000
> > [ 137.212677] [00000028] *pgd=00000000
> > [ 137.216430] Internal error: Oops: 17 [#1]
> > [ 137.220642] Modules linked in:
> > [ 137.223846] CPU: 0 Tainted: G W (3.3.0-rc6-dirty #406)
> > [ 137.230529] PC is at __lock_acquire+0x5c/0x1ab0
> > [ 137.235290] LR is at lock_acquire+0x9c/0x128
> > [ 137.239776] pc : [<c0071490>] lr : [<c00733f8>] psr: 20000093
> > [ 137.239776] sp : cf869dd8 ip : c0529554 fp : c051c730
> > [ 137.251800] r10: 00000000 r9 : cf8673c0 r8 : 00000080
> > [ 137.257293] r7 : 00000028 r6 : 00000002 r5 : 00000000 r4 : c053fd70
> > [ 137.264129] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000001
> > [ 137.270965] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> > [ 137.278717] Control: 10c5387d Table: 8f0f4019 DAC: 00000015
> > [ 137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
> > [ 137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
> > [ 137.295776] 9dc0: c0529554 00000000
> > [ 137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
> > [ 137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
> > [ 137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
> > [ 137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
> > [ 137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
> > [ 137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
> > [ 137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
> > [ 137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
> > [ 137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
> > [ 137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
> > [ 137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
> > [ 137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
> > [ 137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
> > [ 137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
> > [ 137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
> > [ 137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
> > [ 137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
> > [ 137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
> > [ 137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
> > [ 137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
> > [ 137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
> > [ 137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
> > [ 137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
> > [ 137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
> > [ 137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
> > [ 137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
> > [ 137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
> > [ 137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
> > [ 137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
> > [ 137.559234] ---[ end trace 1b75b31a2719ed1e ]---
> >
> > Cc: stable <stable@vger.kernel.org>
> > Signed-off-by: Johan Hovold <jhovold@gmail.com>
> > ---
> > drivers/bluetooth/hci_ldisc.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
>
> Acked-by: Marcel Holtmann <marcel@holtmann.org>
Both patches have been applied to my bluetooth-next tree. Thanks.
Johan
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2012-03-16 16:03 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-03-09 15:43 [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
2012-03-09 15:43 ` [PATCH 1/3] bluetooth: hci_ldisc: fix memory leak on tty_close Johan Hovold
2012-03-09 15:43 ` [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference " Johan Hovold
2012-03-09 15:50 ` Johan Hovold
2012-03-09 15:43 ` [PATCH 3/3] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
2012-03-14 11:25 ` [PATCH 0/3] bluetooth: bug fixes for 3.3 Johan Hovold
2012-03-14 18:16 ` Marcel Holtmann
2012-03-15 13:47 ` bluetooth: bug fixes for bluetooth-next Johan Hovold
2012-03-15 13:48 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Johan Hovold
2012-03-15 13:48 ` [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
2012-03-15 15:23 ` Marcel Holtmann
2012-03-15 15:21 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Marcel Holtmann
2012-03-16 16:03 ` Johan Hedberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).