linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: Hillf Danton <hdanton@sina.com>
Cc: Leon Romanovsky <leon@kernel.org>, SyzScope <syzscope@gmail.com>,
	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org,
	linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	marcel@holtmann.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in hci_chan_del
Date: Tue, 8 Jun 2021 10:40:12 +0200	[thread overview]
Message-ID: <YL8s7F1pPEw6Oc5s@kroah.com> (raw)
In-Reply-To: <20210608081800.3484-1-hdanton@sina.com>

On Tue, Jun 08, 2021 at 04:18:00PM +0800, Hillf Danton wrote:
> On Mon, 7 Jun 2021 12:31:39 +0200 Greg KH wrote:
> >On Mon, Jun 07, 2021 at 06:02:01PM +0800, Hillf Danton wrote:
> >> After taking another look at the added user track, I realised that it serves
> >> no more than a one-off state word that prevents channel from being released.
> >> Then the race behind the uaf can be fixed by adding a state on top of the
> >> dryrun introduced even without tracking users.
> >> 
> >> The state machine works as the following,
> >> 1) it is initialised to be backoff that means channel cannot be released
> >>    at the moment.
> >> 2) it is changed to be dryrun on releasing to cut the race that survived
> >>    backoff.
> >> 3) it is finally set to zero for release after cutting the chance for race.
> >
> >Adding another state on top of this feels rough, does it really solve
> >the race here?
> 
> No, frankly, given the list_del_rcu() in hci_chan_del().
> 
> >Normally a reference count should be enough to properly
> >tear things down when needed, rolling back from a "can I try this now"
> >state still seems racy without the needed lock somewhere.
> 
> The rollback is added only for making sure that the channel released in
> l2cap_conn_del() would not be freed in the other pathes. That exclusiveness
> adds more barriers than thought to fixing the rare race with kref and spinlock
> in the usual and simple manner.
> 
> If OTOH channel is created with the exclusiveness taken into account by adding
> the exclusive create and delete methods for l2cap, then the race can be fixed
> by checking the exclusive mark in addition to aquiring the hdev lock at release
> time.

One would think that the state machine for the channel would fix this
whole mess, why do we need an "additional" state here in the first
place?

Would be nice if one of the bluetooth maintainers weighed in on this...

thanks,

greg k-h

  parent reply	other threads:[~2021-06-08  8:40 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-02 20:45 KASAN: use-after-free Read in hci_chan_del syzbot
2020-08-03 17:08 ` syzbot
2021-05-04 21:50 ` ETenal
2021-05-06  6:01   ` Dan Carpenter
2021-05-06  6:42     ` SyzScope
2021-06-04  9:48   ` Greg KH
2021-06-04 17:11     ` SyzScope
2021-06-05  7:43       ` Greg KH
2021-06-05 18:12         ` SyzScope
2021-06-06  5:16           ` Greg KH
2021-06-06  5:29             ` Leon Romanovsky
2021-06-06  5:06         ` Leon Romanovsky
     [not found]         ` <20210606085004.12212-1-hdanton@sina.com>
2021-06-06  9:54           ` Greg KH
     [not found]           ` <20210607074828.3259-1-hdanton@sina.com>
2021-06-07  7:55             ` Greg KH
     [not found]             ` <20210607100201.3345-1-hdanton@sina.com>
2021-06-07 10:31               ` Greg KH
     [not found]               ` <20210608081800.3484-1-hdanton@sina.com>
2021-06-08  8:40                 ` Greg KH [this message]
2021-05-28 21:12 ` SyzScope
2021-06-03 18:30   ` SyzScope
2021-06-03 18:36     ` Greg KH
2021-06-07 10:21   ` Jason A. Donenfeld
2021-06-07 10:28     ` Dmitry Vyukov
2021-06-07 11:20     ` Greg KH
2021-06-07 18:26       ` SyzScope
2021-06-08  8:46         ` Greg KH
2021-06-08  8:53     ` Dan Carpenter
2021-06-07 22:25 ` [syzbot] " syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YL8s7F1pPEw6Oc5s@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=hdanton@sina.com \
    --cc=johan.hedberg@gmail.com \
    --cc=kuba@kernel.org \
    --cc=leon@kernel.org \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luiz.dentz@gmail.com \
    --cc=marcel@holtmann.org \
    --cc=netdev@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=syzscope@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).