| Message ID | 9deece33-5d7f-9dcb-9aaa-94c60d28fc9a@i-love.sakura.ne.jp |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] Bluetooth: call lock_sock() outside of spinlock section | expand |
Hi Tetsuo, On Wed, Jul 7, 2021 at 2:43 AM Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote: > > syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to > calling lock_sock() with rw spinlock held [1]. Defer calling lock_sock() > via sock_hold(). > > Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1] > Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > Tested-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> > Fixes: e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object") > --- > Changes in v2: > Take hci_sk_list.lock for write in case bt_sock_unlink() is called after > sk_hashed(sk) test, and defer hci_dev_put(hdev) till schedulable context. > > net/bluetooth/hci_sock.c | 32 +++++++++++++++++++++++++++++--- > 1 file changed, 29 insertions(+), 3 deletions(-) > > diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c > index b04a5a02ecf3..d8e1ac1ae10d 100644 > --- a/net/bluetooth/hci_sock.c > +++ b/net/bluetooth/hci_sock.c > @@ -758,20 +758,46 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) > > if (event == HCI_DEV_UNREG) { > struct sock *sk; > + bool put_dev; > > +restart: > + put_dev = false; > /* Detach sockets from device */ > read_lock(&hci_sk_list.lock); > sk_for_each(sk, &hci_sk_list.head) { > + /* hci_sk_list.lock is preventing hci_sock_release() > + * from calling bt_sock_unlink(). > + */ > + if (hci_pi(sk)->hdev != hdev || sk_unhashed(sk)) > + continue; > + /* Take a ref because we can't call lock_sock() with > + * hci_sk_list.lock held. > + */ > + sock_hold(sk); > + read_unlock(&hci_sk_list.lock); > lock_sock(sk); > - if (hci_pi(sk)->hdev == hdev) { > + /* Since hci_sock_release() might have already called > + * bt_sock_unlink() while waiting for lock_sock(), > + * use sk_hashed(sk) for checking that bt_sock_unlink() > + * is not yet called. > + */ > + write_lock(&hci_sk_list.lock); > + if (sk_hashed(sk) && hci_pi(sk)->hdev == hdev) { > hci_pi(sk)->hdev = NULL; > sk->sk_err = EPIPE; > sk->sk_state = BT_OPEN; > sk->sk_state_change(sk); > - > - hci_dev_put(hdev); > + put_dev = true; > } > + write_unlock(&hci_sk_list.lock); > release_sock(sk); > + sock_put(sk); > + if (put_dev) > + hci_dev_put(hdev); > + /* Restarting is safe, for hci_pi(sk)->hdev != hdev if > + * condition met and sk_unhashed(sk) == true otherwise. > + */ > + goto restart; This sounds a little too complicated, afaik backward goto is not even consider a good practice either, since it appears we don't unlink the sockets here we could perhaps don't release the reference to hdev either and leave hci_sock_release to deal with it and then perhaps we can take away the backward goto, actually why are you restarting to begin with? It is also weird that this only manifests in the Bluetooth HCI sockets or other subsystems don't use such locking mechanism anymore? > } > read_unlock(&hci_sk_list.lock); > } > -- > 2.18.4 > >
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=511891
---Test result---
Test Summary:
CheckPatch FAIL 0.66 seconds
GitLint FAIL 0.13 seconds
BuildKernel PASS 670.72 seconds
TestRunner: Setup PASS 443.19 seconds
TestRunner: l2cap-tester PASS 2.99 seconds
TestRunner: bnep-tester PASS 2.16 seconds
TestRunner: mgmt-tester PASS 34.81 seconds
TestRunner: rfcomm-tester PASS 2.44 seconds
TestRunner: sco-tester PASS 2.40 seconds
TestRunner: smp-tester FAIL 2.49 seconds
TestRunner: userchan-tester PASS 2.14 seconds
Details
##############################
Test: CheckPatch - FAIL - 0.66 seconds
Run checkpatch.pl script with rule in .checkpatch.conf
Bluetooth: call lock_sock() outside of spinlock section
WARNING: From:/Signed-off-by: email address mismatch: 'From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>' != 'Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>'
total: 0 errors, 1 warnings, 0 checks, 49 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
"[PATCH] Bluetooth: call lock_sock() outside of spinlock section" has style problems, please review.
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL - 0.13 seconds
Run gitlint with rule in .gitlint
Bluetooth: call lock_sock() outside of spinlock section
11: B1 Line exceeds max length (85>80): "Fixes: e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object")"
##############################
Test: BuildKernel - PASS - 670.72 seconds
Build Kernel with minimal configuration supports Bluetooth
##############################
Test: TestRunner: Setup - PASS - 443.19 seconds
Setup environment for running Test Runner
##############################
Test: TestRunner: l2cap-tester - PASS - 2.99 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: bnep-tester - PASS - 2.16 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: mgmt-tester - PASS - 34.81 seconds
Run test-runner with mgmt-tester
Total: 446, Passed: 443 (99.3%), Failed: 0, Not Run: 3
##############################
Test: TestRunner: rfcomm-tester - PASS - 2.44 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: sco-tester - PASS - 2.40 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: smp-tester - FAIL - 2.49 seconds
Run test-runner with smp-tester
Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0
Failed Test Cases
SMP Client - SC Request 2 Failed 0.036 seconds
##############################
Test: TestRunner: userchan-tester - PASS - 2.14 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0
---
Regards,
Linux Bluetooth
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index b04a5a02ecf3..d8e1ac1ae10d 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -758,20 +758,46 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) if (event == HCI_DEV_UNREG) { struct sock *sk; + bool put_dev; +restart: + put_dev = false; /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { + /* hci_sk_list.lock is preventing hci_sock_release() + * from calling bt_sock_unlink(). + */ + if (hci_pi(sk)->hdev != hdev || sk_unhashed(sk)) + continue; + /* Take a ref because we can't call lock_sock() with + * hci_sk_list.lock held. + */ + sock_hold(sk); + read_unlock(&hci_sk_list.lock); lock_sock(sk); - if (hci_pi(sk)->hdev == hdev) { + /* Since hci_sock_release() might have already called + * bt_sock_unlink() while waiting for lock_sock(), + * use sk_hashed(sk) for checking that bt_sock_unlink() + * is not yet called. + */ + write_lock(&hci_sk_list.lock); + if (sk_hashed(sk) && hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; sk->sk_state = BT_OPEN; sk->sk_state_change(sk); - - hci_dev_put(hdev); + put_dev = true; } + write_unlock(&hci_sk_list.lock); release_sock(sk); + sock_put(sk); + if (put_dev) + hci_dev_put(hdev); + /* Restarting is safe, for hci_pi(sk)->hdev != hdev if + * condition met and sk_unhashed(sk) == true otherwise. + */ + goto restart; } read_unlock(&hci_sk_list.lock); }