Message ID | 9deece33-5d7f-9dcb-9aaa-94c60d28fc9a@i-love.sakura.ne.jp |
---|---|
State | New |
Headers | show |
Series | [v2] Bluetooth: call lock_sock() outside of spinlock section | expand |
Hi Tetsuo, On Wed, Jul 7, 2021 at 2:43 AM Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote: > > syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to > calling lock_sock() with rw spinlock held [1]. Defer calling lock_sock() > via sock_hold(). > > Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1] > Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > Tested-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> > Fixes: e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object") > --- > Changes in v2: > Take hci_sk_list.lock for write in case bt_sock_unlink() is called after > sk_hashed(sk) test, and defer hci_dev_put(hdev) till schedulable context. > > net/bluetooth/hci_sock.c | 32 +++++++++++++++++++++++++++++--- > 1 file changed, 29 insertions(+), 3 deletions(-) > > diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c > index b04a5a02ecf3..d8e1ac1ae10d 100644 > --- a/net/bluetooth/hci_sock.c > +++ b/net/bluetooth/hci_sock.c > @@ -758,20 +758,46 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) > > if (event == HCI_DEV_UNREG) { > struct sock *sk; > + bool put_dev; > > +restart: > + put_dev = false; > /* Detach sockets from device */ > read_lock(&hci_sk_list.lock); > sk_for_each(sk, &hci_sk_list.head) { > + /* hci_sk_list.lock is preventing hci_sock_release() > + * from calling bt_sock_unlink(). > + */ > + if (hci_pi(sk)->hdev != hdev || sk_unhashed(sk)) > + continue; > + /* Take a ref because we can't call lock_sock() with > + * hci_sk_list.lock held. > + */ > + sock_hold(sk); > + read_unlock(&hci_sk_list.lock); > lock_sock(sk); > - if (hci_pi(sk)->hdev == hdev) { > + /* Since hci_sock_release() might have already called > + * bt_sock_unlink() while waiting for lock_sock(), > + * use sk_hashed(sk) for checking that bt_sock_unlink() > + * is not yet called. > + */ > + write_lock(&hci_sk_list.lock); > + if (sk_hashed(sk) && hci_pi(sk)->hdev == hdev) { > hci_pi(sk)->hdev = NULL; > sk->sk_err = EPIPE; > sk->sk_state = BT_OPEN; > sk->sk_state_change(sk); > - > - hci_dev_put(hdev); > + put_dev = true; > } > + write_unlock(&hci_sk_list.lock); > release_sock(sk); > + sock_put(sk); > + if (put_dev) > + hci_dev_put(hdev); > + /* Restarting is safe, for hci_pi(sk)->hdev != hdev if > + * condition met and sk_unhashed(sk) == true otherwise. > + */ > + goto restart; This sounds a little too complicated, afaik backward goto is not even consider a good practice either, since it appears we don't unlink the sockets here we could perhaps don't release the reference to hdev either and leave hci_sock_release to deal with it and then perhaps we can take away the backward goto, actually why are you restarting to begin with? It is also weird that this only manifests in the Bluetooth HCI sockets or other subsystems don't use such locking mechanism anymore? > } > read_unlock(&hci_sk_list.lock); > } > -- > 2.18.4 > >
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=511891 ---Test result--- Test Summary: CheckPatch FAIL 0.66 seconds GitLint FAIL 0.13 seconds BuildKernel PASS 670.72 seconds TestRunner: Setup PASS 443.19 seconds TestRunner: l2cap-tester PASS 2.99 seconds TestRunner: bnep-tester PASS 2.16 seconds TestRunner: mgmt-tester PASS 34.81 seconds TestRunner: rfcomm-tester PASS 2.44 seconds TestRunner: sco-tester PASS 2.40 seconds TestRunner: smp-tester FAIL 2.49 seconds TestRunner: userchan-tester PASS 2.14 seconds Details ############################## Test: CheckPatch - FAIL - 0.66 seconds Run checkpatch.pl script with rule in .checkpatch.conf Bluetooth: call lock_sock() outside of spinlock section WARNING: From:/Signed-off-by: email address mismatch: 'From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>' != 'Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>' total: 0 errors, 1 warnings, 0 checks, 49 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. "[PATCH] Bluetooth: call lock_sock() outside of spinlock section" has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. ############################## Test: GitLint - FAIL - 0.13 seconds Run gitlint with rule in .gitlint Bluetooth: call lock_sock() outside of spinlock section 11: B1 Line exceeds max length (85>80): "Fixes: e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object")" ############################## Test: BuildKernel - PASS - 670.72 seconds Build Kernel with minimal configuration supports Bluetooth ############################## Test: TestRunner: Setup - PASS - 443.19 seconds Setup environment for running Test Runner ############################## Test: TestRunner: l2cap-tester - PASS - 2.99 seconds Run test-runner with l2cap-tester Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0 ############################## Test: TestRunner: bnep-tester - PASS - 2.16 seconds Run test-runner with bnep-tester Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0 ############################## Test: TestRunner: mgmt-tester - PASS - 34.81 seconds Run test-runner with mgmt-tester Total: 446, Passed: 443 (99.3%), Failed: 0, Not Run: 3 ############################## Test: TestRunner: rfcomm-tester - PASS - 2.44 seconds Run test-runner with rfcomm-tester Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0 ############################## Test: TestRunner: sco-tester - PASS - 2.40 seconds Run test-runner with sco-tester Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0 ############################## Test: TestRunner: smp-tester - FAIL - 2.49 seconds Run test-runner with smp-tester Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0 Failed Test Cases SMP Client - SC Request 2 Failed 0.036 seconds ############################## Test: TestRunner: userchan-tester - PASS - 2.14 seconds Run test-runner with userchan-tester Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0 --- Regards, Linux Bluetooth
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index b04a5a02ecf3..d8e1ac1ae10d 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -758,20 +758,46 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) if (event == HCI_DEV_UNREG) { struct sock *sk; + bool put_dev; +restart: + put_dev = false; /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { + /* hci_sk_list.lock is preventing hci_sock_release() + * from calling bt_sock_unlink(). + */ + if (hci_pi(sk)->hdev != hdev || sk_unhashed(sk)) + continue; + /* Take a ref because we can't call lock_sock() with + * hci_sk_list.lock held. + */ + sock_hold(sk); + read_unlock(&hci_sk_list.lock); lock_sock(sk); - if (hci_pi(sk)->hdev == hdev) { + /* Since hci_sock_release() might have already called + * bt_sock_unlink() while waiting for lock_sock(), + * use sk_hashed(sk) for checking that bt_sock_unlink() + * is not yet called. + */ + write_lock(&hci_sk_list.lock); + if (sk_hashed(sk) && hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; sk->sk_state = BT_OPEN; sk->sk_state_change(sk); - - hci_dev_put(hdev); + put_dev = true; } + write_unlock(&hci_sk_list.lock); release_sock(sk); + sock_put(sk); + if (put_dev) + hci_dev_put(hdev); + /* Restarting is safe, for hci_pi(sk)->hdev != hdev if + * condition met and sk_unhashed(sk) == true otherwise. + */ + goto restart; } read_unlock(&hci_sk_list.lock); }