lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 4 Aug 2021 18:43:15 +0700
From:   Ammar Faizi <ammarfaizi2@...weeb.org>
To:     Hillf Danton <hdanton@...a.com>
Cc:     Lin Ma <linma@....edu.cn>, Marcel Holtmann <marcel@...tmann.org>,
        Ammar Faizi <ammarfaizi2@...il.com>,
        linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: WARNING: possible circular locking dependency detected
 (hci_sock_dev_event+0x17d/0x1f0)

See the original report here:
https://lore.kernel.org/lkml/2c40741c-8c8f-a105-1846-aa1ed15a6c7e@gnuweeb.org/

On 8/4/21 3:56 PM, Hillf Danton wrote:
> On Mon, 2 Aug 2021 20:17:02 +0700 Ammar Faizi wrote:
>> Hi everyone,
>>
>> I found a potential deadlock at hci_sock_dev_event.
>
> Thanks for your report.
>
> Can you try and see if reverting e305509e678b3a4af2b3cfd410f409f7cdaabb52
> ("Bluetooth: use correct lock to prevent UAF of hdev object") is a cure.
>

Hi Hillf,

Thank you for your response.

Here is what I have tried:
1. Reverted e305509e678b3a4af2b3cfd410f409f7cdaabb52.
2. Compile and install reverted version.
3. Rebooted 5.14.0-rc3 (c7d102232649, before revert) and try to
reproduce again. At this point I am able to reproduce it.
4. Booted 5.14.0-rc3 (the reverted version). The deadlock warning is
gone after reverting it. No more deadlock warning.

------------------------------------------------------------
[ 51207ee38ab65db86554655300a912e8c661525e is my local revert. ]
Revert diff:
ammarfaizi2@...egral:~/project/now/linux$ git diff
c7d102232649226a69dddd58a4942cf13cff4f7c
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index b04a5a02ecf3..590467345c5f 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -762,7 +762,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
                /* Detach sockets from device */
                read_lock(&hci_sk_list.lock);
                sk_for_each(sk, &hci_sk_list.head) {
-                       lock_sock(sk);
+                       bh_lock_sock_nested(sk);
                        if (hci_pi(sk)->hdev == hdev) {
                                hci_pi(sk)->hdev = NULL;
                                sk->sk_err = EPIPE;
@@ -771,7 +771,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)

                                hci_dev_put(hdev);
                        }
-                       release_sock(sk);
+                       bh_unlock_sock(sk);
                }
                read_unlock(&hci_sk_list.lock);
        }
ammarfaizi2@...egral:~/project/now/linux$
------------------------------------------------------------

Summary:
Reverting e305509e678b3a4af2b3cfd410f409f7cdaabb52 is a cure.

Although it fixes the deadlock, there is probably something still goes
wrong regarding "prevent UAF" as the commit message says.

Will anyone create a patch for this?
I want to be the tester, I am new at kernel development and want to
start contributing, so please guide me :)

I also attached dmesg log before and after revert if you want to see the
full log.

Adding Lin as the author of e305509e678b3a4af2b3cfd410f409f7cdaabb52 to
CC list...


--
Ammar


View attachment "dmesg_after_revert.txt" of type "text/plain" (226163 bytes)

View attachment "dmesg_before_revert.txt" of type "text/plain" (233641 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ