| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <80e24ed7-a34a-7fac-c709-06ccad6d2612@gnuweeb.org>
Date: Wed, 4 Aug 2021 18:43:15 +0700
From: Ammar Faizi <ammarfaizi2@...weeb.org>
To: Hillf Danton <hdanton@...a.com>
Cc: Lin Ma <linma@....edu.cn>, Marcel Holtmann <marcel@...tmann.org>,
Ammar Faizi <ammarfaizi2@...il.com>,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: WARNING: possible circular locking dependency detected
(hci_sock_dev_event+0x17d/0x1f0)
See the original report here:
https://lore.kernel.org/lkml/2c40741c-8c8f-a105-1846-aa1ed15a6c7e@gnuweeb.org/
On 8/4/21 3:56 PM, Hillf Danton wrote:
> On Mon, 2 Aug 2021 20:17:02 +0700 Ammar Faizi wrote:
>> Hi everyone,
>>
>> I found a potential deadlock at hci_sock_dev_event.
>
> Thanks for your report.
>
> Can you try and see if reverting e305509e678b3a4af2b3cfd410f409f7cdaabb52
> ("Bluetooth: use correct lock to prevent UAF of hdev object") is a cure.
>
Hi Hillf,
Thank you for your response.
Here is what I have tried:
1. Reverted e305509e678b3a4af2b3cfd410f409f7cdaabb52.
2. Compile and install reverted version.
3. Rebooted 5.14.0-rc3 (c7d102232649, before revert) and try to
reproduce again. At this point I am able to reproduce it.
4. Booted 5.14.0-rc3 (the reverted version). The deadlock warning is
gone after reverting it. No more deadlock warning.
------------------------------------------------------------
[ 51207ee38ab65db86554655300a912e8c661525e is my local revert. ]
Revert diff:
ammarfaizi2@...egral:~/project/now/linux$ git diff
c7d102232649226a69dddd58a4942cf13cff4f7c
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index b04a5a02ecf3..590467345c5f 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -762,7 +762,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
/* Detach sockets from device */
read_lock(&hci_sk_list.lock);
sk_for_each(sk, &hci_sk_list.head) {
- lock_sock(sk);
+ bh_lock_sock_nested(sk);
if (hci_pi(sk)->hdev == hdev) {
hci_pi(sk)->hdev = NULL;
sk->sk_err = EPIPE;
@@ -771,7 +771,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
hci_dev_put(hdev);
}
- release_sock(sk);
+ bh_unlock_sock(sk);
}
read_unlock(&hci_sk_list.lock);
}
ammarfaizi2@...egral:~/project/now/linux$
------------------------------------------------------------
Summary:
Reverting e305509e678b3a4af2b3cfd410f409f7cdaabb52 is a cure.
Although it fixes the deadlock, there is probably something still goes
wrong regarding "prevent UAF" as the commit message says.
Will anyone create a patch for this?
I want to be the tester, I am new at kernel development and want to
start contributing, so please guide me :)
I also attached dmesg log before and after revert if you want to see the
full log.
Adding Lin as the author of e305509e678b3a4af2b3cfd410f409f7cdaabb52 to
CC list...
--
Ammar
View attachment "dmesg_after_revert.txt" of type "text/plain" (226163 bytes)
View attachment "dmesg_before_revert.txt" of type "text/plain" (233641 bytes)
Powered by blists - more mailing lists