lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6E42A1B4DD2F7B4D80A1F26BB498BF9F8C9F8C1539@irsmsx501.ger.corp.intel.com>
Date:	Mon, 14 Mar 2011 14:56:20 +0000
From:	"Ferraton, Jean RegisX" <jean.regisx.ferraton@...el.com>
To:	"Gustavo F. Padovan" <padovan@...fusion.mobi>
CC:	"marcel@...tmann.org" <marcel@...tmann.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"eric.dumazet@...il.com" <eric.dumazet@...il.com>,
	"xiaosuo@...il.com" <xiaosuo@...il.com>,
	"linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: [PATCH] Fix "possible circular locking dependency" in rfcomm

No response from original post, submit again, more details below:

Changes in sock.c in function __rfcomm_sock_close, to release sock before calling rfcomm_dlc_close to avoid possible deadlock when calling rfcomm_lock (in rfcomm_dlc_close).

Signed-off-by: Jean Regis Ferraton <jrferraton@...il.com>

---
 net/bluetooth/rfcomm/sock.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 66cc1f0..3b5ec09 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -234,7 +234,10 @@ static void __rfcomm_sock_close(struct sock *sk)
 	case BT_CONNECT2:
 	case BT_CONFIG:
 	case BT_CONNECTED:
+		/* release_sock to avoid deadlock when calling rfcomm_lock() */
+		release_sock(sk);
 		rfcomm_dlc_close(d, 0);
+		lock_sock(sk);
 
 	default:
 		sock_set_flag(sk, SOCK_ZAPPED);
--
1.6.2.5



This patch solves a problem of "possible circular locking dependency" related to rfcomm. Problem seen on kernel 2.6.37. Maybe it's not a bug, just a warning, see the trace below.

This problem occurs in 2 cases:
1- When initiating a connection from the remote device
2- When browsing my BT device from my PC

My analysis is the following:
1- We call the function rfcomm_sock_shutdown() which locks a socket, an after calls __rfcomm_sock_close()
     	lock_sock(sk);
    	if (!sk->sk_shutdown) {
    		sk->sk_shutdown = SHUTDOWN_MASK;
    		__rfcomm_sock_close(sk);
2- In the function __rfcomm_sock_close(), we call rfcomm_dlc_close()
	case BT_CONNECTED:
    		rfcomm_dlc_close(d, 0);
3- In the function rfcomm_dlc_close(), we call rfcomm_lock() which locks a mutex on rfcomm, and this second lock causes the problem.
	rfcomm_lock();
	r = __rfcomm_dlc_close(d, err);

My message trace is the following (for remote connect):
[  113.995511] =======================================================
[  114.001897] [ INFO: possible circular locking dependency detected ] 
[  114.008157] 2.6.37.3jrf_fix #1 
[  114.011196] -------------------------------------------------------
[  114.017457] bluetoothd/511 is trying to acquire lock:
[  114.022499]  (rfcomm_mutex){+.+.+.}, at: [<c14f281a>] rfcomm_dlc_close+0x15/0x30 
[  114.029887] 
[  114.029892] but task is already holding lock:
[  114.035713]  (sk_lock-AF_BLUETOOTH){+.+.+.}, at: [<c14f4cfe>] rfcomm_sock_shutdown+0x17/0x5d 
[  114.044147] 
[  114.044152] which lock already depends on the new lock.
[  114.044158]
[  114.052319]
[  114.052324] the existing dependency chain (in reverse order) is:
[  114.059796]
[  114.059801] -> #1 (sk_lock-AF_BLUETOOTH){+.+.+.}:
[  114.065967]        [<c105d660>] lock_acquire+0xf9/0x135
[  114.071184]        [<c1445cf3>] lock_sock_nested+0x55/0x65
[  114.076662]        [<c14ed17d>] l2cap_sock_sendmsg+0x3f/0x606
[  114.082400]        [<c1443775>] sock_sendmsg+0xc9/0xe0
[  114.087530]        [<c14437b4>] kernel_sendmsg+0x28/0x37
[  114.092833]        [<c14f2278>] rfcomm_send_frame+0x2f/0x37
[  114.098398]        [<c14f232c>] rfcomm_send_ua+0x57/0x59
[  114.103701]        [<c14f3884>] rfcomm_run+0x431/0xb06
[  114.108830]        [<c104bc8f>] kthread+0x5f/0x64
[  114.113525]        [<c1002b7a>] kernel_thread_helper+0x6/0x1a
[  114.119265]
[  114.119270] -> #0 (rfcomm_mutex){+.+.+.}:
[  114.124739]        [<c105cff1>] __lock_acquire+0xe03/0x1379
[  114.130304]        [<c105d660>] lock_acquire+0xf9/0x135
[  114.135522]        [<c1522bf3>] mutex_lock_nested+0x45/0x286
[  114.141171]        [<c14f281a>] rfcomm_dlc_close+0x15/0x30
[  114.146650]        [<c14f4cdb>] __rfcomm_sock_close+0x5e/0x6a
[  114.152388]        [<c14f4d12>] rfcomm_sock_shutdown+0x2b/0x5d
[  114.158212]        [<c14f4d5d>] rfcomm_sock_release+0x19/0x60
[  114.163951]        [<c14445da>] sock_release+0x14/0x5b
[  114.169080]        [<c144463d>] sock_close+0x1c/0x20
[  114.174037]        [<c10bdd19>] fput+0xfa/0x19e
[  114.178557]        [<c10bb3c5>] filp_close+0x51/0x5b
[  114.183512]        [<c10bb488>] sys_close+0xb9/0xee
[  114.188381]        [<c1002650>] sysenter_do_call+0x12/0x36
[  114.193858]
[  114.193863] other info that might help us debug this:
[  114.193870]
[  114.201860] 1 lock held by bluetoothd/511:
[  114.205945]  #0:  (sk_lock-AF_BLUETOOTH){+.+.+.}, at: [<c14f4cfe>] rfcomm_sock_shutdown+0x17/0x5d
[  114.214811]
[  114.214816] stack backtrace:
[  114.219167] Pid: 511, comm: bluetoothd Tainted: G        WC  2.6.37.3jrf_fix #1
[  114.226463] Call Trace:
[  114.228913]  [<c152108a>] ? printk+0xf/0x11 
[  114.233086]  [<c105bc3b>] print_circular_bug+0x90/0x9c 
[  114.238211]  [<c105cff1>] __lock_acquire+0xe03/0x1379 
[  114.243260]  [<c14f281a>] ? rfcomm_dlc_close+0x15/0x30 
[  114.248382]  [<c105d660>] lock_acquire+0xf9/0x135 
[  114.253079]  [<c14f281a>] ? rfcomm_dlc_close+0x15/0x30 
[  114.258208]  [<c1522bf3>] mutex_lock_nested+0x45/0x286 
[  114.263338]  [<c14f281a>] ? rfcomm_dlc_close+0x15/0x30 
[  114.268469]  [<c105b68d>] ? trace_hardirqs_on_caller+0x100/0x121
[  114.274467]  [<c1445cf8>] ? lock_sock_nested+0x5a/0x65 
[  114.279597]  [<c105b6b9>] ? trace_hardirqs_on+0xb/0xd 
[  114.284639]  [<c14f281a>] rfcomm_dlc_close+0x15/0x30 
[  114.289594]  [<c14f4cdb>] __rfcomm_sock_close+0x5e/0x6a 
[  114.294811]  [<c14f4d12>] rfcomm_sock_shutdown+0x2b/0x5d 
[  114.300115]  [<c14f4d5d>] rfcomm_sock_release+0x19/0x60 
[  114.305331]  [<c14445da>] sock_release+0x14/0x5b 
[  114.309937]  [<c144463d>] sock_close+0x1c/0x20 
[  114.314373]  [<c10bdd19>] fput+0xfa/0x19e 
[  114.318371]  [<c10bb3c5>] filp_close+0x51/0x5b 
[  114.322804]  [<c10bb488>] sys_close+0xb9/0xee 
[  114.327151]  [<c1002650>] sysenter_do_call+0x12/0x36
---------------------------------------------------------------------
Intel Corporation SAS (French simplified joint stock company)
Registered headquarters: "Les Montalets"- 2, rue de Paris, 
92196 Meudon Cedex, France
Registration Number:  302 456 199 R.C.S. NANTERRE
Capital: 4,572,000 Euros

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ