| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Aug 2022 12:23:26 -0700
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: Desmond Cheong Zhi Xi <desmondcheongzx@...il.com>
Cc: Jiacheng Xu <578001344xu@...il.com>,
"linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
Jakub Kicinski <kuba@...nel.org>,
"open list:NETWORKING [GENERAL]" <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
David Miller <davem@...emloft.net>,
Paolo Abeni <pabeni@...hat.com>
Subject: Re: possible deadlock in rfcomm_sk_state_change
Hi Desmond,
On Tue, Aug 30, 2022 at 10:41 AM Luiz Augusto von Dentz
<luiz.dentz@...il.com> wrote:
>
> Hi Desmond,
>
> On Mon, Aug 29, 2022 at 11:48 PM Desmond Cheong Zhi Xi
> <desmondcheongzx@...il.com> wrote:
> >
> > +cc Bluetooth and Networking maintainers
> >
> > Hi Jiacheng,
> >
> > On 28/8/22 04:03, Jiacheng Xu wrote:
> > > Hi,
> > >
> > > I believe the deadlock is more than possible but actually real.
> > > I got a poc that could stably trigger the deadlock.
> > >
> > > poc: https://drive.google.com/file/d/1PjqvMtHsrrGM1MIRGKl_zJGR-teAMMQy/view?usp=sharing
> > >
> > > Description/Root cause:
> > > In rfcomm_sock_shutdown(), lock_sock() is called when releasing and
> > > shutting down socket.
> > > However, lock_sock() has to be called once more when the sk_state is
> > > changed because the
> > > lock is not always held when rfcomm_sk_state_change() is called. One
> > > such call stack is:
> > >
> > > rfcomm_sock_shutdown():
> > > lock_sock();
> > > __rfcomm_sock_close():
> > > rfcomm_dlc_close():
> > > __rfcomm_dlc_close():
> > > rfcomm_dlc_lock();
> > > rfcomm_sk_state_change():
> > > lock_sock();
> > >
> > > Besides the recursive deadlock, there is also an
> > > issue of a lock hierarchy inversion between rfcomm_dlc_lock() and
> > > lock_sock() if the socket is locked in rfcomm_sk_state_change().
> >
> >
> > Thanks for the poc and for following the trail all the way to the root
> > cause - this was a known issue and I didn't realize the patch wasn't
> > applied.
> >
> > > > Reference:
> > https://lore.kernel.org/all/20211004180734.434511-1-desmondcheongzx@gmail.com/
> > >
> >
> > Fwiw, I tested the patch again with syzbot. It still applies cleanly to
> > the head of bluetooth-next and seems to address the root cause.
> >
> > Any thoughts from the maintainers on this issue and the proposed fix?
>
> We probably need to introduce a test to rfcomm-tester to reproduce
> this sort of problem, I also would like to avoid introducing a work
> just to trigger a state change since we don't have such problem on the
> likes of L2CAP socket so perhaps we need to rework the code a little
> bit to avoid the locking problems.
It looks like for L2CAP we use lock_sock_nested on teardown, we don't
have the exact same behavior in RFCOMM but I think that might be worth
a try if we can use that instead of introducing yet another work item.
> > Best,
> > Desmond
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
Powered by blists - more mailing lists