| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230522143759.2880743-1-yinghsu@chromium.org>
Date: Mon, 22 May 2023 14:37:55 +0000
From: Ying Hsu <yinghsu@...omium.org>
To: linux-bluetooth@...r.kernel.org
Cc: chromeos-bluetooth-upstreaming@...omium.org,
Ying Hsu <yinghsu@...omium.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
Marcel Holtmann <marcel@...tmann.org>,
Paolo Abeni <pabeni@...hat.com>,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org
Subject: [PATCH] Fix l2cap_disconnect_req deadlock
L2CAP assumes that the locks conn->chan_lock and chan->lock are
acquired in the order conn->chan_lock, chan->lock to avoid
potential deadlock.
For example, l2sock_shutdown acquires these locks in the order:
mutex_lock(&conn->chan_lock)
l2cap_chan_lock(chan)
However, l2cap_disconnect_req acquires chan->lock in
l2cap_get_chan_by_scid first and then acquires conn->chan_lock
before calling l2cap_chan_del. This means that these locks are
acquired in unexpected order, which leads to potential deadlock:
l2cap_chan_lock(c)
mutex_lock(&conn->chan_lock)
This patch uses __l2cap_get_chan_by_scid to replace
l2cap_get_chan_by_scid and adjusts the locking order to avoid the
potential deadlock.
Signed-off-by: Ying Hsu <yinghsu@...omium.org>
---
This commit has been tested on a Chromebook device.
net/bluetooth/l2cap_core.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 376b523c7b26..8f08192b8fb1 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4651,8 +4651,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
- chan = l2cap_get_chan_by_scid(conn, dcid);
+ mutex_lock(&conn->chan_lock);
+ chan = __l2cap_get_chan_by_scid(conn, dcid);
+ if (chan) {
+ chan = l2cap_chan_hold_unless_zero(chan);
+ if (chan)
+ l2cap_chan_lock(chan);
+ }
+
if (!chan) {
+ mutex_unlock(&conn->chan_lock);
cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
return 0;
}
@@ -4663,14 +4671,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
chan->ops->set_shutdown(chan);
- mutex_lock(&conn->chan_lock);
l2cap_chan_del(chan, ECONNRESET);
- mutex_unlock(&conn->chan_lock);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
+ mutex_unlock(&conn->chan_lock);
return 0;
}
@@ -4691,25 +4698,32 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
- chan = l2cap_get_chan_by_scid(conn, scid);
+ mutex_lock(&conn->chan_lock);
+ chan = __l2cap_get_chan_by_scid(conn, scid);
+ if (chan) {
+ chan = l2cap_chan_hold_unless_zero(chan);
+ if (chan)
+ l2cap_chan_lock(chan);
+ }
if (!chan) {
+ mutex_unlock(&conn->chan_lock);
return 0;
}
if (chan->state != BT_DISCONN) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
+ mutex_unlock(&conn->chan_lock);
return 0;
}
- mutex_lock(&conn->chan_lock);
l2cap_chan_del(chan, 0);
- mutex_unlock(&conn->chan_lock);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
+ mutex_unlock(&conn->chan_lock);
return 0;
}
--
2.40.1.698.g37aff9b760-goog
Powered by blists - more mailing lists