From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: Dean Jenkins, Marcel Holtmann, Sasha Levin
Subject: [PATCH AUTOSEL for 4.9 163/219] Bluetooth: Avoid bt_accept_unlink() double unlinking
Date: Sat, 3 Mar 2018 22:29:32 +0000
Message-ID: <20180303222716.26640-163-alexander.levin@microsoft.com>
In-Reply-To: <20180303222716.26640-1-alexander.levin@microsoft.com>

From: Dean Jenkins

[ Upstream commit 27bfbc21a0c0f711fa5382de026c7c0700c9ea28 ]

There is a race condition between a thread calling bt_accept_dequeue() and a different thread calling bt_accept_unlink(). Protection against concurrency is implemented using sk locking. However, sk locking causes serialisation of the bt_accept_dequeue() and bt_accept_unlink() threads. This serialisation can cause bt_accept_dequeue() to obtain the sk from the parent list but becomes blocked waiting for the sk lock held by the bt_accept_unlink() thread. bt_accept_unlink() unlinks sk and this thread releases the sk lock unblocking bt_accept_dequeue() which potentially runs bt_accept_unlink() again on the same sk causing a crash.

The attempt to double unlink the same sk from the parent list can cause a NULL pointer dereference crash due to bt_sk(sk)->parent becoming NULL on the first unlink, followed by the second unlink trying to execute bt_sk(sk)->parent->sk_ack_backlog-- in bt_accept_unlink() which crashes.

When sk is in the parent list, bt_sk(sk)->parent will not be NULL. When sk is removed from the parent list, bt_sk(sk)->parent is set to NULL.

Therefore, add a defensive check for bt_sk(sk)->parent not being NULL to ensure that sk is still in the parent list after the sk lock has been taken in bt_accept_dequeue(). If bt_sk(sk)->parent is detected as being NULL then restart the loop so that the loop variables are refreshed to use the latest values. This is necessary as list_for_each_entry_safe() is not thread safe so causing a risk of an infinite loop occurring as sk could point to itself.

In addition, in bt_accept_dequeue() increase the sk reference count to protect against early freeing of sk. Early freeing can be possible if the bt_accept_unlink() thread calls l2cap_sock_kill() or rfcomm_sock_kill() functions before bt_accept_dequeue() gets the sk lock.
For test purposes, the probability of failure can be increased by putting a msleep of 1 second in bt_accept_dequeue() between getting the sk and waiting for the sk lock. This exposes the fact that the loop list_for_each_entry_safe(p, n, &bt_sk(parent)->accept_q) is not safe from threads that unlink sk from the list in parallel with the loop which can cause sk to become stale within the loop.

Signed-off-by: Dean Jenkins
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/af_bluetooth.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index 1aff2da9bc74..5d3698170004 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -163,6 +163,9 @@ void bt_accept_enqueue(struct sock *parent, struct sock= *sk) } EXPORT_SYMBOL(bt_accept_enqueue); =20 +/* Calling function must hold the sk lock. + * bt_sk(sk)->parent must be non-NULL meaning sk is in the parent list. + */ void bt_accept_unlink(struct sock *sk) { BT_DBG("sk %p state %d", sk, sk->sk_state); 
@@ -181,11 +184,32 @@ struct sock *bt_accept_dequeue(struct sock *parent, s= truct socket *newsock) =20 BT_DBG("parent %p", parent); =20 +restart: list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) { sk =3D (struct sock *)s; =20 + /* Prevent early freeing of sk due to unlink and sock_kill */ + sock_hold(sk); lock_sock(sk); =20 + /* Check sk has not already been unlinked via + * bt_accept_unlink() due to serialisation caused by sk locking + */ + if (!bt_sk(sk)->parent) { + BT_DBG("sk %p, already unlinked", sk); + release_sock(sk); + sock_put(sk); + + /* Restart the loop as sk is no longer in the list + * and also avoid a potential infinite loop because + * list_for_each_entry_safe() is not thread safe. + */ + goto restart; + } + + /* sk is safely in the parent list so reduce reference count */ + sock_put(sk); + /* FIXME: Is this check still needed */ if (sk->sk_state =3D=3D BT_CLOSED) { bt_accept_unlink(sk); --=20 2.14.1
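Review bot: the comment added above bt_accept_unlink() in the first hunk states two preconditions (the sk lock is held and bt_sk(sk)->parent is non-NULL) but the hunk adds no check for either, so a caller that violates them still reaches the bt_sk(sk)->parent->sk_ack_backlog-- NULL dereference that the commit message describes, just from a different call site than the one this patch guards. Consider pairing the comment with a cheap assertion at the top of the function, for example `if (WARN_ON(!bt_sk(sk)->parent)) return;`, so that a regression is reported as a warning rather than an oops.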
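Review bot: in the second hunk the sock_hold()/sock_put() pair is released straight after the parent check (`/* sk is safely in the parent list so reduce reference count */` followed by `sock_put(sk);`), so the remainder of the iteration, including the BT_CLOSED branch and the unlink that follows it, runs without its own reference and relies on the sk lock excluding the unlinking thread; that reliance is only stated in the other hunk's comment, so either extend the comment here to say the lock now guarantees liveness until release_sock(), or keep the hold until the lock is dropped. A minor point: the new check sits directly above the pre-existing `/* FIXME: Is this check still needed */` for BT_CLOSED, and since this patch reasons about exactly when an sk can leave the list it would be a good moment to resolve or drop that FIXME.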
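The hold, parent check and restart that the commit message describes, as an added C model that is not part of the patch or of the kernel: `bt_sock`, `model_enqueue`, `model_unlink`, `model_dequeue` and the `unlink_before_lock` hook are hypothetical stand-ins, and the sk lock itself is not modelled; the hook simply lets the unlinking side win at the point where lock_sock() would block. With check_parent=0 the loop keeps the pre-patch behaviour and records what would be the NULL-dereferencing double unlink; with check_parent=1 it detects the stale sk, drops its hold and rescans from the head.

```c
#include <stddef.h>
/* Hypothetical user-space model of a socket on a Bluetooth accept queue. */
struct bt_sock {
    struct bt_sock *parent;        /* non-NULL only while on parent->accept_q */
    struct bt_sock *next;          /* singly linked accept_q (model only) */
    struct bt_sock *accept_q;      /* list head, meaningful on the parent */
    int refcnt, sk_ack_backlog;    /* sock_hold()/sock_put(); backlog on parent */
    int closed;                    /* stands in for sk_state == BT_CLOSED */
};
int double_unlink_attempts;          /* a NULL dereference in the real kernel */
struct bt_sock *unlink_before_lock;  /* the "other thread" unlinks this sk first */

void model_enqueue(struct bt_sock *parent, struct bt_sock *sk)
{
    struct bt_sock **pp = &parent->accept_q;
    while (*pp) pp = &(*pp)->next;   /* list_add_tail */
    *pp = sk; sk->next = NULL; sk->parent = parent; parent->sk_ack_backlog++;
}

/* Models bt_accept_unlink(): caller holds the sk lock, sk must be linked. */
void model_unlink(struct bt_sock *sk)
{
    struct bt_sock *parent = sk->parent, **pp;
    if (!parent) { double_unlink_attempts++; return; } /* parent->sk_ack_backlog-- */
    for (pp = &parent->accept_q; *pp; pp = &(*pp)->next)
        if (*pp == sk) { *pp = sk->next; break; }
    parent->sk_ack_backlog--;
    sk->parent = NULL;
}

/* Models bt_accept_dequeue() without newsock/graft; check_parent=0 skips the new check. */
struct bt_sock *model_dequeue(struct bt_sock *parent, int check_parent)
{
    struct bt_sock *sk, *n;
restart:
    for (sk = parent->accept_q; sk; sk = n) {
        n = sk->next;
        sk->refcnt++;                        /* sock_hold() */
        if (sk == unlink_before_lock) { unlink_before_lock = NULL; model_unlink(sk); }
        if (check_parent && !sk->parent) {   /* unlinked while waiting for the lock */
            sk->refcnt--;                    /* release_sock(); sock_put() */
            goto restart;                    /* n may be stale: rescan from head */
        }
        sk->refcnt--;                        /* linked and locked: hold not needed */
        if (sk->closed) { model_unlink(sk); continue; }  /* BT_CLOSED branch */
        model_unlink(sk);                    /* accepted: hand sk to the caller */
        return sk;
    }
    return NULL;
}
```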