Date: Tue, 23 Mar 2021 16:32:20 +0800
Message-Id: <20210323163141.v2.1.I6c4306f6e8ba3ccc9106067d4eb70092f8cb2a49@changeid>
Subject: [PATCH v2] Bluetooth: check for zapped sk before connecting
From: Archie Pusaka
To: linux-bluetooth, Marcel Holtmann
Cc: CrosBT Upstreaming, Archie Pusaka, syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com, Alain Michaud, Abhishek Pandit-Subedi, Guenter Roeck, "David S. Miller", Jakub Kicinski, Johan Hedberg, Luiz Augusto von Dentz, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
From: Archie Pusaka

There is a possibility of receiving a zapped sock on l2cap_sock_connect().
This could lead to interesting crashes; one such case is tearing down an
already torn-down l2cap_sock, as happened with this call trace:

__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0xc4/0x118 lib/dump_stack.c:56
register_lock_class kernel/locking/lockdep.c:792 [inline]
register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742
__lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105
lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
_raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175
spin_lock_bh include/linux/spinlock.h:307 [inline]
lock_sock_nested+0x44/0xfa net/core/sock.c:2518
l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345
l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598
l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756
l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429
process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064
worker_thread+0x5a5/0x773 kernel/workqueue.c:2196
kthread+0x291/0x2a6 kernel/kthread.c:211
ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604

Signed-off-by: Archie Pusaka
Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com
Reviewed-by: Alain Michaud
Reviewed-by: Abhishek Pandit-Subedi
Reviewed-by: Guenter Roeck
---
Changes in v2:
* Modify locking order for better visibility

 net/bluetooth/l2cap_sock.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index f1b1edd0b697..c99d65ef13b1 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -179,9 +179,17 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, struct l2cap_chan *chan = l2cap_pi(sk)->chan; struct sockaddr_l2 la; int len, err = 0; + bool zapped; BT_DBG("sk %p", sk); + lock_sock(sk); + zapped = sock_flag(sk, SOCK_ZAPPED); + release_sock(sk); + + if (zapped) + return -EINVAL; + if (!addr || alen < offsetofend(struct sockaddr, sa_family) || addr->sa_family != AF_BLUETOOTH) return -EINVAL; -- 2.31.0.291.g576ba9dcdaf-goog
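Review bot: the new check samples SOCK_ZAPPED under lock_sock(sk) but calls release_sock(sk) before acting on the result, so the hunk only rejects a socket that was already zapped on entry to l2cap_sock_connect(); a teardown that lands between `release_sock(sk);` and the rest of the connect path (the case the call trace shows, l2cap_chan_timeout -> l2cap_chan_close -> l2cap_chan_del -> l2cap_sock_teardown_cb, which runs on a workqueue and can fire at any time) is not covered by what is visible here. If that remaining window is acceptable because the later code re-takes the socket lock and re-validates the channel, the commit message should say so explicitly; "Modify locking order for better visibility" in the v2 changelog does not explain why the lock is dropped before the `if (zapped)` test rather than held across it. A one-line comment above `lock_sock(sk);` stating that the read is only a fast-fail for an already-closed socket, not a guarantee, would also stop a future reader from assuming the lock protects the whole function. Minor: the zapped test now runs before the `!addr || alen < ...` argument validation, which is fine functionally, but returning the same -EINVAL for both conditions makes the two failures indistinguishable to the caller; worth a note in the description if that is intentional.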