Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp2699167rwr; Fri, 28 Apr 2023 14:31:19 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4xxnEaVWItRT8wR0EBE9zSefeDAA8MxcLZijMh+N8p4g8U5JQcg1vxo5stqCNHgt+phjWP X-Received: by 2002:a17:902:d4c5:b0:1a9:6467:aa8d with SMTP id o5-20020a170902d4c500b001a96467aa8dmr7962145plg.1.1682717479575; Fri, 28 Apr 2023 14:31:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682717479; cv=none; d=google.com; s=arc-20160816; b=Ep36rsGF1IT3Ktd/YZnl+fgslKRyA6ecI25yM6jAMYOlqe2MFHVQl4+FL03eOOkU2s SjjG0fV4izpOYp0T68zTeGwwU12SConFe6d2mQ20wW63RHTqmQJFXDZEgMel+GzELde0 QcMXt3SU07a0GaPaoG2ELzKvkgwKfbAXxObV0Tob9+7XN/4oPj+v88Bo5o8rKyop9npE Xdt4YhpkzJJzKYFX+Wecjx9l5hkJ6vKRLGlzC8wcfPXnLlUWDnaZTncYz/2GpKbYBaU6 wzheB4LG3voiK1O1fZcMrKS50sn1C2qUkp3M2VMkoBm2XNZtEZ9/PNzqEHIWEJjCieHp 6fcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=9rljzU0VELiX9EsAkZDXnPVtLWxUnAXmWBWCF+oOAaY=; b=z2JyUpICFfX3erfmoBgdIgmr6Yq4d/EbGfzJBUV4pvcb8/moL3zb6/RYPqek0Tmd8h g1U0I4DspKmwdOhVRW5nVuRSvSH1pf5cj5x8vnMnfy9RQ3pYcQfo+nMopjI5VzWcHt+P zHQ0IyO4ps/Bmz0CNbV4cAVohRQNAAkN42YAqaDprYaEMnPqCLTqlvYHaOFyPAyNtNaL cDVrpUQJLqls3Zp6ZsUnb9ZEYaMeMx7u30v8VFXuFovedi43vI7qkwdnQDg/m23rV7ht vB1LDJL+qdBcBN1n7gSbnuFRfPddF8D5WA2HYwslrpX6HCpujHo1oS3Y3UxhEJBlojHY Z82g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=Q5MkxR2Z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z13-20020a1709027e8d00b0019a78d4c761si21954907pla.93.2023.04.28.14.31.03; Fri, 28 Apr 2023 14:31:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=Q5MkxR2Z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346116AbjD1VY6 (ORCPT + 99 others); Fri, 28 Apr 2023 17:24:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229751AbjD1VY5 (ORCPT ); Fri, 28 Apr 2023 17:24:57 -0400 Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 383431BFA; Fri, 28 Apr 2023 14:24:55 -0700 (PDT) Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2a8bdcf87f4so1760141fa.2; Fri, 28 Apr 2023 14:24:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682717093; x=1685309093; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9rljzU0VELiX9EsAkZDXnPVtLWxUnAXmWBWCF+oOAaY=; b=Q5MkxR2ZExbckiOE+IJDWTRSaZUEwLv8xt4VK0TOnv+3I2cmNdSM89Gki5tvc5TYDM xj+8Xgdzp03DWqnUbeddAFlRQzKuMUnaTdxHvQIp/sFQMfBQosV2BaAQYrPnH/Y1TB26 8toagzZu9WS/PpsNxTcmywXhtICGQseS8IR5f4HOkQP9njFtbuEU36HcuhjHPyIdmgdF LX325IZNhynqJc5tcHQSkGFJdzTeg12L9r1ExhixfDswOOQERXGDK59uYjQgq0p1R9PM M+1IE+yq7+a1Bl0OHFIow3lsr47mNDeNuD2lR1mrxsK6fIXUhMQHJGOq1yIWPA6vpyAx tZtw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682717093; x=1685309093; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9rljzU0VELiX9EsAkZDXnPVtLWxUnAXmWBWCF+oOAaY=; b=ICH+JvPa/hU8sjuUvhPcL0s1A/d8tHtHoqazd740KavOcbWkjHYUs3jqDtvEPqMYB7 v8EF6smHjfHJKIY8erDH6CkHHoa0nK8UmzR/by7hp3nwOEcVIjwfiEn+hoAbdfNznxQp E2hFeCCV9iDEjL1dGlTiOf00UC6hFtJSOr2FfozD1CNB3gadQucvrkXItwsbeP2yPync m/d+ATJwZqQPbMAacbRsZRQa/rq9hHmmt479ippZoXqcH86am0UOPRyLES90OIYt7xie 2mHZLk/bLG4KeE9+7smDQeMG2EDZeqC/UVtN05aA6Ne5HWoIKyRpEqVeMQjolMfzgCwa yqPQ== X-Gm-Message-State: AC+VfDwKMASQ/+5YTZQk9Ld2y1xwu9ITUxBExJQFZRg+HZMSTIrljwqZ oIc/C9NraUqQqRyYVFS4C+aH3H45SuGeVAPy868= X-Received: by 2002:a2e:88cd:0:b0:2a8:d0f0:584e with SMTP id a13-20020a2e88cd000000b002a8d0f0584emr1826301ljk.16.1682717093101; Fri, 28 Apr 2023 14:24:53 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Luiz Augusto von Dentz Date: Fri, 28 Apr 2023 14:24:40 -0700 Message-ID: Subject: Re: [BUG][RESEND] Bluetooth: L2CAP: possible data race in __sco_sock_close() To: Li Tuo Cc: marcel@holtmann.org, johan.hedberg@gmail.com, "David S. Miller" , edumazet@google.com, Jakub Kicinski , pabeni@redhat.com, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, Linux Kernel , baijiaju1990@outlook.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Fri, Apr 28, 2023 at 3:27=E2=80=AFAM Li Tuo wrote: > > Hello, > > Our static analysis tool finds a possible data race in the l2cap protocol > in Linux 6.3.0-rc7: > > In most calling contexts, the variable sk->sk_socket is accessed > with holding the lock sk->sk_callback_lock. Here is an example: > > l2cap_sock_accept() --> Line 346 in net/bluetooth/l2cap_sock.c > bt_accept_dequeue() --> Line 368 in net/bluetooth/l2cap_sock.c > sock_graft() --> Line 240 in net/bluetooth/af_bluetooth.c > write_lock_bh(&sk->sk_callback_lock); --> Line 2081 in incl= ude/net/sock.h (Lock sk->sk_callback_lock) > sk_set_socket() --> Line 2084 in include/net/sock.h > sk->sk_socket =3D sock; --> Line 2054 in include/net/so= ck.h (Access sk->sk_socket) > > However, in the following calling context: > > sco_sock_shutdown() --> Line 1227 in net/bluetooth/sco.c > __sco_sock_close() --> Line 1243 in net/bluetooth/sco.c > BT_DBG(..., sk->sk_socket); --> Line 431 in net/bluetooth/sco.c= (Access sk->sk_socket) > > the variable sk->sk_socket is accessed without holding the lock > sk->sk_callback_lock, and thus a data race may occur. > > Reported-by: BassCheck Need to check in detail what it means to hold the sk_callback_lock, btw is this static analysis tool of yours something public that we can use in our CI to detect these problems? --=20 Luiz Augusto von Dentz