Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp701248pxb; Wed, 16 Feb 2022 02:25:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJxRzeoR7vCnHiGiBaaik9XK7tO5aNyrWNQYfhPQKi6jzf/yajLbMi5tNFfDiQD53Q9qqS5A X-Received: by 2002:a05:6a00:16d6:b0:4bf:325:de2f with SMTP id l22-20020a056a0016d600b004bf0325de2fmr2488076pfc.7.1645007112607; Wed, 16 Feb 2022 02:25:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645007112; cv=none; d=google.com; s=arc-20160816; b=O4eUtl7ApO4saenqLL0ViLFBpge+JStyAaXbaeLOYUBMI+5G49+sFpnBpM4NG5Sjpj UTjhu487H4HaJNW/Rbng0rTRXVbNJneuSi9Rf6G/Xj109PCpXJmBxh7WmXT8V8bDwu8W HbOQbgypcqg+EfOs5uPv2WWNx4j7M5Dobba6PvcRrF5hZGKJWDIS5nYCYpARSl9UpGba 6El+XuuNYlJKwPUukdZ+JrRu4dZQA+CvJTE3mRF9JWf44KTyFbb/yzwRbj33j+t80ryM FquulTVnm8TDT5ltYZBQFxKqxbjmRhhlaEDhWbojy267mR7asWWN8hjc6QqGYLG2to1k RJDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version; bh=VHZhjTEYBixSQFVjpPq5o6izxmb2UH5m5+31oC7IiDQ=; b=z/e8hor6+RJhmXoUlXJDLsrJH6SeCrmpvgzxLjGOcmx3fAXM4Ic1Qb08h1D9/nhcjQ ZjJGfzhf6qaZPlUs2UsYD6w1FN6f8Hl6WOEhIRniYUNvjwlr7KBB9l4j14g6PxUAJWbp XllR3rvi7e40JjteEtuOM8viMjqQyMRd+b6/3UndkZOHI189i+Yi/v4pjThrrsd82xrN i6bAbRjqsuGUEuSSHkJHNbhzGND1UMczUxO9A5ik+W0gipBt6WdWWANZlmEgqgtOWwQX JHfHZ0qq3zGPoiubuU6vPprj4nCMkhBfZ1ASF20ZpBOQdJymvvRfW9+JrGZAUtCtmVA9 aC6A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k3si20344091plk.582.2022.02.16.02.24.41; Wed, 16 Feb 2022 02:25:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229695AbiBPKYH convert rfc822-to-8bit (ORCPT + 99 others); Wed, 16 Feb 2022 05:24:07 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:37678 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229636AbiBPKYH (ORCPT ); Wed, 16 Feb 2022 05:24:07 -0500 Received: from mail.holtmann.org (coyote.holtmann.net [212.227.132.17]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5AB742069AA for ; Wed, 16 Feb 2022 02:23:54 -0800 (PST) Received: from smtpclient.apple (p4fefcd07.dip0.t-ipconnect.de [79.239.205.7]) by mail.holtmann.org (Postfix) with ESMTPSA id 410AECEDE2; Wed, 16 Feb 2022 11:23:53 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\)) Subject: Re: [PATCH v1] Bluetooth: fix data races in smp_unregister(), smp_del_chan() From: Marcel Holtmann In-Reply-To: <20220216043714.22011-1-linma@zju.edu.cn> Date: Wed, 16 Feb 2022 11:23:52 +0100 Cc: Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , linux-bluetooth@vger.kernel.org Content-Transfer-Encoding: 8BIT Message-Id: <7C579AAE-EB97-4C87-9E5E-C39ACF6FF37B@holtmann.org> References: <20220216043714.22011-1-linma@zju.edu.cn> To: Lin Ma X-Mailer: Apple Mail (2.3693.60.0.1.1) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Lin, > Previous commit e04480920d1e ("Bluetooth: defer cleanup of resources > in hci_unregister_dev()") defers all destructive actions to > hci_release_dev() to prevent cocurrent problems like NPD, UAF. > > However, there are still some exceptions that are ignored. > > The smp_unregister() in hci_dev_close_sync() (previously in > hci_dev_do_close) will release resources like the sensitive channel > and the smp_dev objects. Consider the situations the device is detaching > or power down while the kernel is still operating on it, the following > data race could take place. > > thread-A hci_dev_close_sync | thread-B read_local_oob_ext_data > | > hci_dev_unlock() | > ... | hci_dev_lock() > if (hdev->smp_data) | > chan = hdev->smp_data | > | chan = hdev->smp_data (3) > | > hdev->smp_data = NULL (1) | if (!chan || !chan->data) (4) > ... | > smp = chan->data | smp = chan->data > if (smp) | > chan->data = NULL (2) | > ... | > kfree_sensitive(smp) | > | // dereference smp trigger UFA > > That is, the objects hdev->smp_data and chan->data both suffer from the > data races. In a preempt-enable kernel, the above schedule (when (3) is > before (1) and (4) is before (2)) leads to UAF bugs. It can be > reproduced in the latest kernel and below is part of the report: > > [ 49.097146] ================================================================ > [ 49.097611] BUG: KASAN: use-after-free in smp_generate_oob+0x2dd/0x570 > [ 49.097611] Read of size 8 at addr ffff888006528360 by task generate_oob/155 > [ 49.097611] > [ 49.097611] Call Trace: > [ 49.097611] > [ 49.097611] dump_stack_lvl+0x34/0x44 > [ 49.097611] print_address_description.constprop.0+0x1f/0x150 > [ 49.097611] ? smp_generate_oob+0x2dd/0x570 > [ 49.097611] ? smp_generate_oob+0x2dd/0x570 > [ 49.097611] kasan_report.cold+0x7f/0x11b > [ 49.097611] ? smp_generate_oob+0x2dd/0x570 > [ 49.097611] smp_generate_oob+0x2dd/0x570 > [ 49.097611] read_local_oob_ext_data+0x689/0xc30 > [ 49.097611] ? hci_event_packet+0xc80/0xc80 > [ 49.097611] ? sysvec_apic_timer_interrupt+0x9b/0xc0 > [ 49.097611] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 > [ 49.097611] ? mgmt_init_hdev+0x1c/0x240 > [ 49.097611] ? mgmt_init_hdev+0x28/0x240 > [ 49.097611] hci_sock_sendmsg+0x1880/0x1e70 > [ 49.097611] ? create_monitor_event+0x890/0x890 > [ 49.097611] ? create_monitor_event+0x890/0x890 > [ 49.097611] sock_sendmsg+0xdf/0x110 > [ 49.097611] __sys_sendto+0x19e/0x270 > [ 49.097611] ? __ia32_sys_getpeername+0xa0/0xa0 > [ 49.097611] ? kernel_fpu_begin_mask+0x1c0/0x1c0 > [ 49.097611] __x64_sys_sendto+0xd8/0x1b0 > [ 49.097611] ? syscall_exit_to_user_mode+0x1d/0x40 > [ 49.097611] do_syscall_64+0x3b/0x90 > [ 49.097611] entry_SYSCALL_64_after_hwframe+0x44/0xae > [ 49.097611] RIP: 0033:0x7f5a59f51f64 > ... > [ 49.097611] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a59f51f64 > [ 49.097611] RDX: 0000000000000007 RSI: 00007f5a59d6ac70 RDI: 0000000000000006 > [ 49.097611] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 > [ 49.097611] R10: 0000000000000040 R11: 0000000000000246 R12: 00007ffec26916ee > [ 49.097611] R13: 00007ffec26916ef R14: 00007f5a59d6afc0 R15: 00007f5a59d6b700 > > To solve these data races, this patch places the smp_unregister() > function in the protected area by the hci_dev_lock(). That is, the > smp_unregister() function can not be concurrently executed when > operating functions (most of them are mgmt operations in mgmt.c) hold > the device lock. > > This patch is tested with kernel LOCK DEBUGGING enabled. The price from > the extended holding time of the device lock is supposed to be low as the > smp_unregister() function is fairly short and efficient. > > Signed-off-by: Lin Ma > --- > net/bluetooth/hci_sync.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) patch has been applied to bluetooth-next tree. Regards Marcel