Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3066333pxb; Sat, 26 Mar 2022 10:14:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxgpSzuIy6N4JhcCa/3xyeU+8odu4+r17m+jipYockEwWp2Abcq4mkDaESkA1kN0Vyyr7pC X-Received: by 2002:a05:6830:82a:b0:5b2:36d5:1603 with SMTP id t10-20020a056830082a00b005b236d51603mr6916400ots.240.1648314892325; Sat, 26 Mar 2022 10:14:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648314892; cv=none; d=google.com; s=arc-20160816; b=o1ZP/Ufh5c9en6ytlFH1XupKkvriS0UTPGWJ3+0lOdUWhjcjUJfBcBGZuDBQ97GuoC Zqu39VfsI5i3ON/G4+rf4j+qpW+BNMTmaY/JuykVnAlaTMMTOTh7oRc00zSMo3Dhtgo/ nqHQMe/5gYilK6ZYvZufJbcCFwtusBqo063zVzEkXiI7n2Zz9dUeTXvqsPay3OXsT3zM YxG6x31/GBtB5rsFVv1toD5TplI0YHhTuKkd2XUPiaD5teg/bszkBBecjvTAD2ROwxpO aNW7otO4VBCr2rQay+a0DWulgZ+uzJ+JciunqQNWf6wvBcqKe4ePzjbcqm+WxE1NMUaP azoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=PTLKNJ1HHVa/CC/OMIeEXrqEsVbWaZOp7AFQBATXJDQ=; b=B2qZ7DiNQVRF9Bz4h+cQtiwRAsXW0CZrfgKUDfjpd9EIXrwrTpncXxTJLELaHSGnwH kD23BAnmgNVXy4qADeHX63OLDPN28dpGIWJ9RLGXrug2mjIG1t4QXr42kXqiB9c7pgYI Dlfvr0FhUXhqlqZwOlinb/lAVbscQEQwxK2v/Mi80XyKdNwuPkBusoa0z5VDvNTL3+SO czD8dUTNSQ5jVvw0VjOR7WorQIq89KOUIe9FLX8KYrnYc8JrG6YIoRo3Utpsa7hQz1pO v9VX151sBQxsIpxnfkftpEUGSPK5/f/IcjcU3ZligQ5PturDGmhFXtVROSFNnUIG70a9 hJZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=lUQtPiSM; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n25-20020a056870241900b000de985398d9si4271116oap.251.2022.03.26.10.14.39; Sat, 26 Mar 2022 10:14:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=lUQtPiSM; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230098AbiCZGdM (ORCPT + 99 others); Sat, 26 Mar 2022 02:33:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41070 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229846AbiCZGdL (ORCPT ); Sat, 26 Mar 2022 02:33:11 -0400 Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 80E3627CFF for ; Fri, 25 Mar 2022 23:31:34 -0700 (PDT) Received: by mail-qt1-x82d.google.com with SMTP id t2so8236845qtw.9 for ; Fri, 25 Mar 2022 23:31:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PTLKNJ1HHVa/CC/OMIeEXrqEsVbWaZOp7AFQBATXJDQ=; b=lUQtPiSM3Sqlxdd43fL+DfdNXAvAAY1bKNTHEfSflmKVRuwGdp6JHLhjUjDv6nQq+g 0/+YIxlNQvlXokJXnrkraDIf4Q9elqAoG4z+oUBHynRN61oKnnJ3Z9oHJQKmMoCclCE3 Jt9kSWDc+ZfmZRkWINyz0I50DPIYgmEScNspI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PTLKNJ1HHVa/CC/OMIeEXrqEsVbWaZOp7AFQBATXJDQ=; b=0M+6vgNteFNOWki/Ub0grkPGraF0NLSos5cuWSslbM+P0L35VXN4BPuA/06jmPfx35 yqCf4jPCOOfZ5ppjprF+e8IBN5iGvQuvLBew6Hh9/UXmZ1qV0Zu6SoSFNBdpOkgSTers 3iu2xdaVhIJovl/+HdHdbwgdHsVjeHyJLczHycC/ak/zGIjtGURkiu611vvN7gVGwyJF yb7YUTXYiCk7EafMoro/Vw+QTPenKxKbEYeaZdHpwSbPz6DVxJkqncurlglTnj3cp5KW H06Y8nxMBU8YZUYFqRhyZns2v28CzBv7jAT38SgY00js+r4TJY74MYrCPjBfKbOQKGTt RGJA== X-Gm-Message-State: AOAM531dGKs16veXe/JGOm5k3vrxfld2SDz512EU5fcNBpMs+0qTBrf/ 8w7XYGq4K5Q8QLu91+A3fEHr9ck84BMu+YUPblQAVw== X-Received: by 2002:ac8:7ee3:0:b0:2e1:a508:c500 with SMTP id r3-20020ac87ee3000000b002e1a508c500mr12523470qtc.117.1648276293617; Fri, 25 Mar 2022 23:31:33 -0700 (PDT) MIME-Version: 1.0 References: <20220325033028.1.I67f8ad854ac2f48701902bfb34d6e2070011b779@changeid> In-Reply-To: From: Ying Hsu Date: Sat, 26 Mar 2022 14:31:22 +0800 Message-ID: Subject: Re: [PATCH] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout To: Luiz Augusto von Dentz Cc: Marcel Holtmann , ChromeOS Bluetooth Upstreaming , Joseph Hwang , "David S. Miller" , Jakub Kicinski , Johan Hedberg , Paolo Abeni , "linux-bluetooth@vger.kernel.org" , Linux Kernel Mailing List , "open list:NETWORKING [GENERAL]" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Luiz, I compiled and ran the c-reproducer: https://syzkaller.appspot.com/x/repro.c?x=152b93e8700000 I will add relevant links in the commit message. Thanks for the reminder. While fixing the use-after-free problem , I also found a possible deadlock in sco_sock_connect() and sco_sock_getsockopt() : sco_sock_connect() { hci_dev_lock(hdev); lock_sock(sk); } sco_sock_getsockopt() { lock_sock(sk); case BT_CODEC: hci_dev_lock(hdev); } So, adjusting the locking order in sco_sock_connect() can also avoid the possible deadlock. Ying On Sat, Mar 26, 2022 at 2:50 AM Luiz Augusto von Dentz wrote: > > Hi Ying, > > On Thu, Mar 24, 2022 at 8:31 PM Ying Hsu wrote: > > > > Connecting the same socket twice consecutively in sco_sock_connect() > > could lead to a race condition where two sco_conn objects are created > > but only one is associated with the socket. If the socket is closed > > before the SCO connection is established, the timer associated with the > > dangling sco_conn object won't be canceled. As the sock object is being > > freed, the use-after-free problem happens when the timer callback > > function sco_sock_timeout() accesses the socket. Here's the call trace: > > > > dump_stack+0x107/0x163 > > ? refcount_inc+0x1c/ > > print_address_description.constprop.0+0x1c/0x47e > > ? refcount_inc+0x1c/0x7b > > kasan_report+0x13a/0x173 > > ? refcount_inc+0x1c/0x7b > > check_memory_region+0x132/0x139 > > refcount_inc+0x1c/0x7b > > sco_sock_timeout+0xb2/0x1ba > > process_one_work+0x739/0xbd1 > > ? cancel_delayed_work+0x13f/0x13f > > ? __raw_spin_lock_init+0xf0/0xf0 > > ? to_kthread+0x59/0x85 > > worker_thread+0x593/0x70e > > kthread+0x346/0x35a > > ? drain_workqueue+0x31a/0x31a > > ? kthread_bind+0x4b/0x4b > > ret_from_fork+0x1f/0x30 > > > > Signed-off-by: Ying Hsu > > Reviewed-by: Joseph Hwang > > --- > > Tested this commit using a C reproducer on qemu-x86_64 for 8 hours. > > We should probably add a link or something to the reproducer then, was > it syzbot? It does have some instructions on how to link its issues. > > > net/bluetooth/sco.c | 21 +++++++++++++-------- > > 1 file changed, 13 insertions(+), 8 deletions(-) > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > index 8eabf41b2993..380c63194736 100644 > > --- a/net/bluetooth/sco.c > > +++ b/net/bluetooth/sco.c > > @@ -574,19 +574,24 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen > > addr->sa_family != AF_BLUETOOTH) > > return -EINVAL; > > > > - if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) > > - return -EBADFD; > > + lock_sock(sk); > > + if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { > > + err = -EBADFD; > > + goto done; > > + } > > > > - if (sk->sk_type != SOCK_SEQPACKET) > > - return -EINVAL; > > + if (sk->sk_type != SOCK_SEQPACKET) { > > + err = -EINVAL; > > + goto done; > > + } > > > > hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR); > > - if (!hdev) > > - return -EHOSTUNREACH; > > + if (!hdev) { > > + err = -EHOSTUNREACH; > > + goto done; > > + } > > hci_dev_lock(hdev); > > > > - lock_sock(sk); > > - > > Also are we sure we are not introducing a locking hierarchy problem > here? Previously we had hci_dev_lock then sock_lock now it is the > opposite, or perhaps we never want to have them at the same time? > > > /* Set destination address and psm */ > > bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr); > > > > -- > > 2.35.1.1021.g381101b075-goog > > > > > -- > Luiz Augusto von Dentz