Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp452903rwb; Wed, 18 Jan 2023 20:52:03 -0800 (PST) X-Google-Smtp-Source: AMrXdXtCiqNDr7vqDBCQarUmXmOXeM5nKFI5M/aiOlw5JyHvjmBBzIHRQemRs+JDLY7Ox1xwxTE9 X-Received: by 2002:a17:906:2ed1:b0:877:7113:71f3 with SMTP id s17-20020a1709062ed100b00877711371f3mr1364193eji.25.1674103923325; Wed, 18 Jan 2023 20:52:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674103923; cv=none; d=google.com; s=arc-20160816; b=V7jJlfiFQQlvx9ahZlN4NtK7839QT8N+7E3oPoZAZ9k6LqBvEgL/p+qjP3s4fTXx/n V/VwjQEcocxE3anuAvD92rNuqyQRSy/0EpP7kJ26jG775FAq9jDpe0yXnwHSOeWvKdBW +W3FlTz2AQb7pepDo7J0CFtLuQ3o+ZvsCh2OB/FqmjAoniUc2C4eYwm9A3h3vf74JpoL DAMWRp1Rk5Auzc9Bfgk8jWV9VEM2Uo0lSjI8BAfoPW5QMAOSoD7UxXonvyy+EOwbBT6C iQ4uue2KP2pa7aFTXvEUGGqftlj7aGG712uKgetdICvQYRhFDY6AJLE+lCiOPt0ytz1e 3OKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=gYdaFetUPf0E0ye7Z3ZJlSmRWJOtaHOZWbhbExkiyx8=; b=XO68m6akqhc33s0LIeaN16B7uxinqHRUODeuwPb6I7YDEqmAR12U6KlkMIIEDYxBgw T/kDUUtxutAch/TMLlVA9r6klPCuaWH4NNmtnx8pUshQphVl9uKahyExIYOi4A3nNUc/ RDH4fWrjcOAyRIRUskaaIShc5kJLq8Mo6FXFrHRG3TBAiDqqI3qAG7Kv4AiZDa7y2xAG 5WekdPuqg8LXIEZfSFDw3bKgDcnvSHXmleQS2un2QHCfBhVTA5ahIQ2qkLqXOd3TObOX GivF/xBIu23kZ9uIYxWhowP9kx1JRD0XxkdLF55AdGL3YTjo6QcyuRr4LUQR+BO2zkZi WqsQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=oD5uLA0y; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f17-20020a056402355100b0049db9ebb057si18815384edd.571.2023.01.18.20.51.31; Wed, 18 Jan 2023 20:52:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=oD5uLA0y; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230341AbjASElS (ORCPT + 99 others); Wed, 18 Jan 2023 23:41:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58148 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230326AbjASEkf (ORCPT ); Wed, 18 Jan 2023 23:40:35 -0500 Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F9CD6C558 for ; Wed, 18 Jan 2023 20:38:53 -0800 (PST) Received: by mail-yb1-xb2d.google.com with SMTP id 66so1107137yba.4 for ; Wed, 18 Jan 2023 20:38:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gYdaFetUPf0E0ye7Z3ZJlSmRWJOtaHOZWbhbExkiyx8=; b=oD5uLA0y/00qtaZD98y+906UbmyKCQ91Umx0p1OmhRh1HjdSOThxXCzmSIAMlnkLsz QmK4AMU5cifY6S/eqpC3BrBqPm8ZjbimNTFWEFOTw1h4KrXN+yCwGIG7ptzsQ4qBWA07 k44GyPHq9OxtUpubkZW3Pr+sVRph8cLT8kM+BybuBNZyINZ1qrnQHWW13+UflMUYSr0l iMPa7DklAsIJ0k/92neTiXESaKe2EBJcShKGhVvQVKWVR/Jjhh5FPH6HjQYGVlgtG4m+ JQPMTAjNovYZQXsxSNppricUSA6IWDHK/5gTYgSqzOrlLUrGyn7EVPbPgR4jIlbj8GAP 8KQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gYdaFetUPf0E0ye7Z3ZJlSmRWJOtaHOZWbhbExkiyx8=; b=J1VE3cDcSQOhDzdDCaIRY5lwRJ+c3lLcjIRqDdFsLsdtX1aQ21KLS6pJW7jw75Ta++ KpLc19/vmAMmcyq82lruppeKpkEcsIHzTLPb5+IfCR8BTMUxuwupQ+pbxmy5VBgl6W4E 74q4sPnMalYY/sql5pA+M0D2WEMkmq5y4+udr65HbZEl68S0go9Zlyo1r01MRoAmalc2 qAENW6uZaZ+gUy5MhReWe57f4xwgba7KxudfQUDBq2Chs6FibotKmeqHK16ZGaVjgQFO z4SMvEP9YSvJq0qlFn8UNgltX5EWMAv6i1nI8Ycai/Kg7Wgz0CkPhKfy+rdaWwZ1NtsJ wOOQ== X-Gm-Message-State: AFqh2kp3AmF5a7oPy5PpwEsSzyuW/9f3OI1VZu4gIXlru2oJ1utrp6K7 Q6k0prA9uJcdBbAGtxSbdWYtdFAoQE5DIyAI6SV7/pCILeiYjrCj X-Received: by 2002:a81:351:0:b0:36c:aaa6:e571 with SMTP id 78-20020a810351000000b0036caaa6e571mr859614ywd.467.1674101784903; Wed, 18 Jan 2023 20:16:24 -0800 (PST) MIME-Version: 1.0 References: <20230119013405.3870506-1-iam@sung-woo.kim> In-Reply-To: <20230119013405.3870506-1-iam@sung-woo.kim> From: Eric Dumazet Date: Thu, 19 Jan 2023 05:16:13 +0100 Message-ID: Subject: Re: [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb To: Sungwoo Kim Cc: daveti@purdue.edu, wuruoyu@me.com, benquike@gmail.com, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Jakub Kicinski , Paolo Abeni , "open list:BLUETOOTH SUBSYSTEM" , "open list:NETWORKING [GENERAL]" , open list Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org On Thu, Jan 19, 2023 at 2:35 AM Sungwoo Kim wrote: > > The L2CAP socket shutdown invokes l2cap_sock_destruct without a lock > on conn->chan_lock, assigning NULL to chan->data *just before* > the l2cap_disconnect_req thread that accesses to chan->data. This is racy then ? > This patch prevent it by adding a null check for a workaround, instead > of fixing a lock. This would at least require some barriers I think. What about other _cb helpers also reading/using chan->data ? > > This bug is found by FuzzBT, a modified Syzkaller by Sungwoo Kim(me). > Ruoyu Wu(wuruoyu@me.com) and Hui Peng(benquike@gmail.com) has helped > the FuzzBT project. > > Signed-off-by: Sungwoo Kim I would also add Fixes: 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()") > --- > net/bluetooth/l2cap_sock.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c > index ca8f07f35..350c7afdf 100644 > --- a/net/bluetooth/l2cap_sock.c > +++ b/net/bluetooth/l2cap_sock.c > @@ -1681,9 +1681,11 @@ static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) > { > struct sock *sk = chan->data; > Other similar fixes simply do: if (!sk) return; I would chose to use the same coding style in net/bluetooth/l2cap_sock.c > - lock_sock(sk); > - sk->sk_shutdown = SHUTDOWN_MASK; > - release_sock(sk); > + if (!sk) { > + lock_sock(sk); > + sk->sk_shutdown = SHUTDOWN_MASK; > + release_sock(sk); > + } > } > > static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) > -- > 2.25.1 >