Date: Fri, 28 Apr 2023 08:52:39 -0700
From: Stephen Hemminger
To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: Fw: [Bug 217383] New: Bluetooth: L2CAP: possible data race in __sco_sock_close()
Message-ID: <20230428085239.1cb74647@hermes.local>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Begin forwarded message:

Date: Fri, 28 Apr 2023 10:22:28 +0000
From: bugzilla-daemon@kernel.org
To: stephen@networkplumber.org
Subject: [Bug 217383] New: Bluetooth: L2CAP: possible data race in __sco_sock_close()

https://bugzilla.kernel.org/show_bug.cgi?id=217383

Bug ID: 217383
Summary: Bluetooth: L2CAP: possible data race in __sco_sock_close()
Product: Networking
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Other
Assignee: stephen@networkplumber.org
Reporter: islituo@gmail.com
Regression: No

Our static analysis tool finds a possible data race in the l2cap protocol in
Linux 6.3.0-rc7:

In most calling contexts, the variable sk->sk_socket is accessed while holding
the lock sk->sk_callback_lock. Here is an example:

  l2cap_sock_accept() --> Line 346 in net/bluetooth/l2cap_sock.c
  bt_accept_dequeue() --> Line 368 in net/bluetooth/l2cap_sock.c
  sock_graft() --> Line 240 in net/bluetooth/af_bluetooth.c
  write_lock_bh(&sk->sk_callback_lock); --> Line 2081 in include/net/sock.h (Lock sk->sk_callback_lock)
  sk_set_socket() --> Line 2084 in include/net/sock.h
  sk->sk_socket = sock; --> Line 2054 in include/net/sock.h (Access sk->sk_socket)

However, in the following calling context:

  sco_sock_shutdown() --> Line 1227 in net/bluetooth/sco.c
  __sco_sock_close() --> Line 1243 in net/bluetooth/sco.c
  BT_DBG(..., sk->sk_socket); --> Line 431 in net/bluetooth/sco.c (Access sk->sk_socket)

the variable sk->sk_socket is accessed without holding the lock
sk->sk_callback_lock, and thus a data race may occur.

Reported-by: BassCheck

--
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.
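
The reasoning in the report above (a lock that guards a variable in most calling contexts, and one context that skips it) can be sketched as a small lockset-consistency check. This is an added example, not part of the original message and not BassCheck's implementation; the two `hypothetical_ctx_*` traces, the event encoding and the 0.7 threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict

LOCK, VAR = "sk->sk_callback_lock", "sk->sk_socket"

# Constructed event traces. The first two model the calling contexts quoted in
# the report; the hypothetical_ctx_* entries are invented to stand in for the
# "most calling contexts" the report mentions but does not list.
TRACES = {
    "l2cap_sock_accept": [("lock", LOCK), ("access", VAR), ("unlock", LOCK)],
    "sco_sock_shutdown": [("access", VAR)],
    "hypothetical_ctx_1": [("lock", LOCK), ("access", VAR), ("unlock", LOCK)],
    "hypothetical_ctx_2": [("lock", LOCK), ("access", VAR), ("unlock", LOCK)],
}

def collect_accesses(traces):
    """Return {variable: [(context, locks_held_at_access), ...]}."""
    accesses = defaultdict(list)
    for context, events in traces.items():
        held = set()
        for kind, name in events:
            if kind == "lock":
                held.add(name)
            elif kind == "unlock":
                held.discard(name)
            elif kind == "access":
                accesses[name].append((context, frozenset(held)))
    return accesses

def find_inconsistent(traces, threshold=0.7):
    """Flag accesses that miss a lock held in >= threshold of all accesses."""
    findings = []
    for var, sites in collect_accesses(traces).items():
        # Count, per lock, how many access sites of this variable hold it.
        counts = Counter(lock for _, held in sites for lock in held)
        guards = {l for l, n in counts.items() if n / len(sites) >= threshold}
        for context, held in sites:
            for lock in sorted(guards - held):
                findings.append((context, var, lock))
    return findings

if __name__ == "__main__":
    for context, var, lock in find_inconsistent(TRACES):
        print(f"{context}: {var} accessed without {lock}")
```

With only the two contexts quoted in the report the lock is held in half of the accesses, which is below the threshold, so nothing is flagged; the finding depends on the wider set of locked contexts.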