From: Edward Adam Davis
To: luiz.dentz@gmail.com
Cc: eadavis@qq.com, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, syzbot+b7f6f8c9303466e16c8a@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: [PATCH v2] bluetooth/l2cap: sync sock recv cb and release
Date: Sat, 15 Jun 2024 09:45:54 +0800
X-OQ-MSGID: <20240615014553.3405535-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-bluetooth@vger.kernel.org

The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection.

CPU0                      CPU1
----                      ----
sock_close                hci_rx_work
l2cap_sock_release        hci_acldata_packet
l2cap_sock_kill           l2cap_recv_frame
sk_free                   l2cap_conless_channel
                          l2cap_sock_recv_cb

If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; otherwise, the work thread may access the released sock when receiving data.

Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb.

Sock is dead, so set chan data to NULL to avoid others using an invalid sock pointer.

Reported-and-tested-by: syzbot+b7f6f8c9303466e16c8a@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis
---
 net/bluetooth/l2cap_sock.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 6db60946c627..f45cdf9bc985 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1239,6 +1239,10 @@ static void l2cap_sock_kill(struct sock *sk) BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); + /* Sock is dead, so set chan data to NULL, avoid other task use invalid + * sock pointer. + */ + l2cap_pi(sk)->chan->data = NULL; /* Kill poor orphan */ l2cap_chan_put(l2cap_pi(sk)->chan); @@ -1481,12 +1485,25 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) { - struct sock *sk = chan->data; - struct l2cap_pinfo *pi = l2cap_pi(sk); + struct sock *sk; + struct l2cap_pinfo *pi; int err; - lock_sock(sk); + /* To avoid race with sock_release, a chan lock needs to be added here + * to synchronize the sock. + */ + l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + sk = chan->data; + if (!sk) { + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + return -ENXIO; + } + + pi = l2cap_pi(sk); + lock_sock(sk); if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) { err = -ENOMEM; goto done; @@ -1535,6 +1552,8 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) done: release_sock(sk); + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); return err; } -- 2.43.0
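Review bot: in the l2cap_sock_kill hunk, the store `l2cap_pi(sk)->chan->data = NULL;` is not shown under l2cap_chan_lock(), while the reader added to l2cap_sock_recv_cb checks chan->data only after taking the chan lock. Unless every caller of l2cap_sock_kill already holds the chan lock, the NULL check is not ordered against this store and the window the commit message describes stays open; either take the chan lock around the assignment or state in the comment which lock protects chan->data. The comment itself would read better as "Sock is dead, so clear chan->data to stop other tasks using a stale sock pointer."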
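Review bot: the l2cap_sock_recv_cb hunk now acquires l2cap_chan_lock(chan) and then lock_sock(sk); if any other path takes the sock lock first and the chan lock second, this is an AB/BA inversion, so the socket shutdown and release paths should be run under lockdep to confirm the ordering. Two smaller points on the same hunk: the `l2cap_chan_hold(chan)` / `l2cap_chan_put(chan)` pair needs a justification in the comment, because the caller invoking chan->ops->recv(chan, skb) must already hold a reference for `chan` to be valid at all; and the new `return -ENXIO;` leaves the skb unconsumed, so l2cap_conless_channel and the other ops->recv callers need to be checked to free it on a non-zero return. Finally, "a chan lock needs to be added here" describes the edit rather than the invariant; "chan->data is only stable under the chan lock" is what a future reader needs.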
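Review bot: with the chan lock and the extra reference now held across the whole body of l2cap_sock_recv_cb, every exit between lock_sock(sk) and `done:` has to pass through this label; the -ENOMEM path visible in the previous hunk does so via `goto done`, but any other early `return` in the part of the function the diff does not show would now leak both the chan lock and the reference, so the whole function deserves a pass. The unlock order here (release_sock, then l2cap_chan_unlock, then l2cap_chan_put) is the correct reverse of acquisition.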
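The commit message describes the close()/hci_rx_work race and the protocol the patch adds against it: the receive callback takes a channel reference and the channel lock, reads `chan->data` only under that lock and bails out when it is NULL, while teardown clears the pointer before dropping the socket's reference on the channel. As an added stand-alone illustration, not code from the patch or from the kernel, the following single-threaded C model walks through that protocol with constructed names (`toy_chan`, `toy_sock`, `sock_recv_cb`, `sock_kill`, `run_scenario`); the chan lock is a flag that asserts exclusion rather than a real mutex, and, unlike the patch, the model takes that lock around the store of NULL.

```c
/* Added example, not code from the patch or the kernel: a single-threaded
 * user-space model of the teardown/receive protocol the patch applies to
 * l2cap_chan and its owning socket.  All names are constructed. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct toy_sock {
	int received;           /* frames delivered to this socket */
};

struct toy_chan {
	int refcnt;             /* l2cap_chan_hold()/l2cap_chan_put() analogue */
	bool locked;            /* l2cap_chan_lock() analogue: a flag that asserts
	                         * mutual exclusion instead of blocking */
	struct toy_sock *data;  /* chan->data: owning socket, NULL once it is dead */
	int frees;              /* times the last reference was dropped (must be 1) */
};

static void chan_lock(struct toy_chan *c)   { assert(!c->locked); c->locked = true; }
static void chan_unlock(struct toy_chan *c) { assert(c->locked);  c->locked = false; }
static void chan_hold(struct toy_chan *c)   { c->refcnt++; }

/* Drop a reference; the last put "frees" the channel.  The struct is left in
 * place so the counters can be inspected afterwards. */
static void chan_put(struct toy_chan *c)
{
	assert(c->refcnt > 0);
	if (--c->refcnt == 0)
		c->frees++;     /* stands in for kfree() */
}

/* Receive callback, mirroring the patched l2cap_sock_recv_cb: take a reference
 * and the chan lock, read chan->data only under that lock, and return -ENXIO
 * when the socket has already been detached. */
static int sock_recv_cb(struct toy_chan *chan)
{
	struct toy_sock *sk;

	chan_hold(chan);
	chan_lock(chan);
	sk = chan->data;
	if (!sk) {
		chan_unlock(chan);
		chan_put(chan);
		return -ENXIO;
	}
	sk->received++;         /* stands in for __sock_queue_rcv_skb() */
	chan_unlock(chan);
	chan_put(chan);
	return 0;
}

/* Teardown, mirroring l2cap_sock_kill: detach the socket from the channel
 * before the socket's reference on the channel is dropped.  The model takes
 * the chan lock around the store so the reader's NULL check is ordered
 * against it (the patch itself stores without the lock). */
static void sock_kill(struct toy_chan *chan, struct toy_sock *sk)
{
	chan_lock(chan);
	chan->data = NULL;
	chan_unlock(chan);
	free(sk);
	chan_put(chan);
}

struct scenario {
	int before_close;  /* recv result while the socket is open: 0 */
	int after_close;   /* recv result after close(): -ENXIO */
	int delivered;     /* frames queued before close: 1 */
	int frees;         /* channel freed exactly once: 1 */
};

/* One frame arrives before close(), a second one interleaves with it in the
 * order the commit message gives: the rx worker has already looked the channel
 * up (taken a reference) when the socket is killed, then runs the callback. */
static struct scenario run_scenario(void)
{
	struct scenario r;
	struct toy_chan chan = { .refcnt = 1 };   /* the socket's own reference */
	struct toy_sock *sk = calloc(1, sizeof(*sk));

	chan.data = sk;

	chan_hold(&chan);                         /* rx worker: channel lookup */
	r.before_close = sock_recv_cb(&chan);
	chan_put(&chan);
	r.delivered = sk->received;

	chan_hold(&chan);                         /* rx worker: lookup for frame 2 */
	sock_kill(&chan, sk);                     /* close() races in here */
	r.after_close = sock_recv_cb(&chan);      /* rejected, socket is gone */
	chan_put(&chan);                          /* last reference: channel freed */

	r.frees = chan.frees;
	return r;
}

int main(void)
{
	struct scenario r = run_scenario();

	printf("before close: %d, after close: %d (-ENXIO is %d), delivered: %d, frees: %d\n",
	       r.before_close, r.after_close, -ENXIO, r.delivered, r.frees);
	return 0;
}
```

The point the model makes is the reference-counting side of the fix: the late frame is only rejected cleanly because the rx worker's lookup reference keeps the channel alive across the socket's `chan_put`, so the callback has a valid channel to lock and inspect even though the socket behind it is gone.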