Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-10-23 21:50:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
654e6f7700
linux/include
History
Tetsuo Handa 58ce6d5b27 Bluetooth: defer cleanup of resources in hci_unregister_dev() 
syzbot is hitting might_sleep() warning at hci_sock_dev_event()
due to calling lock_sock() with rw spinlock held [1].

It seems that history of this locking problem is a trial and error.

Commit b40df5743e ("[PATCH] bluetooth: fix socket locking in
hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to lock_sock()
as an attempt to fix lockdep warning.

Then, commit 4ce61d1c7a ("[BLUETOOTH]: Fix locking in
hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
local_bh_disable() + bh_lock_sock_nested() as an attempt to fix
sleep in atomic context warning.

Then, commit 4b5dd696f8 ("Bluetooth: Remove local_bh_disable() from
hci_sock.c") in 3.3-rc1 removed local_bh_disable().

Then, commit e305509e67 ("Bluetooth: use correct lock to prevent UAF
of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
lock_sock() as an attempt to fix CVE-2021-3573.

This difficulty comes from current implementation that
hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
references from sockets because hci_unregister_dev() immediately reclaims
resources as soon as returning from hci_sock_dev_event(HCI_DEV_UNREG).
But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
doing what it should do.

Therefore, instead of trying to detach sockets from device, let's accept
not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
by moving actual cleanup of resources from hci_unregister_dev() to
hci_release_dev() which is called by bt_host_release when all references
to this unregistered device (which is a kobject) are gone.

Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
Fixes: e305509e67 ("Bluetooth: use correct lock to prevent UAF of hdev object")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2021-07-28 15:42:21 -07:00
..
acpi IOMMU Updates for Linux v5.14 2021-07-02 13:22:47 -07:00
asm-generic This pull request contains the following changes for UML: 2021-07-09 10:19:13 -07:00
clocksource
crypto crypto: scatterwalk - Remove obsolete PageSlab check 2021-06-28 11:28:08 +08:00
drm drm/amd/display: Partition DPCD address space and break up transactions 2021-06-15 17:25:41 -04:00
dt-bindings ARM: Drivers for 5.14 2021-07-10 09:46:20 -07:00
keys
kunit linux-kselftest-kunit-fixes-5.14-rc1 2021-07-02 12:58:26 -07:00
kvm
linux net: bridge: move the switchdev object replay helpers to "push" mode 2021-07-22 00:26:23 -07:00
math-emu
media media: Fix Media Controller API config checks 2021-06-24 14:26:00 +02:00
memory
misc
net Bluetooth: defer cleanup of resources in hci_unregister_dev() 2021-07-28 15:42:21 -07:00
pcmcia
ras
rdma IB/core: Shuffle locks in ib_port_data to save memory 2021-06-21 20:49:32 -03:00
scsi SCSI misc on 20210702 2021-07-02 15:14:36 -07:00
soc ARM: Drivers for 5.14 2021-07-10 09:46:20 -07:00
sound ASoC: Updates for v5.14 2021-07-01 08:36:12 +02:00
target
trace Merge branch 'core-rcu-2021.07.04' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu 2021-07-04 12:58:33 -07:00
uapi ipv6: ioam: Support for IOAM injection with lwtunnels 2021-07-21 08:14:33 -07:00
vdso
video
xen xen: sync include/xen/interface/io/ring.h with Xen's newest version 2021-07-05 09:49:45 +02:00