On 9/13/22 19:39, Niels Dossche wrote:
> Accesses to hci_dev->remote_oob_data are protected by the hdev lock,
> except for the access in build_pairing_cmd via hci_find_remote_oob_data.
> Adding the lock around the access in build_pairing_cmd would cause a
> lock ordering problem: the l2cap_chan_lock is taken in the caller
> smp_conn_security, while the hdev lock should be taken before the chan
> lock.
> The solution is to add the hdev lock to the callsites of
> build_pairing_cmd.
>
> Fixes: 02b05bd8b0a6 ("Bluetooth: Set SMP OOB flag if OOB data is available")
> Signed-off-by: Niels Dossche <dossche.niels@xxxxxxxxx>
> ---
>
> Note:
> I am currently working on a static analyser to detect missing locks
> using type-based static analysis, which reported the missing lock on
> v6.0-rc5. I manually verified the report by looking at the code,
> so that I do not send wrong information or patches.
> After concluding that this seems to be a true positive, I created
> this patch. I have only managed to compile-test this patch on x86_64.
> After applying the patch, my analyser no longer reports the potential
> bug.
>
> net/bluetooth/smp.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
> index 11f853d0500f..6611a789b6c1 100644
> --- a/net/bluetooth/smp.c
> +++ b/net/bluetooth/smp.c
> @@ -1803,7 +1803,9 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
> return 0;
> }
>
> + hci_dev_lock(hdev);
> build_pairing_cmd(conn, req, &rsp, auth);
> + hci_dev_unlock(hdev);
>
> if (rsp.auth_req & SMP_AUTH_SC) {
> set_bit(SMP_FLAG_SC, &smp->flags);
> @@ -2335,7 +2337,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
> skb_pull(skb, sizeof(*rp));
>
> memset(&cp, 0, sizeof(cp));
> + hci_dev_lock(hdev);
> build_pairing_cmd(conn, &cp, NULL, auth);
> + hci_dev_unlock(hdev);
>
> smp->preq[0] = SMP_CMD_PAIRING_REQ;
> memcpy(&smp->preq[1], &cp, sizeof(cp));
> @@ -2380,6 +2384,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
> return 1;
> }
>
> + hci_dev_lock(hcon->hdev);
> l2cap_chan_lock(chan);
>
> /* If SMP is already in progress ignore this request */
> @@ -2435,6 +2440,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
>
> unlock:
> l2cap_chan_unlock(chan);
> + hci_dev_unlock(hcon->hdev);
> return ret;
> }
>
Please disregard this patch as this can cause a deadlock as I now tested this with the CI runner locally.
Sorry for the inconvenience.
First, the lock in smp_cmd_security_req is not needed. Second, there is still a lock ordering problem with the other two callsites.
smp_sig_chan can call both smp_cmd_pairing_req and smp_cmd_security_req, at which point the hdev lock is not taken and the race is possible as far as I know, so the lock would be necessary.
The problem is however that taking the lock inside smp_cmd_pairing_req and smp_cmd_security_req around build_pairing_cmd will cause a lock ordering problem as that means hdev lock is taken after the chan->lock.
I don't know how to approach this from here on.
Thanks
