Re: [PATCH v2] Bluetooth: protect remote oob data in build_pairing_cmd's callsites

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/13/22 19:39, Niels Dossche wrote:
> Accesses to hci_dev->remote_oob_data are protected by the hdev lock,
> except for the access in build_pairing_cmd via hci_find_remote_oob_data.
> Adding the lock around the access in build_pairing_cmd would cause a
> lock ordering problem: the l2cap_chan_lock is taken in the caller
> smp_conn_security, while the hdev lock should be taken before the chan
> lock.
> The solution is to add the hdev lock to the callsites of
> build_pairing_cmd.
> 
> Fixes: 02b05bd8b0a6 ("Bluetooth: Set SMP OOB flag if OOB data is available")
> Signed-off-by: Niels Dossche <dossche.niels@xxxxxxxxx>
> ---
> 
> Note:
> I am currently working on a static analyser to detect missing locks
> using type-based static analysis, which reported the missing lock on
> v6.0-rc5. I manually verified the report by looking at the code,
> so that I do not send wrong information or patches.
> After concluding that this seems to be a true positive, I created
> this patch. I have only managed to compile-test this patch on x86_64.
> After applying the patch, my analyser no longer reports the potential
> bug.
> 
>  net/bluetooth/smp.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
> index 11f853d0500f..6611a789b6c1 100644
> --- a/net/bluetooth/smp.c
> +++ b/net/bluetooth/smp.c
> @@ -1803,7 +1803,9 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
>  		return 0;
>  	}
>  
> +	hci_dev_lock(hdev);
>  	build_pairing_cmd(conn, req, &rsp, auth);
> +	hci_dev_unlock(hdev);
>  
>  	if (rsp.auth_req & SMP_AUTH_SC) {
>  		set_bit(SMP_FLAG_SC, &smp->flags);
> @@ -2335,7 +2337,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
>  	skb_pull(skb, sizeof(*rp));
>  
>  	memset(&cp, 0, sizeof(cp));
> +	hci_dev_lock(hdev);
>  	build_pairing_cmd(conn, &cp, NULL, auth);
> +	hci_dev_unlock(hdev);
>  
>  	smp->preq[0] = SMP_CMD_PAIRING_REQ;
>  	memcpy(&smp->preq[1], &cp, sizeof(cp));
> @@ -2380,6 +2384,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
>  		return 1;
>  	}
>  
> +	hci_dev_lock(hcon->hdev);
>  	l2cap_chan_lock(chan);
>  
>  	/* If SMP is already in progress ignore this request */
> @@ -2435,6 +2440,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
>  
>  unlock:
>  	l2cap_chan_unlock(chan);
> +	hci_dev_unlock(hcon->hdev);
>  	return ret;
>  }
>  

Please disregard this patch as this can cause a deadlock as I now tested this with the CI runner locally.
Sorry for the inconvenience.

First, the lock in smp_cmd_security_req is not needed. Second, there is still a lock ordering problem with the other two callsites.
smp_sig_chan can call both smp_cmd_pairing_req and smp_cmd_security_req, at which point the hdev lock is not taken and the race is possible as far as I know, so the lock would be necessary.
The problem is however that taking the lock inside smp_cmd_pairing_req and smp_cmd_security_req around build_pairing_cmd will cause a lock ordering problem as that means hdev lock is taken after the chan->lock.
I don't know how to approach this from here on.
Thanks



[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux