Patch "Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt" has been added to the 6.2-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-sco-fix-possible-circular-locking-dependen.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 84491013e7f9617b31d31dd872d57d28f0bfd23c
Author: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date:   Thu Mar 30 14:45:03 2023 -0700

    Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt
    
    [ Upstream commit 975abc0c90fc485ff9b4a6afa475c3b1398d5d47 ]
    
    This attempts to fix the following trace:
    
    ======================================================
    WARNING: possible circular locking dependency detected
    6.3.0-rc2-g68fcb3a7bf97 #4706 Not tainted
    ------------------------------------------------------
    sco-tester/31 is trying to acquire lock:
    ffff8880025b8070 (&hdev->lock){+.+.}-{3:3}, at:
    sco_sock_getsockopt+0x1fc/0xa90
    
    but task is already holding lock:
    ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
    sco_sock_getsockopt+0x104/0xa90
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
           lock_sock_nested+0x32/0x80
           sco_connect_cfm+0x118/0x4a0
           hci_sync_conn_complete_evt+0x1e6/0x3d0
           hci_event_packet+0x55c/0x7c0
           hci_rx_work+0x34c/0xa00
           process_one_work+0x575/0x910
           worker_thread+0x89/0x6f0
           kthread+0x14e/0x180
           ret_from_fork+0x2b/0x50
    
    -> #1 (hci_cb_list_lock){+.+.}-{3:3}:
           __mutex_lock+0x13b/0xcc0
           hci_sync_conn_complete_evt+0x1ad/0x3d0
           hci_event_packet+0x55c/0x7c0
           hci_rx_work+0x34c/0xa00
           process_one_work+0x575/0x910
           worker_thread+0x89/0x6f0
           kthread+0x14e/0x180
           ret_from_fork+0x2b/0x50
    
    -> #0 (&hdev->lock){+.+.}-{3:3}:
           __lock_acquire+0x18cc/0x3740
           lock_acquire+0x151/0x3a0
           __mutex_lock+0x13b/0xcc0
           sco_sock_getsockopt+0x1fc/0xa90
           __sys_getsockopt+0xe9/0x190
           __x64_sys_getsockopt+0x5b/0x70
           do_syscall_64+0x42/0x90
           entry_SYSCALL_64_after_hwframe+0x70/0xda
    
    other info that might help us debug this:
    
    Chain exists of:
      &hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
    
     Possible unsafe locking scenario:
    
           CPU0                    CPU1
           ----                    ----
      lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
                                   lock(hci_cb_list_lock);
                                   lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
      lock(&hdev->lock);
    
     *** DEADLOCK ***
    
    1 lock held by sco-tester/31:
     #0: ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0},
     at: sco_sock_getsockopt+0x104/0xa90
    
    Fixes: 248733e87d50 ("Bluetooth: Allow querying of supported offload codecs over SCO socket")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 1111da4e2f2bd..1755f91a66f6a 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -1129,6 +1129,8 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
 			break;
 		}
 
+		release_sock(sk);
+
 		/* find total buffer size required to copy codec + caps */
 		hci_dev_lock(hdev);
 		list_for_each_entry(c, &hdev->local_codecs, list) {
@@ -1146,15 +1148,13 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
 		buf_len += sizeof(struct bt_codecs);
 		if (buf_len > len) {
 			hci_dev_put(hdev);
-			err = -ENOBUFS;
-			break;
+			return -ENOBUFS;
 		}
 		ptr = optval;
 
 		if (put_user(num_codecs, ptr)) {
 			hci_dev_put(hdev);
-			err = -EFAULT;
-			break;
+			return -EFAULT;
 		}
 		ptr += sizeof(num_codecs);
 
@@ -1194,12 +1194,14 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
 			ptr += len;
 		}
 
-		if (!err && put_user(buf_len, optlen))
-			err = -EFAULT;
-
 		hci_dev_unlock(hdev);
 		hci_dev_put(hdev);
 
+		lock_sock(sk);
+
+		if (!err && put_user(buf_len, optlen))
+			err = -EFAULT;
+
 		break;
 
 	default:



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux