linux-bluetooth.vger.kernel.org archive mirror
* RE: Bluetooth: Fix deadlock in vhci_send_frame
  2023-11-03 14:21 [PATCH] " Ying Hsu
@ 2023-11-03 15:06 ` bluez.test.bot
  0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2023-11-03 15:06 UTC (permalink / raw)
  To: linux-bluetooth, yinghsu


This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=798639

---Test result---

Test Summary:
CheckPatch                    PASS      0.79 seconds
GitLint                       PASS      0.36 seconds
SubjectPrefix                 PASS      3.94 seconds
BuildKernel                   PASS      40.13 seconds
CheckAllWarning               PASS      44.06 seconds
CheckSparse                   PASS      49.80 seconds
CheckSmatch                   PASS      136.54 seconds
BuildKernel32                 PASS      39.18 seconds
TestRunnerSetup               PASS      610.28 seconds
TestRunner_l2cap-tester       PASS      35.23 seconds
TestRunner_iso-tester         PASS      61.21 seconds
TestRunner_bnep-tester        PASS      12.08 seconds
TestRunner_mgmt-tester        PASS      252.64 seconds
TestRunner_rfcomm-tester      PASS      19.00 seconds
TestRunner_sco-tester         PASS      22.07 seconds
TestRunner_ioctl-tester       PASS      21.47 seconds
TestRunner_mesh-tester        PASS      15.95 seconds
TestRunner_smp-tester         PASS      18.90 seconds
TestRunner_userchan-tester    PASS      13.31 seconds
IncrementalBuild              PASS      38.35 seconds



---
Regards,
Linux Bluetooth



* [PATCH 5.10/5.15 0/1] Bluetooth: Fix deadlock in vhci_send_frame
@ 2024-02-21 14:57 Daniil Dulov
  2024-02-21 14:57 ` [PATCH 5.10/5.15 1/1] " Daniil Dulov
  0 siblings, 1 reply; 4+ messages in thread
From: Daniil Dulov @ 2024-02-21 14:57 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: Daniil Dulov, Marcel Holtmann, Johan Hedberg,
	Luiz Augusto von Dentz, Arkadiusz Bokowy, linux-bluetooth,
	linux-kernel, lvc-project

Syzkaller reports a potential circular dependency leading to a deadlock
in the 5.10 and 5.15 stable releases, since commit
92d4abd66f70 ("Bluetooth: vhci: Fix race when opening vhci device"),
which caused this crash, was backported to these branches.
The problem has been fixed by the following upstream patch, which was
adapted to 5.10 and 5.15. All of the changes made to the patch
in order to adapt it are described at the end of the commit message.

This patch has already been backported to the following stable branches:
v6.6 - https://lore.kernel.org/stable/20231230115814.038261305@linuxfoundation.org/
v6.1 - https://lore.kernel.org/stable/20231230115807.749489379@linuxfoundation.org/

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.


* [PATCH 5.10/5.15 1/1] Bluetooth: Fix deadlock in vhci_send_frame
  2024-02-21 14:57 [PATCH 5.10/5.15 0/1] Bluetooth: Fix deadlock in vhci_send_frame Daniil Dulov
@ 2024-02-21 14:57 ` Daniil Dulov
  2024-02-21 15:13   ` bluez.test.bot
  0 siblings, 1 reply; 4+ messages in thread
From: Daniil Dulov @ 2024-02-21 14:57 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: Daniil Dulov, Marcel Holtmann, Johan Hedberg,
	Luiz Augusto von Dentz, Arkadiusz Bokowy, linux-bluetooth,
	linux-kernel, lvc-project, Ying Hsu, Luiz Augusto von Dentz

From: Ying Hsu <yinghsu@chromium.org>

commit 769bf60e17ee1a56a81e7c031192c3928312c52e upstream.

syzbot found a potential circular dependency leading to a deadlock:
    -> #3 (&hdev->req_lock){+.+.}-{3:3}:
    __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
    __mutex_lock kernel/locking/mutex.c:732 [inline]
    mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
    hci_dev_do_close+0x3f/0x9f net/bluetooth/hci_core.c:551
    hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
    rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
    rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
    vfs_write+0x277/0xcf5 fs/read_write.c:594
    ksys_write+0x19b/0x2bd fs/read_write.c:650
    do_syscall_x64 arch/x86/entry/common.c:55 [inline]
    do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
    entry_SYSCALL_64_after_hwframe+0x61/0xcb

    -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
    __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
    __mutex_lock kernel/locking/mutex.c:732 [inline]
    mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
    rfkill_register+0x30/0x7e3 net/rfkill/core.c:1045
    hci_register_dev+0x48f/0x96d net/bluetooth/hci_core.c:2622
    __vhci_create_device drivers/bluetooth/hci_vhci.c:341 [inline]
    vhci_create_device+0x3ad/0x68f drivers/bluetooth/hci_vhci.c:374
    vhci_get_user drivers/bluetooth/hci_vhci.c:431 [inline]
    vhci_write+0x37b/0x429 drivers/bluetooth/hci_vhci.c:511
    call_write_iter include/linux/fs.h:2109 [inline]
    new_sync_write fs/read_write.c:509 [inline]
    vfs_write+0xaa8/0xcf5 fs/read_write.c:596
    ksys_write+0x19b/0x2bd fs/read_write.c:650
    do_syscall_x64 arch/x86/entry/common.c:55 [inline]
    do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
    entry_SYSCALL_64_after_hwframe+0x61/0xcb

    -> #1 (&data->open_mutex){+.+.}-{3:3}:
    __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
    __mutex_lock kernel/locking/mutex.c:732 [inline]
    mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
    vhci_send_frame+0x68/0x9c drivers/bluetooth/hci_vhci.c:75
    hci_send_frame+0x1cc/0x2ff net/bluetooth/hci_core.c:2989
    hci_sched_acl_pkt net/bluetooth/hci_core.c:3498 [inline]
    hci_sched_acl net/bluetooth/hci_core.c:3583 [inline]
    hci_tx_work+0xb94/0x1a60 net/bluetooth/hci_core.c:3654
    process_one_work+0x901/0xfb8 kernel/workqueue.c:2310
    worker_thread+0xa67/0x1003 kernel/workqueue.c:2457
    kthread+0x36a/0x430 kernel/kthread.c:319
    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

    -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
    check_prev_add kernel/locking/lockdep.c:3053 [inline]
    check_prevs_add kernel/locking/lockdep.c:3172 [inline]
    validate_chain kernel/locking/lockdep.c:3787 [inline]
    __lock_acquire+0x2d32/0x77fa kernel/locking/lockdep.c:5011
    lock_acquire+0x273/0x4d5 kernel/locking/lockdep.c:5622
    __flush_work+0xee/0x19f kernel/workqueue.c:3090
    hci_dev_close_sync+0x32f/0x1113 net/bluetooth/hci_sync.c:4352
    hci_dev_do_close+0x47/0x9f net/bluetooth/hci_core.c:553
    hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
    rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
    rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
    vfs_write+0x277/0xcf5 fs/read_write.c:594
    ksys_write+0x19b/0x2bd fs/read_write.c:650
    do_syscall_x64 arch/x86/entry/common.c:55 [inline]
    do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
    entry_SYSCALL_64_after_hwframe+0x61/0xcb

This change removes the need for acquiring the open_mutex in
vhci_send_frame, thus eliminating the potential deadlock while
maintaining the required packet ordering.

Fixes: 92d4abd66f70 ("Bluetooth: vhci: Fix race when opening vhci device")
Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[Daniil: In order to adapt this patch to branches 5.10 and 5.15
redundant fields of struct vhci_data were removed as these fields are
not used in 5.10 and 5.15.]
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
 drivers/bluetooth/hci_vhci.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 31d70bad83d2..93773ec90795 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -11,6 +11,7 @@
 #include <linux/module.h>
 #include <asm/unaligned.h>
 
+#include <linux/atomic.h>
 #include <linux/kernel.h>
 #include <linux/init.h>
 #include <linux/slab.h>
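Review bot: this is the hunk the bluez CI reply reports as not applying ("patch failed: drivers/bluetooth/hci_vhci.c:11"); since the commit message states this is upstream commit 769bf60e17ee, the bluetooth tree HEAD already carries the change and the failure is expected for a 5.10/5.15-only backport rather than a defect in the patch. The include itself is the right one for atomic_t, atomic_inc() and atomic_read() used below; nothing further needed here.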
@@ -37,6 +38,7 @@ struct vhci_data {
 
 	struct mutex open_mutex;
 	struct delayed_work open_timeout;
+	atomic_t initialized;
 };
 
 static int vhci_open_dev(struct hci_dev *hdev)
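Review bot: `initialized` gets no explicit initializer anywhere in this patch, so the gate added to vhci_send_frame relies on the struct vhci_data allocation being zero-filled. Worth confirming that the 5.10/5.15 vhci_open allocates it with kzalloc (not visible in this hunk) or adding an explicit `atomic_set(&data->initialized, 0);` at allocation time. A one-line comment on the field would also help, since nothing in the struct says it gates the reader wake-up until the vendor setup packet has been queued.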
@@ -68,11 +70,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
-	mutex_lock(&data->open_mutex);
 	skb_queue_tail(&data->readq, skb);
-	mutex_unlock(&data->open_mutex);
 
-	wake_up_interruptible(&data->read_wait);
+	if (atomic_read(&data->initialized))
+		wake_up_interruptible(&data->read_wait);
 	return 0;
 }
 
@@ -139,7 +140,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 	skb_put_u8(skb, 0xff);
 	skb_put_u8(skb, opcode);
 	put_unaligned_le16(hdev->id, skb_put(skb, 2));
-	skb_queue_tail(&data->readq, skb);
+	skb_queue_head(&data->readq, skb);
+	atomic_inc(&data->initialized);
 
 	wake_up_interruptible(&data->read_wait);
 	return 0;
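Review bot: `atomic_inc(&data->initialized)` is used to set a flag, not to count anything; `atomic_set(&data->initialized, 1)` states the intent and avoids the question of what a value above 1 would mean if `__vhci_create_device` can be reached more than once (the struct carries both an open_timeout delayed work and the vhci_write path shown in the report). The switch from `skb_queue_tail` to `skb_queue_head` is the piece that restores ordering for frames queued while `initialized` was still zero, and it deserves a one-line comment, since a reader of this function alone sees the setup packet jumping the queue with no explanation.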
-- 
2.25.1


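The lockdep report in the commit message above is easiest to read as a directed lock-order graph: each "-> #N" block shows a lock being taken while the lock from the previous block is held, and the new acquisition in "#0" closes the cycle. The following is an added example, not code from the patch or from the kernel, that transcribes those four edges into a small graph, detects the cycle, and then re-checks the graph with the one edge the patch deletes (vhci_send_frame no longer takes open_mutex from within hdev->tx_work). The lock names come from the report; the graph helpers, the enum and the DFS are ours and are not lockdep.

```c
/*
 * Added example: the lockdep circular-dependency report as a lock-order
 * graph.  Edge a -> b means "b was acquired while a was held".  Nothing
 * here is kernel code; it only models the four stacks in the report.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_id {
	TX_WORK,	/* (work_completion)(&hdev->tx_work), block #0 */
	OPEN_MUTEX,	/* &data->open_mutex,                block #1 */
	RFKILL_GLOBAL,	/* rfkill_global_mutex,              block #2 */
	REQ_LOCK,	/* &hdev->req_lock,                  block #3 */
	NLOCKS
};

static const char *const lock_name[NLOCKS] = {
	"(work_completion)(&hdev->tx_work)",
	"&data->open_mutex",
	"rfkill_global_mutex",
	"&hdev->req_lock",
};

struct lock_graph {
	bool adj[NLOCKS][NLOCKS];	/* adj[held][taken] */
};

/* DFS colouring: 0 = unvisited, 1 = on the current path, 2 = finished. */
static bool dfs(const struct lock_graph *g, int node, int *color,
		int *path, int depth, int *cycle_len)
{
	color[node] = 1;
	path[depth] = node;
	for (int next = 0; next < NLOCKS; next++) {
		if (!g->adj[node][next])
			continue;
		if (color[next] == 1) {
			/* Back edge: the cycle runs from next's position to here. */
			int start = 0;

			while (path[start] != next)
				start++;
			*cycle_len = depth + 1 - start;
			return true;
		}
		if (color[next] == 0 &&
		    dfs(g, next, color, path, depth + 1, cycle_len))
			return true;
	}
	color[node] = 2;
	return false;
}

/* Length of a lock-order cycle in g, or 0 if acquisition order is acyclic. */
static int lock_graph_cycle_len(const struct lock_graph *g)
{
	int color[NLOCKS] = { 0 };
	int path[NLOCKS];
	int len = 0;

	for (int n = 0; n < NLOCKS; n++)
		if (color[n] == 0 && dfs(g, n, color, path, 0, &len))
			return len;
	return 0;
}

/* The four edges transcribed from the report's #0..#3 stacks. */
static void build_reported_graph(struct lock_graph *g)
{
	memset(g, 0, sizeof(*g));
	/* #1: hci_tx_work -> vhci_send_frame -> mutex_lock(open_mutex) */
	g->adj[TX_WORK][OPEN_MUTEX] = true;
	/* #2: vhci_write holds open_mutex -> hci_register_dev -> rfkill_register */
	g->adj[OPEN_MUTEX][RFKILL_GLOBAL] = true;
	/* #3: rfkill_set_block holds rfkill_global_mutex -> hci_dev_do_close */
	g->adj[RFKILL_GLOBAL][REQ_LOCK] = true;
	/* #0: hci_dev_close_sync holds req_lock -> __flush_work(tx_work) */
	g->adj[REQ_LOCK][TX_WORK] = true;
}

static int cycle_len_before_fix(void)
{
	struct lock_graph g;

	build_reported_graph(&g);
	return lock_graph_cycle_len(&g);
}

/* The patch drops mutex_lock(&data->open_mutex) from vhci_send_frame. */
static int cycle_len_after_fix(void)
{
	struct lock_graph g;

	build_reported_graph(&g);
	g.adj[TX_WORK][OPEN_MUTEX] = false;
	return lock_graph_cycle_len(&g);
}

int main(void)
{
	struct lock_graph g;

	build_reported_graph(&g);
	for (int a = 0; a < NLOCKS; a++)
		for (int b = 0; b < NLOCKS; b++)
			if (g.adj[a][b])
				printf("%s -> %s\n", lock_name[a], lock_name[b]);
	printf("cycle length before fix: %d\n", cycle_len_before_fix());
	printf("cycle length after fix:  %d\n", cycle_len_after_fix());
	return 0;
}
```

Reading the report this way also makes the fix's limits visible: removing the edge out of tx_work breaks this particular cycle, but the remaining chain open_mutex -> rfkill_global_mutex -> req_lock -> tx_work is still a valid ordering, so any future code that takes open_mutex from the tx work path would recreate the report.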

* RE: Bluetooth: Fix deadlock in vhci_send_frame
  2024-02-21 14:57 ` [PATCH 5.10/5.15 1/1] " Daniil Dulov
@ 2024-02-21 15:13   ` bluez.test.bot
  0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2024-02-21 15:13 UTC (permalink / raw)
  To: linux-bluetooth, d.dulov


This is an automated email, please do not reply to it.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: drivers/bluetooth/hci_vhci.c:11
error: drivers/bluetooth/hci_vhci.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth


