From: Johan Hovold <jhovold@gmail.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: "Gustavo F. Padovan" <padovan@profusion.mobi>,
"David S. Miller" <davem@davemloft.net>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, stable <stable@vger.kernel.org>
Subject: Re: [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister
Date: Thu, 8 Mar 2012 12:56:47 +0100 [thread overview]
Message-ID: <20120308115647.GA4497@localhost> (raw)
In-Reply-To: <1331148560.3392.189.camel@aeonflux>
Hi Marcel,
On Wed, Mar 07, 2012 at 11:29:20AM -0800, Marcel Holtmann wrote:
> Hi Johan,
>
> > Make sure hci_dev_open returns immediately if hci_dev_unregister has
> > been called.
> >
> > This fixes a race between hci_dev_open and hci_dev_unregister which can
> > lead to a NULL-pointer dereference.
[...]
> what version of the kernel is this patch against? Since we cleaned up
> the flags in bluetooth-next tree. Also in addition you can not just add
> flags here.
As this to be fixed in 3.3 it is against 3.3-rc6.
> > /*
> > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > index 5aeb624..3937ce3 100644
> > --- a/net/bluetooth/hci_core.c
> > +++ b/net/bluetooth/hci_core.c
> > @@ -525,6 +525,11 @@ int hci_dev_open(__u16 dev)
> >
> > hci_req_lock(hdev);
> >
> > + if (test_bit(HCI_UNREGISTER, &hdev->flags)) {
> > + ret = -ENODEV;
> > + goto done;
> > + }
> > +
> > if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
> > ret = -ERFKILL;
> > goto done;
> > @@ -1577,6 +1582,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
> >
> > BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
> >
> > + set_bit(HCI_UNREGISTER, &hdev->flags);
> > +
> > write_lock(&hci_dev_list_lock);
> > list_del(&hdev->list);
> > write_unlock(&hci_dev_list_lock);
>
> Is this really enough to protect this race condition?
1. first hci_dev_open grabs req lock
2. second hci_dev_open sleeps on req lock
3. hci_dev_unregister sleep on req lock (in do_close)
4. first hci_dev_open times out and releases req lock
Now either a) the second open grabs the lock or b) close does.
a) The second open will time out eventually as well and setting a flag
at unregister will only speed things up (at least when the first
patch in my series is applied -- otherwise this leads to a
NULL-pointer exception as well).
b) If close grabs the lock while we have open sleeping on it things go
really bad and this is the case this patch intends to fix.
As far as I can see, a flag set at unregister (before acquiring the lock)
will suffice to fix this race, but perhaps I'm missing something?
Where should such an internal flag be added as hdev->flags can not be
used? hdev->dev_flags?
Thanks,
Johan
next prev parent reply other threads:[~2012-03-08 11:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-07 16:01 [PATCH 0/2] bluetooth: fix NULL-pointer dereferences Johan Hovold
2012-03-07 16:01 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Johan Hovold
2012-03-07 19:33 ` Marcel Holtmann
2012-03-08 11:57 ` Johan Hovold
2012-03-08 17:45 ` Marcel Holtmann
2012-03-09 13:04 ` Johan Hovold
2012-03-09 13:52 ` David Herrmann
2012-03-09 14:40 ` Johan Hovold
2012-03-09 15:02 ` David Herrmann
[not found] ` <CANq1E4TcUKKXetitjWJZgP9550gnB43rncnAcwwdz_6HpZf_Ug-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-03-09 15:08 ` Johan Hovold
2012-03-09 13:44 ` David Herrmann
2012-03-09 14:29 ` Johan Hovold
2012-03-09 14:35 ` David Herrmann
2012-03-09 15:15 ` Johan Hovold
2012-03-07 16:02 ` [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
[not found] ` <1331136120-27075-3-git-send-email-jhovold-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-03-07 19:29 ` Marcel Holtmann
2012-03-08 11:56 ` Johan Hovold [this message]
2012-03-08 17:43 ` Marcel Holtmann
2012-03-09 12:53 ` [PATCH 2/2 v2] " Johan Hovold
2012-03-09 14:04 ` David Herrmann
[not found] ` <CANq1E4Rt0ctZ5cpXipJE--YmkR4OjKBXLBQkeTKWP3+Q-q37Yw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-03-09 14:48 ` Johan Hovold
-- strict thread matches above, loose matches on Subject: below --
2012-03-15 13:47 bluetooth: bug fixes for bluetooth-next Johan Hovold
2012-03-15 13:48 ` [PATCH 1/2] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Johan Hovold
[not found] ` <1331819321-13018-1-git-send-email-jhovold-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-03-15 13:48 ` [PATCH 2/2] bluetooth: hci_core: fix NULL-pointer dereference at unregister Johan Hovold
2012-03-15 15:23 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120308115647.GA4497@localhost \
--to=jhovold@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=padovan@profusion.mobi \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).