From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ying Hsu <yinghsu@chromium.org>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 24/91] Bluetooth: Fix l2cap_disconnect_req deadlock
Date: Mon, 12 Jun 2023 12:26:13 +0200 [thread overview]
Message-ID: <20230612101703.101219410@linuxfoundation.org> (raw)
In-Reply-To: <20230612101702.085813286@linuxfoundation.org>
From: Ying Hsu <yinghsu@chromium.org>
[ Upstream commit 02c5ea5246a44d6ffde0fddebfc1d56188052976 ]
L2CAP assumes that the locks conn->chan_lock and chan->lock are
acquired in the order conn->chan_lock, chan->lock to avoid
potential deadlock.
For example, l2sock_shutdown acquires these locks in the order:
mutex_lock(&conn->chan_lock)
l2cap_chan_lock(chan)
However, l2cap_disconnect_req acquires chan->lock in
l2cap_get_chan_by_scid first and then acquires conn->chan_lock
before calling l2cap_chan_del. This means that these locks are
acquired in unexpected order, which leads to potential deadlock:
l2cap_chan_lock(c)
mutex_lock(&conn->chan_lock)
This patch releases chan->lock before acquiring the conn_chan_lock
to avoid the potential deadlock.
Fixes: a2a9339e1c9d ("Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}")
Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index f01b77b037878..101a15256efe5 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4664,7 +4664,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
chan->ops->set_shutdown(chan);
+ l2cap_chan_unlock(chan);
mutex_lock(&conn->chan_lock);
+ l2cap_chan_lock(chan);
l2cap_chan_del(chan, ECONNRESET);
mutex_unlock(&conn->chan_lock);
@@ -4703,7 +4705,9 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
return 0;
}
+ l2cap_chan_unlock(chan);
mutex_lock(&conn->chan_lock);
+ l2cap_chan_lock(chan);
l2cap_chan_del(chan, 0);
mutex_unlock(&conn->chan_lock);
--
2.39.2
next prev parent reply other threads:[~2023-06-12 10:52 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 10:25 [PATCH 5.15 00/91] 5.15.117-rc1 review Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 01/91] ata: ahci: fix enum constants for gcc-13 Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 02/91] gcc-plugins: Reorganize gimple includes for GCC 13 Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 03/91] remove the sx8 block driver Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 04/91] sfc (gcc13): synchronize ef100_enqueue_skb()s return type Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 05/91] i40e: Remove string printing for i40e_status Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 06/91] i40e: use int " Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 07/91] i40e: fix build warning in ice_fltr_add_mac_to_list() Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 08/91] bonding (gcc13): synchronize bond_{a,t}lb_xmit() types Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 09/91] f2fs: fix iostat lock protection Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.15 10/91] blk-iocost: avoid 64-bit division in ioc_timer_fn Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 11/91] platform/surface: aggregator: Allow completion work-items to be executed in parallel Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 12/91] spi: qup: Request DMA before enabling clocks Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 13/91] afs: Fix setting of mtime when creating a file/dir/symlink Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 14/91] wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 15/91] neighbour: fix unaligned access to pneigh_entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 16/91] net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 17/91] bpf: Fix UAF in task local storage Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 18/91] net/ipv6: fix bool/int mismatch for skip_notify_on_dev_down Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 19/91] net/smc: Avoid to access invalid RMBs MRs in SMCRv1 ADD LINK CONT Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 20/91] net: enetc: correct the statistics of rx bytes Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 21/91] net/sched: fq_pie: ensure reasonable TCA_FQ_PIE_QUANTUM values Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 22/91] drm/i915: Explain the magic numbers for AUX SYNC/precharge length Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 23/91] drm/i915: Use 18 fast wake AUX sync len Greg Kroah-Hartman
2023-06-12 10:26 ` Greg Kroah-Hartman [this message]
2023-06-12 10:26 ` [PATCH 5.15 25/91] Bluetooth: L2CAP: Add missing checks for invalid DCID Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 26/91] qed/qede: Fix scheduling while atomic Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 27/91] wifi: cfg80211: fix locking in sched scan stop work Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 28/91] wifi: cfg80211: fix locking in regulatory disconnect Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 29/91] selftests/bpf: Verify optval=NULL case Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 30/91] selftests/bpf: Fix sockopt_sk selftest Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 31/91] netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 32/91] netfilter: ipset: Add schedule point in call_ad() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 33/91] ipv6: rpl: Fix Route of Death Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 34/91] rfs: annotate lockless accesses to sk->sk_rxhash Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 35/91] rfs: annotate lockless accesses to RFS sock flow table Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 36/91] drm/i915/selftests: Increase timeout for live_parallel_switch Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 37/91] drm/i915/selftests: Stop using kthread_stop() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 38/91] drm/i915/selftests: Add some missing error propagation Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 39/91] net: sched: move rtm_tca_policy declaration to include file Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 40/91] net: sched: act_police: fix sparse errors in tcf_police_dump() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 41/91] net: sched: fix possible refcount leak in tc_chain_tmplt_add() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 42/91] bpf: Add extra path pointer check to d_path helper Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 43/91] lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 44/91] bnxt_en: Dont issue AP reset during ethtools reset operation Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 45/91] bnxt_en: Query default VLAN before VNIC setup on a VF Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 46/91] bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 47/91] batman-adv: Broken sync while rescheduling delayed work Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 48/91] Input: xpad - delete a Razer DeathAdder mouse VID/PID entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 49/91] Input: psmouse - fix OOB access in Elantech protocol Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 50/91] Input: fix open count when closing inhibited device Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 51/91] ALSA: hda/realtek: Add quirk for Clevo NS50AU Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 52/91] ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01 Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 53/91] ALSA: hda/realtek: Add Lenovo P3 Tower platform Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 54/91] drm/i915/gt: Use the correct error value when kernel_context() fails Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 55/91] drm/amd/pm: conditionally disable pcie lane switching for some sienna_cichlid SKUs Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 56/91] drm/amdgpu: fix xclk freq on CHIP_STONEY Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 57/91] drm/amd/pm: Fix power context allocation in SMU13 Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 58/91] can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 59/91] can: j1939: change j1939_netdev_lock type to mutex Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 60/91] can: j1939: avoid possible use-after-free when j1939_can_rx_register fails Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 61/91] ceph: fix use-after-free bug for inodes when flushing capsnaps Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 62/91] s390/dasd: Use correct lock while counting channel queue length Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 63/91] Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 64/91] Bluetooth: hci_qca: fix debugfs registration Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 65/91] tee: amdtee: Add return_origin to struct tee_cmd_load_ta Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 66/91] rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 67/91] rbd: get snapshot context after exclusive lock is ensured to be held Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 68/91] pinctrl: meson-axg: add missing GPIOA_18 gpio group Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 69/91] usb: usbfs: Enforce page requirements for mmap Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.15 70/91] usb: usbfs: Use consistent mmap functions Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 71/91] ARM: dts: at91: sama7g5ek: fix debounce delay property for shdwc Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 72/91] ASoC: codecs: wsa881x: do not set can_multi_write flag Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 73/91] arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified sc7180-lite boards Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 74/91] arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 75/91] arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 76/91] ASoC: mediatek: mt8195-afe-pcm: Convert to platform remove callback returning void Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 77/91] ASoC: mediatek: mt8195: fix use-after-free in driver remove path Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 78/91] arm64: dts: imx8mn-beacon: Fix SPI CS pinmux Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 79/91] i2c: mv64xxx: Fix reading invalid status value in atomic mode Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 80/91] firmware: arm_ffa: Set handle field to zero in memory descriptor Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 81/91] i2c: sprd: Delete i2c adapter in .removes error path Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 82/91] eeprom: at24: also select REGMAP Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 83/91] riscv: fix kprobe __user string arg print fault issue Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 84/91] vduse: avoid empty string for dev name Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 85/91] vhost: support PACKED when setting-getting vring_base Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 86/91] vhost_vdpa: " Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 87/91] Revert "ext4: dont clear SB_RDONLY when remounting r/w until quota is re-enabled" Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 88/91] ext4: only check dquot_initialize_needed() when debugging Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 89/91] Revert "debugobject: Ensure pool refill (again)" Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 90/91] xfs: verify buffer contents when we skip log replay Greg Kroah-Hartman
2023-06-12 10:27 ` [PATCH 5.15 91/91] Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE" Greg Kroah-Hartman
2023-06-12 21:53 ` [PATCH 5.15 00/91] 5.15.117-rc1 review Chris Paterson
2023-06-13 0:48 ` Shuah Khan
2023-06-13 4:14 ` Bagas Sanjaya
2023-06-13 8:31 ` Naresh Kamboju
2023-06-13 8:38 ` Jon Hunter
2023-06-13 12:17 ` Harshit Mogalapalli
2023-06-13 12:19 ` Sudip Mukherjee (Codethink)
2023-06-13 17:01 ` Allen Pais
2023-06-13 23:10 ` Guenter Roeck
2023-06-14 5:01 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230612101703.101219410@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yinghsu@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).