projects / platform / kernel / linux-starfive.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9a7c3be) | patch
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
authorYing Hsu <yinghsu@chromium.org>
Wed, 11 Jan 2023 03:16:14 +0000 (03:16 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Feb 2023 07:34:22 +0000 (08:34 +0100)
commit17511bd84871f4a6106cb335616e086880313f3f
treefb8a529b89e60ac1bc25f558636958a3c9788197tree | snapshot
parent9a7c3befef406e7f2546467b0fb9f06f10253fdacommit | diff
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change

[ Upstream commit 1d80d57ffcb55488f0ec0b77928d4f82d16b6a90 ]

syzbot reports a possible deadlock in rfcomm_sk_state_change [1].
While rfcomm_sock_connect acquires the sk lock and waits for
the rfcomm lock, rfcomm_sock_release could have the rfcomm
lock and hit a deadlock for acquiring the sk lock.
Here's a simplified flow:

rfcomm_sock_connect:
  lock_sock(sk)
  rfcomm_dlc_open:
    rfcomm_lock()

rfcomm_sock_release:
  rfcomm_sock_shutdown:
    rfcomm_lock()
    __rfcomm_dlc_close:
        rfcomm_k_state_change:
  lock_sock(sk)

This patch drops the sk lock before calling rfcomm_dlc_open to
avoid the possible deadlock and holds sk's reference count to
prevent use-after-free after rfcomm_dlc_open completes.

Reported-by: syzbot+d7ce59...@syzkaller.appspotmail.com
Fixes: 1804fdf6e494 ("Bluetooth: btintel: Combine setting up MSFT extension")
Link: https://syzkaller.appspot.com/bug?extid=d7ce59b06b3eb14fd218
Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/bluetooth/rfcomm/sock.c diff | blob | history
Domain: System / Kernel;