e04480920d
syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to calling lock_sock() with rw spinlock held [1]. It seems that history of this locking problem is a trial and error. Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to lock_sock() as an attempt to fix lockdep warning. Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the sleep in atomic context warning. Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from hci_sock.c") in 3.3-rc1 removed local_bh_disable(). Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to lock_sock() as an attempt to fix CVE-2021-3573. This difficulty comes from current implementation that hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all references from sockets because hci_unregister_dev() immediately reclaims resources as soon as returning from hci_sock_dev_event(HCI_DEV_UNREG). But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not doing what it should do. Therefore, instead of trying to detach sockets from device, let's accept not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG), by moving actual cleanup of resources from hci_unregister_dev() to hci_cleanup_dev() which is called by bt_host_release() when all references to this unregistered device (which is a kobject) are gone. Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets hci_pi(sk)->hdev, we need to check whether this device was unregistered and return an error based on HCI_UNREGISTER flag. There might be subtle behavioral difference in "monitor the hdev" functionality; please report if you found something went wrong due to this patch. 
Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1] Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object") Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
// SPDX-License-Identifier: GPL-2.0
/* Bluetooth HCI driver model support. */
#include <linux/module.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
/*
 * The "bluetooth" device class; created in bt_sysfs_init(), destroyed in
 * bt_sysfs_cleanup(), and assigned to every host and link device below.
 */
static struct class *bt_class;
/*
 * Release callback (bt_link.release) for a link device: frees the
 * hci_conn that embeds the struct device.
 */
static void bt_link_release(struct device *dev)
{
	kfree(to_hci_conn(dev));
}
/* Device type of the per-connection ("link") devices set up in hci_conn_init_sysfs(). */
static const struct device_type bt_link = {
	.name = "link",
	.release = bt_link_release,
};
/*
 * An rfcomm tty device may outlive the connection it hangs off, and sysfs
 * cannot move a zombie device, so such children must be re-parented before
 * the conn device is destroyed. This is the device_find_child() match
 * callback used for that: it selects children whose name starts with
 * "rfcomm". The data argument is unused.
 */
static int __match_tty(struct device *dev, void *data)
{
	static const char prefix[] = "rfcomm";

	return strncmp(dev_name(dev), prefix, sizeof(prefix) - 1) == 0;
}
/*
 * Prepare the sysfs representation of a connection: bind conn->dev to the
 * link device type and the bluetooth class, parent it under the owning HCI
 * device and initialize it. The device is not added to sysfs here; that is
 * done by hci_conn_add_sysfs().
 */
void hci_conn_init_sysfs(struct hci_conn *conn)
{
	struct device *dev = &conn->dev;

	BT_DBG("conn %p", conn);

	dev->type = &bt_link;
	dev->class = bt_class;
	dev->parent = &conn->hdev->dev;

	device_initialize(dev);
}
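/*
 * Register the connection device in sysfs under "<hdev name>:<handle>".
 * On success a reference to hdev is taken; hci_conn_del_sysfs() drops it.
 * On failure the error is logged and the device stays unregistered, so the
 * device_is_registered() check in hci_conn_del_sysfs() makes removal a no-op.
 */
void hci_conn_add_sysfs(struct hci_conn *conn)
{
	struct hci_dev *hdev = conn->hdev;

	BT_DBG("conn %p", conn);

	/*
	 * dev_set_name() allocates the name and can fail; bail out explicitly
	 * instead of letting device_add() reject the nameless device.
	 */
	if (dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle) < 0) {
		bt_dev_err(hdev, "failed to set connection device name");
		return;
	}

	if (device_add(&conn->dev) < 0) {
		bt_dev_err(hdev, "failed to register connection device");
		return;
	}

	/* Keep hdev alive while a link device is parented under it */
	hci_dev_hold(hdev);
}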
/*
 * Remove the connection device from sysfs and drop the hdev reference taken
 * in hci_conn_add_sysfs(). Does nothing if the device was never registered.
 * Children matched by __match_tty() are first moved out from under conn->dev
 * (new parent NULL) so they survive its removal.
 */
void hci_conn_del_sysfs(struct hci_conn *conn)
{
	struct hci_dev *hdev = conn->hdev;
	struct device *child;

	if (!device_is_registered(&conn->dev))
		return;

	/*
	 * device_find_child() hands back the child with a reference held,
	 * released after the move. The result of device_move() is not checked,
	 * so a move that keeps failing would re-find the same child each pass.
	 */
	while ((child = device_find_child(&conn->dev, NULL, __match_tty)) != NULL) {
		device_move(child, NULL, DPM_ORDER_DEV_LAST);
		put_device(child);
	}

	device_del(&conn->dev);

	hci_dev_put(hdev);
}
/*
 * Release callback (bt_host.release) for an HCI host device, run when the
 * last reference to hdev->dev is dropped.
 *
 * For a device marked HCI_UNREGISTER the actual resource teardown,
 * hci_cleanup_dev(), runs here rather than in hci_unregister_dev(): that
 * defers it until every holder of the hdev reference (including sockets
 * that still point at the device) is gone, which is what removes the
 * use-after-free window the commit message describes. The hdev is then
 * freed, and the module reference taken in hci_init_sysfs() is returned
 * last so the module stays loaded for the whole callback.
 */
static void bt_host_release(struct device *dev)
{
	struct hci_dev *hdev = to_hci_dev(dev);

	/* Deferred cleanup applies only to a device that went through unregister */
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
		hci_cleanup_dev(hdev);
	kfree(hdev);
	module_put(THIS_MODULE);
}
/* Device type of HCI host devices set up in hci_init_sysfs(). */
static const struct device_type bt_host = {
	.name = "host",
	.release = bt_host_release,
};
/*
 * Initialize the struct device embedded in an HCI host device: set its type
 * and class, pin this module for the device's lifetime and initialize it.
 * The device is not added to sysfs here.
 */
void hci_init_sysfs(struct hci_dev *hdev)
{
	hdev->dev.type = &bt_host;
	hdev->dev.class = bt_class;

	/* Balanced by the module_put() in bt_host_release() */
	__module_get(THIS_MODULE);
	device_initialize(&hdev->dev);
}
/*
 * Create the "bluetooth" device class used by all host and link devices.
 * Returns 0 on success, or the negative errno carried by the error pointer
 * that class_create() returned.
 */
int __init bt_sysfs_init(void)
{
	struct class *cls = class_create(THIS_MODULE, "bluetooth");

	bt_class = cls;
	if (IS_ERR(cls))
		return PTR_ERR(cls);

	return 0;
}
/* Destroy the "bluetooth" device class created by bt_sysfs_init(). */
void bt_sysfs_cleanup(void)
{
	class_destroy(bt_class);
}