Abhishek Pandit-Subedi
bab673eef8
Bluetooth: Only mark socket zapped after unlocking
[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]
Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
setting the socket as zapped, it could potentially race with
l2cap_sock_release which frees the socket. Thus, wait until the cleanup
is complete before marking the socket as zapped.
This race was reproduced on a JBL GO speaker after the remote device
rejected L2CAP connection due to resource unavailability.
Here is a dmesg log with debug logs from a repro of this bug:
[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002
[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0
[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2
[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001
[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952
[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c
[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00
[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4
[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT
[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT
[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3
[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6
[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159
[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053
[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
[ 3465.430332] Causing a watchdog bite!
Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-10-29 09:58:06 +01:00