diff options
author | Luiz Augusto von Dentz | 2023-03-30 14:45:03 -0700 |
---|---|---|
committer | Greg Kroah-Hartman | 2023-04-20 12:35:09 +0200 |
commit | 2fcfd51add22a2df3d662a3e61ff2c251bf795e7 (patch) | |
tree | 48de3dbac9983c4a3e6fd045a252a929a74b61fa /net/bluetooth | |
parent | 99f1bc32ebcb403b02807e578dddbb0e9a3956f0 (diff) |
Bluetooth: SCO: Fix possible circular locking dependency sco_sock_getsockopt
[ Upstream commit 975abc0c90fc485ff9b4a6afa475c3b1398d5d47 ]
This attempts to fix the following trace:
======================================================
WARNING: possible circular locking dependency detected
6.3.0-rc2-g68fcb3a7bf97 #4706 Not tainted
------------------------------------------------------
sco-tester/31 is trying to acquire lock:
ffff8880025b8070 (&hdev->lock){+.+.}-{3:3}, at:
sco_sock_getsockopt+0x1fc/0xa90
but task is already holding lock:
ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
sco_sock_getsockopt+0x104/0xa90
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
lock_sock_nested+0x32/0x80
sco_connect_cfm+0x118/0x4a0
hci_sync_conn_complete_evt+0x1e6/0x3d0
hci_event_packet+0x55c/0x7c0
hci_rx_work+0x34c/0xa00
process_one_work+0x575/0x910
worker_thread+0x89/0x6f0
kthread+0x14e/0x180
ret_from_fork+0x2b/0x50
-> #1 (hci_cb_list_lock){+.+.}-{3:3}:
__mutex_lock+0x13b/0xcc0
hci_sync_conn_complete_evt+0x1ad/0x3d0
hci_event_packet+0x55c/0x7c0
hci_rx_work+0x34c/0xa00
process_one_work+0x575/0x910
worker_thread+0x89/0x6f0
kthread+0x14e/0x180
ret_from_fork+0x2b/0x50
-> #0 (&hdev->lock){+.+.}-{3:3}:
__lock_acquire+0x18cc/0x3740
lock_acquire+0x151/0x3a0
__mutex_lock+0x13b/0xcc0
sco_sock_getsockopt+0x1fc/0xa90
__sys_getsockopt+0xe9/0x190
__x64_sys_getsockopt+0x5b/0x70
do_syscall_64+0x42/0x90
entry_SYSCALL_64_after_hwframe+0x70/0xda
other info that might help us debug this:
Chain exists of:
&hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
lock(hci_cb_list_lock);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
lock(&hdev->lock);
*** DEADLOCK ***
1 lock held by sco-tester/31:
#0: ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0},
at: sco_sock_getsockopt+0x104/0xa90
Fixes: 248733e87d50 ("Bluetooth: Allow querying of supported offload codecs over SCO socket")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/bluetooth')
-rw-r--r-- | net/bluetooth/sco.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 1111da4e2f2b..1755f91a66f6 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -1129,6 +1129,8 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname, break; } + release_sock(sk); + /* find total buffer size required to copy codec + caps */ hci_dev_lock(hdev); list_for_each_entry(c, &hdev->local_codecs, list) { @@ -1146,15 +1148,13 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname, buf_len += sizeof(struct bt_codecs); if (buf_len > len) { hci_dev_put(hdev); - err = -ENOBUFS; - break; + return -ENOBUFS; } ptr = optval; if (put_user(num_codecs, ptr)) { hci_dev_put(hdev); - err = -EFAULT; - break; + return -EFAULT; } ptr += sizeof(num_codecs); @@ -1194,12 +1194,14 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname, ptr += len; } - if (!err && put_user(buf_len, optlen)) - err = -EFAULT; - hci_dev_unlock(hdev); hci_dev_put(hdev); + lock_sock(sk); + + if (!err && put_user(buf_len, optlen)) + err = -EFAULT; + break; default: |