From 1da5537eccd865b83fedbbb7ea704669f6d255fd Mon Sep 17 00:00:00 2001
From: Kuba Pawlak
Date: Mon, 5 Oct 2015 18:44:17 +0200
Subject: Bluetooth: Fix locking issue during fast SCO reconnection.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When an SCO connection is requested and disconnected fast, there is a chance
that sco_sock_shutdown is going to preempt the thread started in
sco_connect_cfm. When this happens struct sock sk may be removed but a
pointer to it is still held in sco_conn_ready, where the embedded spinlock
is used. If it is used, but struct sock has been removed, it will crash.

Block the connection object, which will prevent struct sock from being
removed and give the connection process a chance to finish.

BUG: spinlock bad magic on CPU#0, kworker/u:2H/319
 lock: 0xe3e99434, .magic: f3000000, .owner: (���/0, .owner_cpu: -203804160
Pid: 319, comm: kworker/u:2H Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
Call Trace:
 [] ? do_raw_spin_lock+0x19/0xe9
 [] ? sco_connect_cfm+0x92/0x236 [bluetooth]
 [] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
 [] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
 [] ? finish_task_switch+0x50/0x89
 [] ? __schedule+0x638/0x6b8
 [] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
 [] ? queue_delayed_work_on+0x21/0x2a
 [] ? process_one_work+0x157/0x21b
 [] ? hci_cmd_work+0xef/0xef [bluetooth]
 [] ? worker_thread+0x16e/0x20a
 [] ? manage_workers+0x1cf/0x1cf
 [] ? kthread+0x8d/0x92
 [] ? ret_from_kernel_thread+0x1b/0x28
 [] ? __init_kthread_worker+0x24/0x24
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
*pdpt = 00000000244e1001 *pde = 0000000000000000
Oops: 0010 [#1] PREEMPT SMP
Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid hid iwlmvm(O)e
Pid: 319, comm: kworker/u:2H Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0
EIP is at 0x0
EAX: e3e99400 EBX: e3e99400 ECX: 00000100 EDX: 00000000
ESI: e3e99434 EDI: fb763ce0 EBP: e49b9e44 ESP: e49b9e14
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: 00000000 CR3: 24444000 CR4: 001007f0
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
Process kworker/u:2H (pid: 319, ti=e49b8000 task=e4ab9030 task.ti=e49b8000)
Stack:
 fb75355b 00000246 fb763900 22222222 22222222 22222222 e3f94460 e3ca7c0a
 e49b9e4c e3f34c00 e3ca7c0a fb763ce0 e49b9e6c fb731dbc 02000246 e4cec85c
 e4cec008 00000000 e3f34c00 e4cec000 e3c2ce00 0000002c e49b9ed0 fb734ee7
Call Trace:
 [] ? sco_connect_cfm+0x9e/0x236 [bluetooth]
 [] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
 [] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
 [] ? finish_task_switch+0x50/0x89
 [] ? __schedule+0x638/0x6b8
 [] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
 [] ? queue_delayed_work_on+0x21/0x2a
 [] ? process_one_work+0x157/0x21b
 [] ? hci_cmd_work+0xef/0xef [bluetooth]
 [] ? worker_thread+0x16e/0x20a
 [] ? manage_workers+0x1cf/0x1cf
 [] ? kthread+0x8d/0x92
 [] ? ret_from_kernel_thread+0x1b/0x28
 [] ? __init_kthread_worker+0x24/0x24
Code: Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0068:e49b9e14
CR2: 0000000000000000
---[ end trace 942a6577c0abd725 ]---

Signed-off-by: Kuba Pawlak
Signed-off-by: Marcel Holtmann
---
 net/bluetooth/sco.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'net/bluetooth/sco.c')
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 09051e4cbade..75f843d5423a 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -965,7 +965,9 @@ static int sco_sock_shutdown(struct socket *sock, int how) if (!sk) return 0; + sock_hold(sk); lock_sock(sk); + if (!sk->sk_shutdown) { sk->sk_shutdown = SHUTDOWN_MASK; sco_sock_clear_timer(sk); @@ -976,7 +978,10 @@ static int sco_sock_shutdown(struct socket *sock, int how) err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime); } + release_sock(sk); + sock_put(sk); + return err; } -- cgit v1.2.3
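Review bot: the `sock_hold(sk)` added before `lock_sock(sk)` in the first hunk (at 965) deserves a comment, because on its own it looks redundant with the reference the socket's file already holds. Its real purpose, per the commit message, is to keep `struct sock` allocated while `sco_conn_ready` on the HCI RX worker may still be spinning on the lock embedded in it; a one-line comment such as `/* keep sk alive while sco_conn_ready may still use conn->lock */` would stop a future cleanup from dropping the pair. Note also that the hold does not serialize the two paths, it only guarantees that the memory the spinlock lives in stays valid until the matching `sock_put`.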
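Review bot: in the second hunk (at 976) the ordering `release_sock(sk)` then `sock_put(sk)` is the right one, and `return err` touches only the local, so `sk` is never used after the reference is dropped. The pair is balanced in the visible context because there is no return between the new `sock_hold` and the new `sock_put`; since the hold is taken before the `if (!sk->sk_shutdown)` block, any early return added inside that block later would leak the reference. Consider either a comment at the hold stating that every exit must pass through the `sock_put`, or funnelling exits through a single label so the invariant is enforced by structure.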