--- /dev/null
+From 4e1a720d0312fd510699032c7694a362a010170f Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Sun, 15 Jul 2018 20:36:50 +0100
+Subject: Bluetooth: avoid killing an already killed socket
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit 4e1a720d0312fd510699032c7694a362a010170f upstream.
+
+slub debug reported:
+
+[ 440.648642] =============================================================================
+[ 440.648649] BUG kmalloc-1024 (Tainted: G BU O ): Poison overwritten
+[ 440.648651] -----------------------------------------------------------------------------
+
+[ 440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
+[ 440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
+[ 440.648671] ___slab_alloc.constprop.24+0x1fc/0x292
+[ 440.648675] __slab_alloc.isra.18.constprop.23+0x1c/0x25
+[ 440.648677] __kmalloc+0xb6/0x17f
+[ 440.648680] sk_prot_alloc+0x6b/0xc6
+[ 440.648683] sk_alloc+0x1e/0xa1
+[ 440.648700] sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
+[ 440.648716] sco_connect_cfm+0x166/0x281 [bluetooth]
+[ 440.648731] hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
+[ 440.648746] hci_event_packet+0x28b/0x2326 [bluetooth]
+[ 440.648759] hci_rx_work+0x161/0x291 [bluetooth]
+[ 440.648764] process_one_work+0x163/0x2b2
+[ 440.648767] worker_thread+0x1a9/0x25c
+[ 440.648770] kthread+0xf8/0xfd
+[ 440.648774] ret_from_fork+0x2e/0x38
+[ 440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
+[ 440.648782] __slab_free+0x4b/0x27a
+[ 440.648784] kfree+0x12e/0x155
+[ 440.648787] __sk_destruct+0xd3/0xdf
+[ 440.648790] sk_destruct+0x27/0x29
+[ 440.648793] __sk_free+0x75/0x91
+[ 440.648795] sk_free+0x1c/0x1e
+[ 440.648810] sco_sock_kill+0x5a/0x5f [bluetooth]
+[ 440.648825] sco_conn_del+0x8e/0xba [bluetooth]
+[ 440.648840] sco_disconn_cfm+0x3a/0x41 [bluetooth]
+[ 440.648855] hci_event_packet+0x45e/0x2326 [bluetooth]
+[ 440.648868] hci_rx_work+0x161/0x291 [bluetooth]
+[ 440.648872] process_one_work+0x163/0x2b2
+[ 440.648875] worker_thread+0x1a9/0x25c
+[ 440.648877] kthread+0xf8/0xfd
+[ 440.648880] ret_from_fork+0x2e/0x38
+[ 440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x (null) flags=0x40008100
+[ 440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
+
+When KASAN was enabled, it reported:
+
+[ 210.096613] ==================================================================
+[ 210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
+[ 210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
+
+[ 210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G U O 4.14.47-20180606+ #2
+[ 210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
+[ 210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
+[ 210.096698] Call Trace:
+[ 210.096711] dump_stack+0x46/0x59
+[ 210.096722] print_address_description+0x6b/0x23b
+[ 210.096729] ? ex_handler_refcount+0x5b/0x127
+[ 210.096736] kasan_report+0x220/0x246
+[ 210.096744] ex_handler_refcount+0x5b/0x127
+[ 210.096751] ? ex_handler_clear_fs+0x85/0x85
+[ 210.096757] fixup_exception+0x8c/0x96
+[ 210.096766] do_trap+0x66/0x2c1
+[ 210.096773] do_error_trap+0x152/0x180
+[ 210.096781] ? fixup_bug+0x78/0x78
+[ 210.096817] ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[ 210.096824] ? __schedule+0x113b/0x1453
+[ 210.096830] ? sysctl_net_exit+0xe/0xe
+[ 210.096837] ? __wake_up_common+0x343/0x343
+[ 210.096843] ? insert_work+0x107/0x163
+[ 210.096850] invalid_op+0x1b/0x40
+[ 210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[ 210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
+[ 210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
+[ 210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
+[ 210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
+[ 210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
+[ 210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
+[ 210.096920] ? __sk_destruct+0x2c6/0x2d4
+[ 210.096959] hci_event_packet+0xff5/0x7de2 [bluetooth]
+[ 210.096969] ? __local_bh_enable_ip+0x43/0x5b
+[ 210.097004] ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
+[ 210.097039] ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
+[ 210.097075] ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
+[ 210.097093] ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
+[ 210.097102] ? __accumulate_pelt_segments+0x24/0x33
+[ 210.097109] ? __accumulate_pelt_segments+0x24/0x33
+[ 210.097115] ? __update_load_avg_se.isra.2+0x217/0x3a4
+[ 210.097122] ? set_next_entity+0x7c3/0x12cd
+[ 210.097128] ? pick_next_entity+0x25e/0x26c
+[ 210.097135] ? pick_next_task_fair+0x2ca/0xc1a
+[ 210.097141] ? switch_mm_irqs_off+0x346/0xb4f
+[ 210.097147] ? __switch_to+0x769/0xbc4
+[ 210.097153] ? compat_start_thread+0x66/0x66
+[ 210.097188] ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
+[ 210.097195] ? finish_task_switch+0x392/0x431
+[ 210.097228] ? hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097260] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097269] process_one_work+0x579/0x9e9
+[ 210.097277] worker_thread+0x68f/0x804
+[ 210.097285] kthread+0x31c/0x32b
+[ 210.097292] ? rescuer_thread+0x70c/0x70c
+[ 210.097299] ? kthread_create_on_node+0xa3/0xa3
+[ 210.097306] ret_from_fork+0x35/0x40
+
+[ 210.097314] Allocated by task 2040:
+[ 210.097323] kasan_kmalloc.part.1+0x51/0xc7
+[ 210.097328] __kmalloc+0x17f/0x1b6
+[ 210.097335] sk_prot_alloc+0xf2/0x1a3
+[ 210.097340] sk_alloc+0x22/0x297
+[ 210.097375] sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
+[ 210.097410] sco_connect_cfm+0x2d0/0x566 [bluetooth]
+[ 210.097443] hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
+[ 210.097476] hci_event_packet+0x85e/0x7de2 [bluetooth]
+[ 210.097507] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097512] process_one_work+0x579/0x9e9
+[ 210.097517] worker_thread+0x68f/0x804
+[ 210.097523] kthread+0x31c/0x32b
+[ 210.097529] ret_from_fork+0x35/0x40
+
+[ 210.097533] Freed by task 2040:
+[ 210.097539] kasan_slab_free+0xb3/0x15e
+[ 210.097544] kfree+0x103/0x1a9
+[ 210.097549] __sk_destruct+0x2c6/0x2d4
+[ 210.097584] sco_conn_del.isra.1+0xba/0x10e [bluetooth]
+[ 210.097617] hci_event_packet+0xff5/0x7de2 [bluetooth]
+[ 210.097648] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097653] process_one_work+0x579/0x9e9
+[ 210.097658] worker_thread+0x68f/0x804
+[ 210.097663] kthread+0x31c/0x32b
+[ 210.097670] ret_from_fork+0x35/0x40
+
+[ 210.097676] The buggy address belongs to the object at ffff880107e170e8
+ which belongs to the cache kmalloc-1024 of size 1024
+[ 210.097681] The buggy address is located 120 bytes inside of
+ 1024-byte region [ffff880107e170e8, ffff880107e174e8)
+[ 210.097683] The buggy address belongs to the page:
+[ 210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping: (null) index:0xffff880107e15b68 compound_mapcount: 0
+[ 210.110194] flags: 0x8000000000008100(slab|head)
+[ 210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
+[ 210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
+[ 210.115451] page dumped because: kasan: bad access detected
+
+[ 210.115454] Memory state around the buggy address:
+[ 210.115460] ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 210.115465] ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
+[ 210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115472] ^
+[ 210.115477] ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115481] ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115483] ==================================================================
+
+And finally when BT_DBG() and ftrace was enabled it showed:
+
+ <...>-14979 [001] .... 186.104191: sco_sock_kill <-sco_sock_close
+ <...>-14979 [001] .... 186.104191: sco_sock_kill <-sco_sock_release
+ <...>-14979 [001] .... 186.104192: sco_sock_kill: sk ef0497a0 state 9
+ <...>-14979 [001] .... 186.104193: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792 [001] .... 186.104246: sco_sock_kill <-sco_conn_del
+kworker/u9:2-792 [001] .... 186.104248: sco_sock_kill: sk ef0497a0 state 9
+kworker/u9:2-792 [001] .... 186.104249: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792 [001] .... 186.104250: sco_sock_destruct <-__sk_destruct
+kworker/u9:2-792 [001] .... 186.104250: sco_sock_destruct: sk ef0497a0
+kworker/u9:2-792 [001] .... 186.104860: hci_conn_del <-hci_event_packet
+kworker/u9:2-792 [001] .... 186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
+
+Only in the failed case, sco_sock_kill() gets called with the same sock
+pointer two times. Add a check for SOCK_DEAD to avoid continue killing
+a socket which has already been killed.
+
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/sco.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -393,7 +393,8 @@ static void sco_sock_cleanup_listen(stru
+ */
+ static void sco_sock_kill(struct sock *sk)
+ {
+- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
++ sock_flag(sk, SOCK_DEAD))
+ return;
+
+ BT_DBG("sk %p state %d", sk, sk->sk_state);
projects / thirdparty / kernel / stable-queue.git / commitdiff
