tmp_suning_uos_patched/net/bluetooth
Jukka Taimisto 8a96f3cd22 Bluetooth: Fix L2CAP deadlock
-[0x01 Introduction

We have found a programming error causing a deadlock in Bluetooth subsystem
of Linux kernel. The problem is caused by missing release_sock() call when
L2CAP connection creation fails due full accept queue.

The issue can be reproduced with 3.15-rc5 kernel and is also present in
earlier kernels.

-[0x02 Details

The problem occurs when multiple L2CAP connections are created to a PSM which
contains listening socket (like SDP) and left pending, for example,
configuration (the underlying ACL link is not disconnected between
connections).

When L2CAP connection request is received and listening socket is found the
l2cap_sock_new_connection_cb() function (net/bluetooth/l2cap_sock.c) is called.
This function locks the 'parent' socket and then checks if the accept queue
is full.

1178         lock_sock(parent);
1179
1180         /* Check for backlog size */
1181         if (sk_acceptq_is_full(parent)) {
1182                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183                 return NULL;
1184         }

If case the accept queue is full NULL is returned, but the 'parent' socket
is not released. Thus when next L2CAP connection request is received the code
blocks on lock_sock() since the parent is still locked.

Also note that for connections already established and waiting for
configuration to complete a timeout will occur and l2cap_chan_timeout()
(net/bluetooth/l2cap_core.c) will be called. All threads calling this
function will also be blocked waiting for the channel mutex since the thread
which is waiting on lock_sock() alread holds the channel mutex.

We were able to reproduce this by sending continuously L2CAP connection
request followed by disconnection request containing invalid CID. This left
the created connections pending configuration.

After the deadlock occurs it is impossible to kill bluetoothd, btmon will not
get any more data etc. requiring reboot to recover.

-[0x03 Fix

Releasing the 'parent' socket when l2cap_sock_new_connection_cb() returns NULL
seems to fix the issue.

Signed-off-by: Jukka Taimisto <jtt@codenomicon.com>
Reported-by: Tommi Mäkilä <tmakila@codenomicon.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
2014-06-02 13:38:19 +03:00
..
bnep net/*: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
cmtp Bluetooth: Access CMTP session addresses through L2CAP channel 2013-10-13 20:00:30 +03:00
hidp Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2013-11-04 14:51:28 -05:00
rfcomm Bluetooth: Convert RFCOMM spinlocks into mutexes 2014-05-05 19:25:06 -07:00
6lowpan.c Bluetooth: 6LoWPAN: Fix MAC address universal/local bit handling 2014-05-30 21:28:21 -07:00
6lowpan.h Bluetooth: make bluetooth 6lowpan as an option 2014-03-11 07:54:55 -07:00
a2mp.c Bluetooth: Convert uses of __constant_<foo> to <foo> 2014-03-12 11:10:17 -07:00
a2mp.h Bluetooth: Move a2mp.h header file into net/bluetooth/ 2013-10-11 00:10:05 +02:00
af_bluetooth.c Bluetooth: Increase minor version of core module 2014-02-21 06:21:55 +02:00
amp.c Bluetooth: Remove l2cap_conn->dst usage from AMP manager 2013-10-13 17:43:32 +03:00
amp.h Bluetooth: Move amp.h header file into net/bluetooth/ 2013-10-11 00:10:03 +02:00
hci_conn.c Bluetooth: Make SMP context private to smp.c 2014-05-20 08:44:11 -07:00
hci_core.c Bluetooth: Make SMP context private to smp.c 2014-05-20 08:44:11 -07:00
hci_event.c Bluetooth: Fix missing check for FIPS security level 2014-06-02 00:34:36 -07:00
hci_sock.c Bluetooth: Return EOPNOTSUPP for HCISETRAW ioctl command 2014-04-24 11:55:25 -03:00
hci_sysfs.c Bluetooth: Convert to use ATTRIBUTE_GROUPS macro 2014-02-13 09:51:34 +02:00
Kconfig Bluetooth: make sure 6LOWPAN_IPHC is built-in if needed 2014-03-13 07:05:10 -07:00
l2cap_core.c Bluetooth: l2cap: Set more channel defaults 2014-05-30 21:38:37 -07:00
l2cap_sock.c Bluetooth: Fix L2CAP deadlock 2014-06-02 13:38:19 +03:00
lib.c Bluetooth: Add error mapping for Directed Advertising Timeout 2014-03-26 09:31:36 -07:00
Makefile Bluetooth: make bluetooth 6lowpan as an option 2014-03-11 07:54:55 -07:00
mgmt.c Bluetooth: Fix properly ignoring LTKs of unknown types 2014-05-30 21:23:29 -07:00
sco.c Bluetooth: Convert uses of __constant_<foo> to <foo> 2014-03-12 11:10:17 -07:00
smp.c Bluetooth: Fix requiring SMP MITM for outgoing connections 2014-05-31 23:51:12 -07:00
smp.h Bluetooth: Make SMP context private to smp.c 2014-05-20 08:44:11 -07:00