CVE-2021-47038
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/02/2024
Last modified:
06/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
Bluetooth: avoid deadlock between hci_dev->lock and socket lock<br />
<br />
Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a<br />
dependency between socket lock and hci_dev->lock that could lead to<br />
deadlock.<br />
<br />
It turns out that hci_conn_get_phy() is not in any way relying on hdev<br />
being immutable during the runtime of this function, neither does it even<br />
look at any of the members of hdev, and as such there is no need to hold<br />
that lock.<br />
<br />
This fixes the lockdep splat below:<br />
<br />
======================================================<br />
WARNING: possible circular locking dependency detected<br />
5.12.0-rc1-00026-g73d464503354 #10 Not tainted<br />
------------------------------------------------------<br />
bluetoothd/1118 is trying to acquire lock:<br />
ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth]<br />
<br />
but task is already holding lock:<br />
ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610<br />
<br />
which lock already depends on the new lock.<br />
<br />
the existing dependency chain (in reverse order) is:<br />
<br />
-> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}:<br />
lock_sock_nested+0x72/0xa0<br />
l2cap_sock_ready_cb+0x18/0x70 [bluetooth]<br />
l2cap_config_rsp+0x27a/0x520 [bluetooth]<br />
l2cap_sig_channel+0x658/0x1330 [bluetooth]<br />
l2cap_recv_frame+0x1ba/0x310 [bluetooth]<br />
hci_rx_work+0x1cc/0x640 [bluetooth]<br />
process_one_work+0x244/0x5f0<br />
worker_thread+0x3c/0x380<br />
kthread+0x13e/0x160<br />
ret_from_fork+0x22/0x30<br />
<br />
-> #2 (&chan->lock#2/1){+.+.}-{3:3}:<br />
__mutex_lock+0xa3/0xa10<br />
l2cap_chan_connect+0x33a/0x940 [bluetooth]<br />
l2cap_sock_connect+0x141/0x2a0 [bluetooth]<br />
__sys_connect+0x9b/0xc0<br />
__x64_sys_connect+0x16/0x20<br />
do_syscall_64+0x33/0x80<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
-> #1 (&conn->chan_lock){+.+.}-{3:3}:<br />
__mutex_lock+0xa3/0xa10<br />
l2cap_chan_connect+0x322/0x940 [bluetooth]<br />
l2cap_sock_connect+0x141/0x2a0 [bluetooth]<br />
__sys_connect+0x9b/0xc0<br />
__x64_sys_connect+0x16/0x20<br />
do_syscall_64+0x33/0x80<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
-> #0 (&hdev->lock){+.+.}-{3:3}:<br />
__lock_acquire+0x147a/0x1a50<br />
lock_acquire+0x277/0x3d0<br />
__mutex_lock+0xa3/0xa10<br />
hci_conn_get_phy+0x1c/0x150 [bluetooth]<br />
l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth]<br />
__sys_getsockopt+0xcc/0x200<br />
__x64_sys_getsockopt+0x20/0x30<br />
do_syscall_64+0x33/0x80<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
other info that might help us debug this:<br />
<br />
Chain exists of:<br />
&hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP<br />
<br />
Possible unsafe locking scenario:<br />
<br />
CPU0 CPU1<br />
---- ----<br />
lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);<br />
lock(&chan->lock#2/1);<br />
lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);<br />
lock(&hdev->lock);<br />
<br />
*** DEADLOCK ***<br />
<br />
1 lock held by bluetoothd/1118:<br />
#0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth]<br />
<br />
stack backtrace:<br />
CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10<br />
Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017<br />
Call Trace:<br />
dump_stack+0x7f/0xa1<br />
check_noncircular+0x105/0x120<br />
? __lock_acquire+0x147a/0x1a50<br />
__lock_acquire+0x147a/0x1a50<br />
lock_acquire+0x277/0x3d0<br />
? hci_conn_get_phy+0x1c/0x150 [bluetooth]<br />
? __lock_acquire+0x2e1/0x1a50<br />
? lock_is_held_type+0xb4/0x120<br />
? hci_conn_get_phy+0x1c/0x150 [bluetooth]<br />
__mutex_lock+0xa3/0xa10<br />
? hci_conn_get_phy+0x1c/0x150 [bluetooth]<br />
? lock_acquire+0x277/0x3d0<br />
? mark_held_locks+0x49/0x70<br />
? mark_held_locks+0x49/0x70<br />
? hci_conn_get_phy+0x1c/0x150 [bluetooth]<br />
hci_conn_get_phy+0x<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7 (including) | 5.10.37 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.11.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/17486960d79b900c45e0bb8fbcac0262848582ba
- https://git.kernel.org/stable/c/332e69eb3bd90370f2d9f2c2ca7974ff523dea17
- https://git.kernel.org/stable/c/7cc0ba67883c6c8d3bddb283f56c167fc837a555
- https://git.kernel.org/stable/c/fee71f480bc1dec5f6ae3b0b185ff12a62bceabc
- https://git.kernel.org/stable/c/17486960d79b900c45e0bb8fbcac0262848582ba
- https://git.kernel.org/stable/c/332e69eb3bd90370f2d9f2c2ca7974ff523dea17
- https://git.kernel.org/stable/c/7cc0ba67883c6c8d3bddb283f56c167fc837a555
- https://git.kernel.org/stable/c/fee71f480bc1dec5f6ae3b0b185ff12a62bceabc