Bluetooth: SCO: fix ABBA deadlock in sco_connect_cfm

Commit Message

Jeongjun Park Feb. 22, 2025, 11:48 a.m. UTC

Caused by previous commit 405280887f8f causes ABBA deadlock. So we need to 
change the lock order to prevent deadlock.

Fixes: 405280887f8f ("Bluetooth: Reduce critical section in sco_conn_ready")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 net/bluetooth/sco.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--

Comments

Pauli Virtanen Feb. 22, 2025, 12:21 p.m. UTC | #1

Hi,

la, 2025-02-22 kello 20:48 +0900, Jeongjun Park kirjoitti:
> Caused by previous commit 405280887f8f causes ABBA deadlock. So we need to 
> change the lock order to prevent deadlock.

The lock ordering eg. in sco_conn_del() or sco_sock_close() is

	hdev_lock > lock_sock > sco_conn_lock

IIRC this is the lock ordering assumed elsewhere in this file, except
the part touched by 405280887f8f (however, it's locking the parent
socket there so not clear if this causes deadlock, can you clarify if
you have observation/proof of deadlock).

In this patch you have

	sco_conn_lock > lock_sock

Does that also cause a deadlock?

> 
> Fixes: 405280887f8f ("Bluetooth: Reduce critical section in sco_conn_ready")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> ---
>  net/bluetooth/sco.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index aa7bfe26cb40..8f1377f4a27c 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -289,13 +289,11 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
>  {
>  	int err = 0;
>  
> -	sco_conn_lock(conn);
>  	if (conn->sk)
>  		err = -EBUSY;
>  	else
>  		__sco_chan_add(conn, sk, parent);
>  
> -	sco_conn_unlock(conn);
>  	return err;
>  }
>  
> @@ -343,11 +341,13 @@ static int sco_connect(struct sock *sk)
>  		goto unlock;
>  	}
>  
> +	sco_conn_lock(conn);
>  	lock_sock(sk);
>  
>  	err = sco_chan_add(conn, sk, NULL);
>  	if (err) {
>  		release_sock(sk);
> +		sco_conn_unlock(conn);
>  		goto unlock;
>  	}
>  
> @@ -363,6 +363,7 @@ static int sco_connect(struct sock *sk)
>  	}
>  
>  	release_sock(sk);
> +	sco_conn_unlock(conn);
>  
>  unlock:
>  	hci_dev_unlock(hdev);
> --

bluez.test.bot@gmail.com Feb. 22, 2025, 12:39 p.m. UTC | #2

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=936701

---Test result---

Test Summary:
CheckPatch                    PENDING   0.25 seconds
GitLint                       PENDING   0.19 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      24.54 seconds
CheckAllWarning               PASS      27.09 seconds
CheckSparse                   WARNING   30.47 seconds
BuildKernel32                 PASS      24.45 seconds
TestRunnerSetup               PASS      431.91 seconds
TestRunner_l2cap-tester       PASS      20.76 seconds
TestRunner_iso-tester         PASS      33.53 seconds
TestRunner_bnep-tester        PASS      4.81 seconds
TestRunner_mgmt-tester        FAIL      121.54 seconds
TestRunner_rfcomm-tester      PASS      7.92 seconds
TestRunner_sco-tester         FAIL      9.40 seconds
TestRunner_ioctl-tester       PASS      8.37 seconds
TestRunner_mesh-tester        PASS      5.97 seconds
TestRunner_smp-tester         PASS      8.37 seconds
TestRunner_userchan-tester    PASS      5.12 seconds
IncrementalBuild              PENDING   0.69 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:147:35: warning: array of flexible structures
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 485 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
LL Privacy - Add Device 3 (AL is full)               Failed       0.201 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
BUG: sleeping function called from invalid context at net/core/sock.c:3648
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3648
BUG: sleeping function called from invalid context at net/core/sock.c:3648
Total: 15, Passed: 14 (93.3%), Failed: 0, Not Run: 1
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Patch

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index aa7bfe26cb40..8f1377f4a27c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -289,13 +289,11 @@  static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
 {
 	int err = 0;
 
-	sco_conn_lock(conn);
 	if (conn->sk)
 		err = -EBUSY;
 	else
 		__sco_chan_add(conn, sk, parent);
 
-	sco_conn_unlock(conn);
 	return err;
 }
 
@@ -343,11 +341,13 @@  static int sco_connect(struct sock *sk)
 		goto unlock;
 	}
 
+	sco_conn_lock(conn);
 	lock_sock(sk);
 
 	err = sco_chan_add(conn, sk, NULL);
 	if (err) {
 		release_sock(sk);
+		sco_conn_unlock(conn);
 		goto unlock;
 	}
 
@@ -363,6 +363,7 @@  static int sco_connect(struct sock *sk)
 	}
 
 	release_sock(sk);
+	sco_conn_unlock(conn);
 
 unlock:
 	hci_dev_unlock(hdev);