Skip to content

Commit 241f519

Browse files
VudentzVudentz
committed
Bluetooth: ISO: Avoid circular locking dependency
This attempts to avoid circular locking dependency between sock_lock and hdev_lock: WARNING: possible circular locking dependency detected 6.0.0-rc7-03728-g18dd8ab0a783 #3 Not tainted ------------------------------------------------------ kworker/u3:2/53 is trying to acquire lock: ffff888000254130 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}, at: iso_conn_del+0xbd/0x1d0 but task is already holding lock: ffffffff9f39a080 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_cis_estabilished_evt+0x1b5/0x500 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (hci_cb_list_lock){+.+.}-{3:3}: __mutex_lock+0x10e/0xfe0 hci_le_remote_feat_complete_evt+0x17f/0x320 hci_event_packet+0x39c/0x7d0 hci_rx_work+0x2bf/0x950 process_one_work+0x569/0x980 worker_thread+0x2a3/0x6f0 kthread+0x153/0x180 ret_from_fork+0x22/0x30 -> #1 (&hdev->lock){+.+.}-{3:3}: __mutex_lock+0x10e/0xfe0 iso_connect_cis+0x6f/0x5a0 iso_sock_connect+0x1af/0x710 __sys_connect+0x17e/0x1b0 __x64_sys_connect+0x37/0x50 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x62/0xcc -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: __lock_acquire+0x1b51/0x33d0 lock_acquire+0x16f/0x3b0 lock_sock_nested+0x32/0x80 iso_conn_del+0xbd/0x1d0 iso_connect_cfm+0x226/0x680 hci_le_cis_estabilished_evt+0x1ed/0x500 hci_event_packet+0x39c/0x7d0 hci_rx_work+0x2bf/0x950 process_one_work+0x569/0x980 worker_thread+0x2a3/0x6f0 kthread+0x153/0x180 ret_from_fork+0x22/0x30 other info that might help us debug this: Chain exists of: sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> &hdev->lock --> hci_cb_list_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(hci_cb_list_lock); lock(&hdev->lock); lock(hci_cb_list_lock); lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO); *** DEADLOCK *** 4 locks held by kworker/u3:2/53: #0: ffff8880021d9130 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x4ad/0x980 #1: ffff888002387de0 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x4ad/0x980 #2: ffff888001ac0070 (&hdev->lock){+.+.}-{3:3}, at: hci_le_cis_estabilished_evt+0xc3/0x500 #3: ffffffff9f39a080 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_cis_estabilished_evt+0x1b5/0x500 Signed-off-by: Luiz Augusto von Dentz <[email protected]>
1 parent 0ba1896 commit 241f519

File tree

1 file changed

+38
-23
lines changed

1 file changed

+38
-23
lines changed

net/bluetooth/iso.c

Lines changed: 38 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -261,13 +261,13 @@ static int iso_connect_bis(struct sock *sk)
261261

262262
if (!bis_capable(hdev)) {
263263
err = -EOPNOTSUPP;
264-
goto done;
264+
goto unlock;
265265
}
266266

267267
/* Fail if out PHYs are marked as disabled */
268268
if (!iso_pi(sk)->qos.out.phy) {
269269
err = -EINVAL;
270-
goto done;
270+
goto unlock;
271271
}
272272

273273
hcon = hci_connect_bis(hdev, &iso_pi(sk)->dst,
@@ -276,22 +276,27 @@ static int iso_connect_bis(struct sock *sk)
276276
iso_pi(sk)->base);
277277
if (IS_ERR(hcon)) {
278278
err = PTR_ERR(hcon);
279-
goto done;
279+
goto unlock;
280280
}
281281

282282
conn = iso_conn_add(hcon);
283283
if (!conn) {
284284
hci_conn_drop(hcon);
285285
err = -ENOMEM;
286-
goto done;
286+
goto unlock;
287287
}
288288

289+
hci_dev_unlock(hdev);
290+
hci_dev_put(hdev);
291+
292+
lock_sock(sk);
293+
289294
/* Update source addr of the socket */
290295
bacpy(&iso_pi(sk)->src, &hcon->src);
291296

292297
err = iso_chan_add(conn, sk, NULL);
293298
if (err)
294-
goto done;
299+
goto release;
295300

296301
if (hcon->state == BT_CONNECTED) {
297302
iso_sock_clear_timer(sk);
@@ -301,7 +306,11 @@ static int iso_connect_bis(struct sock *sk)
301306
iso_sock_set_timer(sk, sk->sk_sndtimeo);
302307
}
303308

304-
done:
309+
release:
310+
release_sock(sk);
311+
return err;
312+
313+
unlock:
305314
hci_dev_unlock(hdev);
306315
hci_dev_put(hdev);
307316
return err;
@@ -325,13 +334,13 @@ static int iso_connect_cis(struct sock *sk)
325334

326335
if (!cis_central_capable(hdev)) {
327336
err = -EOPNOTSUPP;
328-
goto done;
337+
goto unlock;
329338
}
330339

331340
/* Fail if either PHYs are marked as disabled */
332341
if (!iso_pi(sk)->qos.in.phy && !iso_pi(sk)->qos.out.phy) {
333342
err = -EINVAL;
334-
goto done;
343+
goto unlock;
335344
}
336345

337346
/* Just bind if DEFER_SETUP has been set */
@@ -341,31 +350,36 @@ static int iso_connect_cis(struct sock *sk)
341350
&iso_pi(sk)->qos);
342351
if (IS_ERR(hcon)) {
343352
err = PTR_ERR(hcon);
344-
goto done;
353+
goto unlock;
345354
}
346355
} else {
347356
hcon = hci_connect_cis(hdev, &iso_pi(sk)->dst,
348357
le_addr_type(iso_pi(sk)->dst_type),
349358
&iso_pi(sk)->qos);
350359
if (IS_ERR(hcon)) {
351360
err = PTR_ERR(hcon);
352-
goto done;
361+
goto unlock;
353362
}
354363
}
355364

356365
conn = iso_conn_add(hcon);
357366
if (!conn) {
358367
hci_conn_drop(hcon);
359368
err = -ENOMEM;
360-
goto done;
369+
goto unlock;
361370
}
362371

372+
hci_dev_unlock(hdev);
373+
hci_dev_put(hdev);
374+
375+
lock_sock(sk);
376+
363377
/* Update source addr of the socket */
364378
bacpy(&iso_pi(sk)->src, &hcon->src);
365379

366380
err = iso_chan_add(conn, sk, NULL);
367381
if (err)
368-
goto done;
382+
goto release;
369383

370384
if (hcon->state == BT_CONNECTED) {
371385
iso_sock_clear_timer(sk);
@@ -378,7 +392,11 @@ static int iso_connect_cis(struct sock *sk)
378392
iso_sock_set_timer(sk, sk->sk_sndtimeo);
379393
}
380394

381-
done:
395+
release:
396+
release_sock(sk);
397+
return err;
398+
399+
unlock:
382400
hci_dev_unlock(hdev);
383401
hci_dev_put(hdev);
384402
return err;
@@ -832,20 +850,23 @@ static int iso_sock_connect(struct socket *sock, struct sockaddr *addr,
832850
bacpy(&iso_pi(sk)->dst, &sa->iso_bdaddr);
833851
iso_pi(sk)->dst_type = sa->iso_bdaddr_type;
834852

853+
release_sock(sk);
854+
835855
if (bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
836856
err = iso_connect_cis(sk);
837857
else
838858
err = iso_connect_bis(sk);
839859

840860
if (err)
841-
goto done;
861+
return err;
862+
863+
lock_sock(sk);
842864

843865
if (!test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
844866
err = bt_sock_wait_state(sk, BT_CONNECTED,
845867
sock_sndtimeo(sk, flags & O_NONBLOCK));
846868
}
847869

848-
done:
849870
release_sock(sk);
850871
return err;
851872
}
@@ -1101,28 +1122,22 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
11011122
{
11021123
struct sock *sk = sock->sk;
11031124
struct iso_pinfo *pi = iso_pi(sk);
1104-
int err;
11051125

11061126
BT_DBG("sk %p", sk);
11071127

1108-
lock_sock(sk);
1109-
11101128
if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
11111129
switch (sk->sk_state) {
11121130
case BT_CONNECT2:
1131+
lock_sock(sk);
11131132
iso_conn_defer_accept(pi->conn->hcon);
11141133
sk->sk_state = BT_CONFIG;
11151134
release_sock(sk);
11161135
return 0;
11171136
case BT_CONNECT:
1118-
err = iso_connect_cis(sk);
1119-
release_sock(sk);
1120-
return err;
1137+
return iso_connect_cis(sk);
11211138
}
11221139
}
11231140

1124-
release_sock(sk);
1125-
11261141
return bt_sock_recvmsg(sock, msg, len, flags);
11271142
}
11281143

0 commit comments

Comments
 (0)