CVE-2024-54191

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: iso: Fix circular lock in isoconnbig_sync

This fixes the circular locking dependency warning below, by reworking isosockrecvmsg, to ensure that the socket lock is always released before calling a function that locks hdev.

[ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: isoconnbigsync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sklock-AFBLUETOOTH){+.+.}-{0:0}, at: isosock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock.

[ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sklock-AFBLUETOOTH){+.+.}-{0:0}: [ 561.670458] lockacquire+0x7c/0xc0 [ 561.670463] locksocknested+0x3b/0xf0 [ 561.670467] btacceptdequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] isosockaccept+0x271/0x830 [bluetooth] [ 561.670547] doaccept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64sysaccept+0x74/0xc0 [ 561.670556] x64syscall+0x17d6/0x25f0 [ 561.670559] dosyscall64+0x87/0x150 [ 561.670563] entrySYSCALL64afterhwframe+0x76/0x7e [ 561.670567] -> #1 (sklock-AFBLUETOOTH-BTPROTOISO){+.+.}-{0:0}: [ 561.670571] lockacquire+0x7c/0xc0 [ 561.670574] locksocknested+0x3b/0xf0 [ 561.670577] isosocklisten+0x2de/0xf30 [bluetooth] [ 561.670617] __syslistensocket+0xef/0x130 [ 561.670620] __x64syslisten+0xe1/0x190 [ 561.670623] x64syscall+0x2517/0x25f0 [ 561.670626] dosyscall64+0x87/0x150 [ 561.670629] entrySYSCALL64afterhwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] __lockacquire+0x32ad/0x6ab0 [ 561.670639] lockacquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutexlock+0x18d/0x12f0 [ 561.670647] mutexlocknested+0x1b/0x30 [ 561.670651] isoconnbigsync+0x73/0x260 [bluetooth] [ 561.670687] isosockrecvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sockrecvmsg+0x1d5/0x240 [ 561.670725] sockreaditer+0x27d/0x470 [ 561.670727] vfsread+0x9a0/0xd30 [ 561.670731] ksys_read+0x1a8/0x250 [ 561.670733] __x64sysread+0x72/0xc0 [ 561.670736] x64syscall+0x1b12/0x25f0 [ 561.670738] dosyscall64+0x87/0x150 [ 561.670741] entrySYSCALL64afterhwframe+0x76/0x7e [ 561.670744] other info that might help us debug this:

[ 561.670745] Chain exists of: &hdev->lock --> sklock-AFBLUETOOTH-BTPROTOISO --> sklock-AF_BLUETOOTH

[ 561.670751] Possible unsafe locking scenario:

[ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sklock-AFBLUETOOTH); [ 561.670758] lock(sklock AFBLUETOOTH-BTPROTOISO); [ 561.670761] lock(sklock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] *** DEADLOCK ***