aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorUlisses Furquim <ulisses@profusion.mobi>2011-12-21 17:02:36 -0500
committerGustavo F. Padovan <padovan@profusion.mobi>2011-12-22 11:15:09 -0500
commit371fd83563252f550ce59476a7366d0b5171d316 (patch)
treef9ac14482819a4ddc3205d96f214875d7442cea4
parent686ebf283ba19f82abd8aaec023cd124749be9ec (diff)
Bluetooth: Fix deadlocks with sock lock and L2CAP timers locks
When cancelling a delayed work (timer) in L2CAP we can not sleep holding the sock mutex otherwise we might deadlock with an L2CAP timer handler. This is possible because RX/TX and L2CAP timers run in different workqueues. The scenario below illustrates the problem. Thus we are now avoiding to sleep on the timers locks. ====================================================== [ INFO: possible circular locking dependency detected ] 3.1.0-05270-ga978dc7-dirty #239 ------------------------------------------------------- kworker/1:1/873 is trying to acquire lock: (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+...}, at: [<ffffffffa002ceac>] l2cap_chan_timeout+0x3c/0xe0 [bluetooth] but task is already holding lock: ((&(&chan->chan_timer)->work)){+.+...}, at: [<ffffffff81051a86>] process_one_work+0x126/0x450 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 ((&(&chan->chan_timer)->work)){+.+...}: [<ffffffff8106b276>] check_prevs_add+0xf6/0x170 [<ffffffff8106b903>] validate_chain+0x613/0x790 [<ffffffff8106dfee>] __lock_acquire+0x4be/0xac0 [<ffffffff8106ec2d>] lock_acquire+0x8d/0xb0 [<ffffffff81052a6f>] wait_on_work+0x4f/0x160 [<ffffffff81052ca3>] __cancel_work_timer+0x73/0x80 [<ffffffff81052cbd>] cancel_delayed_work_sync+0xd/0x10 [<ffffffffa002f2ed>] l2cap_chan_connect+0x22d/0x470 [bluetooth] [<ffffffffa002fb51>] l2cap_sock_connect+0xb1/0x140 [bluetooth] [<ffffffff8130811b>] kernel_connect+0xb/0x10 [<ffffffffa00cf98a>] rfcomm_session_create+0x12a/0x1c0 [rfcomm] [<ffffffffa00cfbe7>] __rfcomm_dlc_open+0x1c7/0x240 [rfcomm] [<ffffffffa00d07c2>] rfcomm_dlc_open+0x42/0x70 [rfcomm] [<ffffffffa00d3b03>] rfcomm_sock_connect+0x103/0x150 [rfcomm] [<ffffffff8130bd7e>] sys_connect+0xae/0xc0 [<ffffffff813368d2>] compat_sys_socketcall+0xb2/0x220 [<ffffffff813b2089>] sysenter_dispatch+0x7/0x30 -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+...}: [<ffffffff8106b16d>] check_prev_add+0x6cd/0x6e0 [<ffffffff8106b276>] check_prevs_add+0xf6/0x170 [<ffffffff8106b903>] validate_chain+0x613/0x790 [<ffffffff8106dfee>] __lock_acquire+0x4be/0xac0 [<ffffffff8106ec2d>] lock_acquire+0x8d/0xb0 [<ffffffff8130d91a>] lock_sock_nested+0x8a/0xa0 [<ffffffffa002ceac>] l2cap_chan_timeout+0x3c/0xe0 [bluetooth] [<ffffffff81051ae4>] process_one_work+0x184/0x450 [<ffffffff8105276e>] worker_thread+0x15e/0x340 [<ffffffff81057bb6>] kthread+0x96/0xa0 [<ffffffff813b1ef4>] kernel_thread_helper+0x4/0x10 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock((&(&chan->chan_timer)->work)); lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock((&(&chan->chan_timer)->work)); lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); *** DEADLOCK *** 2 locks held by kworker/1:1/873: #0: (events){.+.+.+}, at: [<ffffffff81051a86>] process_one_work+0x126/0x450 #1: ((&(&chan->chan_timer)->work)){+.+...}, at: [<ffffffff81051a86>] process_one_work+0x126/0x450 stack backtrace: Pid: 873, comm: kworker/1:1 Not tainted 3.1.0-05270-ga978dc7-dirty #239 Call Trace: [<ffffffff813a0f6e>] print_circular_bug+0xd2/0xe3 [<ffffffff8106b16d>] check_prev_add+0x6cd/0x6e0 [<ffffffff8106b276>] check_prevs_add+0xf6/0x170 [<ffffffff8106b903>] validate_chain+0x613/0x790 [<ffffffff8106dfee>] __lock_acquire+0x4be/0xac0 [<ffffffff8130d8f6>] ? lock_sock_nested+0x66/0xa0 [<ffffffff8106ea30>] ? lock_release_nested+0x100/0x110 [<ffffffff8130d8f6>] ? lock_sock_nested+0x66/0xa0 [<ffffffff8106ec2d>] lock_acquire+0x8d/0xb0 [<ffffffffa002ceac>] ? l2cap_chan_timeout+0x3c/0xe0 [bluetooth] [<ffffffff8130d91a>] lock_sock_nested+0x8a/0xa0 [<ffffffffa002ceac>] ? l2cap_chan_timeout+0x3c/0xe0 [bluetooth] [<ffffffff81051a86>] ? process_one_work+0x126/0x450 [<ffffffffa002ceac>] l2cap_chan_timeout+0x3c/0xe0 [bluetooth] [<ffffffff81051ae4>] process_one_work+0x184/0x450 [<ffffffff81051a86>] ? process_one_work+0x126/0x450 [<ffffffffa002ce70>] ? l2cap_security_cfm+0x4e0/0x4e0 [bluetooth] [<ffffffff8105276e>] worker_thread+0x15e/0x340 [<ffffffff81052610>] ? manage_workers+0x110/0x110 [<ffffffff81057bb6>] kthread+0x96/0xa0 [<ffffffff813b1ef4>] kernel_thread_helper+0x4/0x10 [<ffffffff813af69d>] ? retint_restore_args+0xe/0xe [<ffffffff81057b20>] ? __init_kthread_worker+0x70/0x70 [<ffffffff813b1ef0>] ? gs_change+0xb/0xb Signed-off-by: Ulisses Furquim <ulisses@profusion.mobi> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
-rw-r--r--include/net/bluetooth/l2cap.h29
-rw-r--r--net/bluetooth/l2cap_core.c29
2 files changed, 30 insertions, 28 deletions
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index f141fbecfa40..9572cbd12a7a 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -595,32 +595,45 @@ enum {
595 FLAG_EFS_ENABLE, 595 FLAG_EFS_ENABLE,
596}; 596};
597 597
598static inline void l2cap_chan_hold(struct l2cap_chan *c)
599{
600 atomic_inc(&c->refcnt);
601}
602
603static inline void l2cap_chan_put(struct l2cap_chan *c)
604{
605 if (atomic_dec_and_test(&c->refcnt))
606 kfree(c);
607}
608
598static inline void l2cap_set_timer(struct l2cap_chan *chan, 609static inline void l2cap_set_timer(struct l2cap_chan *chan,
599 struct delayed_work *work, long timeout) 610 struct delayed_work *work, long timeout)
600{ 611{
601 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout); 612 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
602 613
603 cancel_delayed_work_sync(work); 614 if (!__cancel_delayed_work(work))
604 615 l2cap_chan_hold(chan);
605 schedule_delayed_work(work, timeout); 616 schedule_delayed_work(work, timeout);
606} 617}
607 618
608static inline void l2cap_clear_timer(struct delayed_work *work) 619static inline void l2cap_clear_timer(struct l2cap_chan *chan,
620 struct delayed_work *work)
609{ 621{
610 cancel_delayed_work_sync(work); 622 if (__cancel_delayed_work(work))
623 l2cap_chan_put(chan);
611} 624}
612 625
613#define __set_chan_timer(c, t) l2cap_set_timer(c, &c->chan_timer, (t)) 626#define __set_chan_timer(c, t) l2cap_set_timer(c, &c->chan_timer, (t))
614#define __clear_chan_timer(c) l2cap_clear_timer(&c->chan_timer) 627#define __clear_chan_timer(c) l2cap_clear_timer(c, &c->chan_timer)
615#define __set_retrans_timer(c) l2cap_set_timer(c, &c->retrans_timer, \ 628#define __set_retrans_timer(c) l2cap_set_timer(c, &c->retrans_timer, \
616 L2CAP_DEFAULT_RETRANS_TO); 629 L2CAP_DEFAULT_RETRANS_TO);
617#define __clear_retrans_timer(c) l2cap_clear_timer(&c->retrans_timer) 630#define __clear_retrans_timer(c) l2cap_clear_timer(c, &c->retrans_timer)
618#define __set_monitor_timer(c) l2cap_set_timer(c, &c->monitor_timer, \ 631#define __set_monitor_timer(c) l2cap_set_timer(c, &c->monitor_timer, \
619 L2CAP_DEFAULT_MONITOR_TO); 632 L2CAP_DEFAULT_MONITOR_TO);
620#define __clear_monitor_timer(c) l2cap_clear_timer(&c->monitor_timer) 633#define __clear_monitor_timer(c) l2cap_clear_timer(c, &c->monitor_timer)
621#define __set_ack_timer(c) l2cap_set_timer(c, &chan->ack_timer, \ 634#define __set_ack_timer(c) l2cap_set_timer(c, &chan->ack_timer, \
622 L2CAP_DEFAULT_ACK_TO); 635 L2CAP_DEFAULT_ACK_TO);
623#define __clear_ack_timer(c) l2cap_clear_timer(&c->ack_timer) 636#define __clear_ack_timer(c) l2cap_clear_timer(c, &c->ack_timer)
624 637
625static inline int __seq_offset(struct l2cap_chan *chan, __u16 seq1, __u16 seq2) 638static inline int __seq_offset(struct l2cap_chan *chan, __u16 seq1, __u16 seq2)
626{ 639{
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 173218345a10..944c18913ca0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -77,17 +77,6 @@ static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77 77
78/* ---- L2CAP channels ---- */ 78/* ---- L2CAP channels ---- */
79 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
92{ 81{
93 struct l2cap_chan *c, *r = NULL; 82 struct l2cap_chan *c, *r = NULL;
@@ -287,7 +276,7 @@ static void l2cap_chan_timeout(struct work_struct *work)
287 release_sock(sk); 276 release_sock(sk);
288 277
289 chan->ops->close(chan->data); 278 chan->ops->close(chan->data);
290 chan_put(chan); 279 l2cap_chan_put(chan);
291} 280}
292 281
293struct l2cap_chan *l2cap_chan_create(struct sock *sk) 282struct l2cap_chan *l2cap_chan_create(struct sock *sk)
@@ -321,7 +310,7 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
321 list_del(&chan->global_l); 310 list_del(&chan->global_l);
322 write_unlock_bh(&chan_list_lock); 311 write_unlock_bh(&chan_list_lock);
323 312
324 chan_put(chan); 313 l2cap_chan_put(chan);
325} 314}
326 315
327static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 316static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
@@ -363,7 +352,7 @@ static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
363 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 352 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
364 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO; 353 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
365 354
366 chan_hold(chan); 355 l2cap_chan_hold(chan);
367 356
368 list_add_rcu(&chan->list, &conn->chan_l); 357 list_add_rcu(&chan->list, &conn->chan_l);
369} 358}
@@ -385,7 +374,7 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
385 list_del_rcu(&chan->list); 374 list_del_rcu(&chan->list);
386 synchronize_rcu(); 375 synchronize_rcu();
387 376
388 chan_put(chan); 377 l2cap_chan_put(chan);
389 378
390 chan->conn = NULL; 379 chan->conn = NULL;
391 hci_conn_put(conn->hcon); 380 hci_conn_put(conn->hcon);
@@ -1029,10 +1018,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1029 hci_chan_del(conn->hchan); 1018 hci_chan_del(conn->hchan);
1030 1019
1031 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1032 cancel_delayed_work_sync(&conn->info_timer); 1021 __cancel_delayed_work(&conn->info_timer);
1033 1022
1034 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) { 1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
1035 cancel_delayed_work_sync(&conn->security_timer); 1024 __cancel_delayed_work(&conn->security_timer);
1036 smp_chan_destroy(conn); 1025 smp_chan_destroy(conn);
1037 } 1026 }
1038 1027
@@ -2583,7 +2572,7 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
2583 2572
2584 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 2573 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2585 cmd->ident == conn->info_ident) { 2574 cmd->ident == conn->info_ident) {
2586 cancel_delayed_work_sync(&conn->info_timer); 2575 __cancel_delayed_work(&conn->info_timer);
2587 2576
2588 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 2577 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2589 conn->info_ident = 0; 2578 conn->info_ident = 0;
@@ -3129,7 +3118,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
3129 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 3118 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3130 return 0; 3119 return 0;
3131 3120
3132 cancel_delayed_work_sync(&conn->info_timer); 3121 __cancel_delayed_work(&conn->info_timer);
3133 3122
3134 if (result != L2CAP_IR_SUCCESS) { 3123 if (result != L2CAP_IR_SUCCESS) {
3135 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3124 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
@@ -4508,7 +4497,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4508 4497
4509 if (hcon->type == LE_LINK) { 4498 if (hcon->type == LE_LINK) {
4510 smp_distribute_keys(conn, 0); 4499 smp_distribute_keys(conn, 0);
4511 cancel_delayed_work_sync(&conn->security_timer); 4500 __cancel_delayed_work(&conn->security_timer);
4512 } 4501 }
4513 4502
4514 rcu_read_lock(); 4503 rcu_read_lock();