From 11d70c6aa3b8c779c47842afb20268002fe62d36 Mon Sep 17 00:00:00 2001
From: Jiri Slaby <jslaby@suse.cz>
Date: Apr 20 2023 11:00:30 +0000
Subject: Bluetooth: SCO: Fix possible circular locking dependency

sco_sock_getsockopt (bsc#1012628).

---

diff --git a/patches.kernel.org/6.2.12-058-Bluetooth-SCO-Fix-possible-circular-locking-de.patch b/patches.kernel.org/6.2.12-058-Bluetooth-SCO-Fix-possible-circular-locking-de.patch
new file mode 100644
index 0000000..cc085fc
--- /dev/null
+++ b/patches.kernel.org/6.2.12-058-Bluetooth-SCO-Fix-possible-circular-locking-de.patch
@@ -0,0 +1,139 @@
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 30 Mar 2023 14:45:03 -0700
+Subject: [PATCH] Bluetooth: SCO: Fix possible circular locking dependency
+ sco_sock_getsockopt
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: 975abc0c90fc485ff9b4a6afa475c3b1398d5d47
+
+[ Upstream commit 975abc0c90fc485ff9b4a6afa475c3b1398d5d47 ]
+
+This attempts to fix the following trace:
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.3.0-rc2-g68fcb3a7bf97 #4706 Not tainted
+------------------------------------------------------
+sco-tester/31 is trying to acquire lock:
+ffff8880025b8070 (&hdev->lock){+.+.}-{3:3}, at:
+sco_sock_getsockopt+0x1fc/0xa90
+
+but task is already holding lock:
+ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+sco_sock_getsockopt+0x104/0xa90
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
+       lock_sock_nested+0x32/0x80
+       sco_connect_cfm+0x118/0x4a0
+       hci_sync_conn_complete_evt+0x1e6/0x3d0
+       hci_event_packet+0x55c/0x7c0
+       hci_rx_work+0x34c/0xa00
+       process_one_work+0x575/0x910
+       worker_thread+0x89/0x6f0
+       kthread+0x14e/0x180
+       ret_from_fork+0x2b/0x50
+
+-> #1 (hci_cb_list_lock){+.+.}-{3:3}:
+       __mutex_lock+0x13b/0xcc0
+       hci_sync_conn_complete_evt+0x1ad/0x3d0
+       hci_event_packet+0x55c/0x7c0
+       hci_rx_work+0x34c/0xa00
+       process_one_work+0x575/0x910
+       worker_thread+0x89/0x6f0
+       kthread+0x14e/0x180
+       ret_from_fork+0x2b/0x50
+
+-> #0 (&hdev->lock){+.+.}-{3:3}:
+       __lock_acquire+0x18cc/0x3740
+       lock_acquire+0x151/0x3a0
+       __mutex_lock+0x13b/0xcc0
+       sco_sock_getsockopt+0x1fc/0xa90
+       __sys_getsockopt+0xe9/0x190
+       __x64_sys_getsockopt+0x5b/0x70
+       do_syscall_64+0x42/0x90
+       entry_SYSCALL_64_after_hwframe+0x70/0xda
+
+other info that might help us debug this:
+
+Chain exists of:
+  &hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+                               lock(hci_cb_list_lock);
+                               lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+  lock(&hdev->lock);
+
+ *** DEADLOCK ***
+
+1 lock held by sco-tester/31:
+ #0: ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0},
+ at: sco_sock_getsockopt+0x104/0xa90
+
+Fixes: 248733e87d50 ("Bluetooth: Allow querying of supported offload codecs over SCO socket")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bluetooth/sco.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 1111da4e..1755f91a 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -1129,6 +1129,8 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ 			break;
+ 		}
+ 
++		release_sock(sk);
++
+ 		/* find total buffer size required to copy codec + caps */
+ 		hci_dev_lock(hdev);
+ 		list_for_each_entry(c, &hdev->local_codecs, list) {
+@@ -1146,15 +1148,13 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ 		buf_len += sizeof(struct bt_codecs);
+ 		if (buf_len > len) {
+ 			hci_dev_put(hdev);
+-			err = -ENOBUFS;
+-			break;
++			return -ENOBUFS;
+ 		}
+ 		ptr = optval;
+ 
+ 		if (put_user(num_codecs, ptr)) {
+ 			hci_dev_put(hdev);
+-			err = -EFAULT;
+-			break;
++			return -EFAULT;
+ 		}
+ 		ptr += sizeof(num_codecs);
+ 
+@@ -1194,12 +1194,14 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ 			ptr += len;
+ 		}
+ 
+-		if (!err && put_user(buf_len, optlen))
+-			err = -EFAULT;
+-
+ 		hci_dev_unlock(hdev);
+ 		hci_dev_put(hdev);
+ 
++		lock_sock(sk);
++
++		if (!err && put_user(buf_len, optlen))
++			err = -EFAULT;
++
+ 		break;
+ 
+ 	default:
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index 69a3821..dc8a340 100644
--- a/series.conf
+++ b/series.conf
@@ -2285,6 +2285,7 @@
 	patches.kernel.org/6.2.12-055-net-openvswitch-fix-race-on-port-output.patch
 	patches.kernel.org/6.2.12-056-Bluetooth-hci_conn-Fix-not-cleaning-up-on-LE-C.patch
 	patches.kernel.org/6.2.12-057-Bluetooth-Fix-printing-errors-if-LE-Connection.patch
+	patches.kernel.org/6.2.12-058-Bluetooth-SCO-Fix-possible-circular-locking-de.patch
 
 	########################################################
 	# Build fixes that apply to the vanilla kernel too.