| Message ID | 20210903031306.78292-2-desmondcheongzx@gmail.com |
|---|---|
| State | Accepted |
| Commit | 79fa8db8e6d31d69ba0919f06ee2705a1abe8122 |
| Headers | show |
| Series | [1/2] Bluetooth: call sock_hold earlier in sco_conn_del | expand |
Hi Desmond, > In sco_conn_del, conn->sk is read while holding on to the > sco_conn.lock to avoid races with a socket that could be released > concurrently. > > However, in between unlocking sco_conn.lock and calling sock_hold, > it's possible for the socket to be freed, which would cause a > use-after-free write when sock_hold is finally called. > > To fix this, the reference count of the socket should be increased > while the sco_conn.lock is still held. > > Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> > --- > net/bluetooth/sco.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > index b62c91c627e2..4a057f99b60a 100644 > --- a/net/bluetooth/sco.c > +++ b/net/bluetooth/sco.c > @@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > /* Kill socket */ > sco_conn_lock(conn); > sk = conn->sk; please add a comment here on why we are doing it. > + if (sk) > + sock_hold(sk); > sco_conn_unlock(conn); > > if (sk) { > - sock_hold(sk); > lock_sock(sk); > sco_sock_clear_timer(sk); > sco_chan_del(sk, err); Regards Marcel
Hi Marcel, On 10/9/21 3:36 am, Marcel Holtmann wrote: > Hi Desmond, > >> In sco_conn_del, conn->sk is read while holding on to the >> sco_conn.lock to avoid races with a socket that could be released >> concurrently. >> >> However, in between unlocking sco_conn.lock and calling sock_hold, >> it's possible for the socket to be freed, which would cause a >> use-after-free write when sock_hold is finally called. >> >> To fix this, the reference count of the socket should be increased >> while the sco_conn.lock is still held. >> >> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> >> --- >> net/bluetooth/sco.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c >> index b62c91c627e2..4a057f99b60a 100644 >> --- a/net/bluetooth/sco.c >> +++ b/net/bluetooth/sco.c >> @@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err) >> /* Kill socket */ >> sco_conn_lock(conn); >> sk = conn->sk; > > please add a comment here on why we are doing it. > So sorry for the very delayed response. I was looking through old email threads to check if my recently resent patch was still necessary, and just realized I missed this email. This patch was merged into the bluetooth-next tree before your feedback came in. Would you still like me to write a separate patch to add the requested comment? Best wishes, Desmond >> + if (sk) >> + sock_hold(sk); >> sco_conn_unlock(conn); >> >> if (sk) { >> - sock_hold(sk); >> lock_sock(sk); >> sco_sock_clear_timer(sk); >> sco_chan_del(sk, err); > > Regards > > Marcel >
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index b62c91c627e2..4a057f99b60a 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err) /* Kill socket */ sco_conn_lock(conn); sk = conn->sk; + if (sk) + sock_hold(sk); sco_conn_unlock(conn); if (sk) { - sock_hold(sk); lock_sock(sk); sco_sock_clear_timer(sk); sco_chan_del(sk, err);
In sco_conn_del, conn->sk is read while holding on to the sco_conn.lock to avoid races with a socket that could be released concurrently. However, in between unlocking sco_conn.lock and calling sock_hold, it's possible for the socket to be freed, which would cause a use-after-free write when sock_hold is finally called. To fix this, the reference count of the socket should be increased while the sco_conn.lock is still held. Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> --- net/bluetooth/sco.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)