Message ID | 20220326070853.v2.1.I67f8ad854ac2f48701902bfb34d6e2070011b779@changeid
---|---
State | Superseded
Series | [v2] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=626497

---Test result---

Test Summary:
CheckPatch                        PASS      1.55 seconds
GitLint                           PASS      0.99 seconds
SubjectPrefix                     PASS      0.83 seconds
BuildKernel                       PASS      29.67 seconds
BuildKernel32                     PASS      26.55 seconds
Incremental Build with patches    PASS      36.25 seconds
TestRunner: Setup                 PASS      466.04 seconds
TestRunner: l2cap-tester          PASS      15.40 seconds
TestRunner: bnep-tester           PASS      6.09 seconds
TestRunner: mgmt-tester           PASS      99.78 seconds
TestRunner: rfcomm-tester         PASS      7.81 seconds
TestRunner: sco-tester            PASS      7.58 seconds
TestRunner: smp-tester            PASS      7.54 seconds
TestRunner: userchan-tester       PASS      6.33 seconds

---

Regards,
Linux Bluetooth
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master) by Marcel Holtmann <marcel@holtmann.org>:

On Sat, 26 Mar 2022 07:09:28 +0000 you wrote:
> Connecting the same socket twice consecutively in sco_sock_connect()
> could lead to a race condition where two sco_conn objects are created
> but only one is associated with the socket. If the socket is closed
> before the SCO connection is established, the timer associated with the
> dangling sco_conn object won't be canceled. As the sock object is being
> freed, the use-after-free problem happens when the timer callback
> function sco_sock_timeout() accesses the socket. Here's the call trace:
>
> [...]

Here is the summary with links:
  - [v2] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
    https://git.kernel.org/bluetooth/bluetooth-next/c/300cf0bfb43e

You are awesome, thank you!
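The race the commit message above describes, as an added userspace model written for this page (it is neither the kernel code nor the submitter's patch): the kernel's lock_sock() is a pthread mutex, sco_conn_add(), sco_sock_set_timer(), sco_sock_clear_timer() and kfree() are reduced to flags, and a barrier forces the two connect() callers to both pass the sk_state check before either takes the lock. With the pre-patch order (check, then lock) both callers pass, the second overwrites the socket's conn pointer, and the first conn is left with its timer armed when the socket is closed; with the patched order (lock, then check) the second caller sees BT_CONNECT and allocates nothing. All names, the barrier and the two-thread driver are this example's own assumptions.

```c
/* Userspace model of the sco_sock_connect() race, added for this page; not
 * kernel code. lock_sock() is a pthread mutex, the connect timeout and
 * kfree() are flags, and a barrier forces the interleaving the fix rules
 * out. Build with: cc -pthread race.c */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <stdio.h>

enum { BT_OPEN = 1, BT_CONNECT };

struct sco_conn { struct sock *sk; int timer_armed; };
struct sock {
    pthread_mutex_t lock;   /* lock_sock()/release_sock() */
    int state, freed;       /* freed is set instead of kfree(), to detect UAF */
    struct sco_conn *conn;  /* the one conn the socket knows about */
};
static struct sco_conn *conns[4];   /* every conn ever allocated */
static int nconns, lock_first;
static pthread_barrier_t both_checked;

/* Called with sk->lock held; models sco_conn_add() + sco_sock_set_timer(). */
static struct sco_conn *sco_conn_add(struct sock *sk)
{
    struct sco_conn *conn = calloc(1, sizeof(*conn));
    conn->sk = sk;
    conn->timer_armed = 1;
    conns[nconns++] = conn;
    return conn;
}

/* connect() with the lock taken either after the sk_state check (pre-patch
 * order, lock_first == 0) or before it (patched order, lock_first == 1). */
static int sco_connect(struct sock *sk)
{
    if (lock_first)
        pthread_mutex_lock(&sk->lock);
    int ok = (sk->state == BT_OPEN);
    if (!lock_first) {
        /* Both callers finish the unlocked check before either locks,
         * so both see BT_OPEN and both allocate a conn. */
        pthread_barrier_wait(&both_checked);
        pthread_mutex_lock(&sk->lock);
    }
    if (ok) {
        sk->conn = sco_conn_add(sk);   /* 2nd caller overwrites the 1st conn */
        sk->state = BT_CONNECT;
    }
    pthread_mutex_unlock(&sk->lock);
    return ok ? 0 : -1;                /* -EBADFD in the kernel */
}

/* sco_sock_close(): only the conn the socket points at loses its timer. */
static void sock_close(struct sock *sk)
{
    pthread_mutex_lock(&sk->lock);
    if (sk->conn)
        sk->conn->timer_armed = 0;     /* sco_sock_clear_timer() */
    pthread_mutex_unlock(&sk->lock);
    sk->freed = 1;                     /* kfree(sk) */
}

/* sco_sock_timeout() for every still-armed timer; counts hits on the freed sock. */
static int fire_timers(void)
{
    int uaf = 0;
    for (int i = 0; i < nconns; i++) {
        uaf += conns[i]->timer_armed && conns[i]->sk->freed;
        free(conns[i]);
    }
    nconns = 0;
    return uaf;
}

static void *worker(void *sk) { sco_connect(sk); return NULL; }

/* Two concurrent connect() calls, then close, then timers; returns UAF count. */
static int run_race(int lock_before_check)
{
    struct sock sk = { .state = BT_OPEN };
    pthread_t t[2];
    pthread_mutex_init(&sk.lock, NULL);
    pthread_barrier_init(&both_checked, NULL, 2);
    lock_first = lock_before_check;
    for (int i = 0; i < 2; i++)
        pthread_create(&t[i], NULL, worker, &sk);
    for (int i = 0; i < 2; i++)
        pthread_join(t[i], NULL);
    pthread_barrier_destroy(&both_checked);
    sock_close(&sk);
    return fire_timers();
}

int main(void)
{
    printf("check before lock: %d stale timer(s) hit a freed sock\n", run_race(0));
    printf("lock before check: %d stale timer(s) hit a freed sock\n", run_race(1));
    return 0;
}
```

run_race(0) reproduces the pre-patch ordering and reports one stale timer reaching the freed socket; run_race(1) reproduces the patched ordering and reports none. The barrier is only there to make the bad interleaving deterministic; in the kernel the same window exists whenever two threads enter sco_sock_connect() on one socket before either reaches lock_sock().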
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 8eabf41b2993..380c63194736 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -574,19 +574,24 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen addr->sa_family != AF_BLUETOOTH) return -EINVAL; - if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) - return -EBADFD; + lock_sock(sk); + if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { + err = -EBADFD; + goto done; + } - if (sk->sk_type != SOCK_SEQPACKET) - return -EINVAL; + if (sk->sk_type != SOCK_SEQPACKET) { + err = -EINVAL; + goto done; + } hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR); - if (!hdev) - return -EHOSTUNREACH; + if (!hdev) { + err = -EHOSTUNREACH; + goto done; + } hci_dev_lock(hdev); - lock_sock(sk); - /* Set destination address and psm */ bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
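Review bot: the three new `goto done` exits (`err = -EBADFD`, `err = -EINVAL`, `err = -EHOSTUNREACH`) are all taken before `hci_get_route()` has returned a device and before `hci_dev_lock(hdev)`, and the `done:` label is outside this hunk; please confirm that `done:` only does `release_sock(sk)` and does not unlock or put `hdev`, otherwise the `!hdev` path would operate on a NULL device. Moving `lock_sock(sk)` above the `sk->sk_state` check is what closes the race: a second `connect()` on the same socket now blocks on the lock and then sees the state the first caller set, instead of passing the unlocked check and creating a second `sco_conn` as the commit message describes. The `alen`/`sa_family` check left above the lock is fine, since it reads only the caller-supplied address.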