From patchwork Tue Jun 30 15:36:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Denis Grigorev X-Patchwork-Id: 222973
From: Denis Grigorev To: CC: Subject: [PATCH 3.16 03/10] Bluetooth: L2CAP ERTM shutdown protect sk and chan Date: Tue, 30 Jun 2020 18:36:34 +0300 Message-ID: <20200630153641.21004-4-d.grigorev@omprussia.ru> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200630153641.21004-1-d.grigorev@omprussia.ru> References: <20200630153641.21004-1-d.grigorev@omprussia.ru> MIME-Version: 1.0 X-Originating-IP: [81.3.167.34] X-ClientProxiedBy: LFEXT01.lancloud.ru (fd00:f066::141) To LFEX09.lancloud.ru (fd00:f066::59) Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Dean Jenkins During execution of l2cap_sock_shutdown() which might sleep, the sk and chan structures can be in an unlocked condition which potentially allows the structures to be freed by other running threads. Therefore, there is a possibility of a malfunction or memory reuse after being freed. Keep the sk and chan structures alive during the execution of l2cap_sock_shutdown() by using their respective hold and put functions. This allows the structures to be freeable at the end of l2cap_sock_shutdown(). Signed-off-by: Kautuk Consul Signed-off-by: Dean Jenkins Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap_sock.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 071d35c9f3b4..e56d34f027dd 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1092,7 +1092,12 @@ static int l2cap_sock_shutdown(struct socket *sock, int how) if (!sk) return 0; + /* prevent sk structure from being freed whilst unlocked */ + sock_hold(sk); + chan = l2cap_pi(sk)->chan; + /* prevent chan structure from being freed whilst unlocked */ + l2cap_chan_hold(chan); conn = chan->conn; if (conn) @@ -1126,6 +1131,9 @@ static int l2cap_sock_shutdown(struct socket *sock, int how) if (conn) mutex_unlock(&conn->chan_lock); + l2cap_chan_put(chan); + sock_put(sk); + return err; }
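Review bot: In the first hunk (@@ -1092,7 +1092,12 @@), l2cap_chan_hold(chan) is called on the pointer loaded by chan = l2cap_pi(sk)->chan with no lock visible at that point and no NULL check, so the hold only helps if chan is guaranteed to be valid when shutdown is entered. The following context line caches conn = chan->conn in a local, and the function later uses it in mutex_unlock(&conn->chan_lock), yet nothing in this patch pins conn across the sleep that the commit message describes. Suggest adding a comment that states what keeps chan and conn valid on entry, or pinning conn for the duration of the function in the same way as sk and chan.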
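Review bot: In the second hunk (@@ -1126,6 +1131,9 @@), l2cap_chan_put(chan) and sock_put(sk) sit only on the final path before return err, so any return between the new holds and this point would leak both references. The hunk context does not show the function body in between; please confirm that every exit taken after sock_hold(sk) reaches these puts, or route the exits through a single label that does the release. Releasing in reverse order of acquisition (chan first, then sk) looks right.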