Bluetooth: Fix race condition in hci_release_sock()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Syzbot managed to trigger a use after free "KASAN: use-after-free Write
in hci_sock_bind". I have reviewed the code manually and one possibly
cause I have found is that we are not holding lock_sock(sk) when we do
the hci_dev_put(hdev) in hci_sock_release(). My theory is that the bind
and the release are racing against each other which results in this use
after free.

Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

authored by

Dan Carpenter and committed by

Johan Hedberg 6 years ago 11eb85ec 18f81241

1 changed file

expand all

net

bluetooth

hci_sock.c

net/bluetooth/hci_sock.c

··· 839 839 if (!sk) 840 840 return 0; 841 841 842 + lock_sock(sk); 843 + 842 844 switch (hci_pi(sk)->channel) { 843 845 case HCI_CHANNEL_MONITOR: 844 846 atomic_dec(&monitor_promisc); ··· 888 886 skb_queue_purge(&sk->sk_receive_queue); 889 887 skb_queue_purge(&sk->sk_write_queue); 890 888 889 + release_sock(sk); 891 890 sock_put(sk); 892 891 return 0; 893 892 }