Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: call sock_hold earlier in sco_conn_del

In sco_conn_del, conn->sk is read while holding on to the
sco_conn.lock to avoid races with a socket that could be released
concurrently.

However, in between unlocking sco_conn.lock and calling sock_hold,
it's possible for the socket to be freed, which would cause a
use-after-free write when sock_hold is finally called.

To fix this, the reference count of the socket should be increased
while the sco_conn.lock is still held.

Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Authored by Desmond Cheong Zhi Xi and committed by Luiz Augusto von Dentz
f4712fa9 15957cab

+2 -1
net/bluetooth/sco.c
··· 187 187 /* Kill socket */ 188 188 sco_conn_lock(conn); 189 189 sk = conn->sk; 190 + if (sk) 191 + sock_hold(sk); 190 192 sco_conn_unlock(conn); 191 193 192 194 if (sk) { 193 - sock_hold(sk); 194 195 lock_sock(sk); 195 196 sco_sock_clear_timer(sk); 196 197 sco_chan_del(sk, err);
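Review bot: taking the reference under sco_conn_lock closes the window the commit message describes, but the visible context of the hunk ends at `sco_chan_del(sk, err);`, before the point where the reference taken by the moved `sock_hold(sk)` is dropped; confirm the matching `sock_put(sk)` at the end of the `if (sk)` block is unchanged so the hold/put pairing stays balanced after the move. The guarantee also depends on every path that clears `conn->sk` or frees the socket doing so under the same sco_conn_lock; a one-line comment above the new `if (sk) sock_hold(sk);` stating that the reference must be taken before `sco_conn_unlock(conn)` would keep a later refactor from reintroducing the gap.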