Re: [PATCH 1/2] Bluetooth: call sock_hold earlier in sco_conn_del

[Desmond Cheong Zhi Xi]

Hi Marcel,

On 10/9/21 3:36 am, Marcel Holtmann wrote:
> Hi Desmond,
>
> > In sco_conn_del, conn->sk is read while holding on to the
> > sco_conn.lock to avoid races with a socket that could be released
> > concurrently.
> >
> > However, in between unlocking sco_conn.lock and calling sock_hold,
> > it's possible for the socket to be freed, which would cause a
> > use-after-free write when sock_hold is finally called.
> >
> > To fix this, the reference count of the socket should be increased
> > while the sco_conn.lock is still held.
> >
> > Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@xxxxxxxxx>
> > ---
> > net/bluetooth/sco.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > index b62c91c627e2..4a057f99b60a 100644
> > --- a/net/bluetooth/sco.c
> > +++ b/net/bluetooth/sco.c
> > @@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> > 	/* Kill socket */
> > 	sco_conn_lock(conn);
> > 	sk = conn->sk;
>
> please add a comment here on why we are doing it.

So sorry for the very delayed response. I was looking through old email 
threads to check if my recently resent patch was still necessary, and 
just realized I missed this email.

This patch was merged into the bluetooth-next tree before your feedback 
came in. Would you still like me to write a separate patch to add the 
requested comment?

Best wishes,
Desmond

> > +	if (sk)
> > +		sock_hold(sk);
> > 	sco_conn_unlock(conn);
> >
> > 	if (sk) {
> > -		sock_hold(sk);
> > 		lock_sock(sk);
> > 		sco_sock_clear_timer(sk);
> > 		sco_chan_del(sk, err);
>
> Regards
>
> Marcel