From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com, Myungho Jung, Marcel Holtmann
Subject: [PATCH 5.0 38/52] Bluetooth: Fix decrementing reference count twice in releasing socket
Date: Tue, 26 Mar 2019 15:30:25 +0900
Message-Id: <20190326042703.004623834@linuxfoundation.org>
In-Reply-To: <20190326042700.963224437@linuxfoundation.org>

5.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Myungho Jung

commit e20a2e9c42c9e4002d9e338d74e7819e88d77162 upstream.

When releasing socket, it is possible to enter hci_sock_release() and
hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
The reference count of hdev should be decremented only once from one of
them but if storing hdev to local variable in hci_sock_release() before
detached from socket and setting to NULL in hci_sock_dev_event(),
hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
referencing hdev from socket after bt_sock_unlink() in
hci_sock_release().

Reported-by: syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman
---
 net/bluetooth/hci_sock.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -831,8 +831,6 @@ static int hci_sock_release(struct socke if (!sk) return 0; - hdev = hci_pi(sk)->hdev; - switch (hci_pi(sk)->channel) { case HCI_CHANNEL_MONITOR: atomic_dec(&monitor_promisc); 
@@ -854,6 +852,7 @@ static int hci_sock_release(struct socke bt_sock_unlink(&hci_sk_list, sk); + hdev = hci_pi(sk)->hdev; if (hdev) { if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { /* When releasing a user channel exclusive access,
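Review bot: With the early `hdev = hci_pi(sk)->hdev;` removed in the first hunk (@@ -831,8 +831,6), hdev is left unassigned through the switch on hci_pi(sk)->channel and up to bt_sock_unlink(). The declaration is not visible in this context, so please confirm that nothing in that stretch reads hdev, or initialise it to NULL at the declaration so that a later edit inside the switch cannot pick up an indeterminate pointer.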
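Review bot: The moved assignment in the second hunk (@@ -854,6 +852,7), placed directly after bt_sock_unlink(&hci_sk_list, sk), carries no comment saying that its position is what prevents the second hci_dev_put(). A one-line comment above `hdev = hci_pi(sk)->hdev;` stating that hdev must be read only after the socket is unlinked, because hci_sock_dev_event() may clear it, would keep a later cleanup from hoisting the read back to the top of hci_sock_release().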
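The double put described in the commit message, as an added userspace model that is not part of the patch or of the kernel source. All `model_*` names are hypothetical, the concurrent HCI_DEV_UNREG handler is called inline to make the interleaving deterministic, and the model assumes the handler only reaches sockets that are still linked.

```c
#include <stdio.h>

/* Userspace model constructed for illustration; all names are hypothetical. */
struct model_dev  { int refcnt; };
struct model_sock { struct model_dev *hdev; int linked; };

static void model_dev_put(struct model_dev *d) { d->refcnt--; }

/* Stands in for hci_sock_dev_event(HCI_DEV_UNREG). Assumption: it only
 * reaches sockets still on the list; it detaches the device and puts it. */
static void model_unreg_event(struct model_sock *sk)
{
    if (!sk->linked || !sk->hdev)
        return;
    model_dev_put(sk->hdev);
    sk->hdev = NULL;
}

/* read_early=1: pre-patch order. read_early=0: patched order. */
static void model_sock_release(struct model_sock *sk, int read_early)
{
    struct model_dev *hdev = NULL;
    if (read_early)
        hdev = sk->hdev;       /* stale copy survives the event below */
    model_unreg_event(sk);     /* other thread, run inline in the race window */
    sk->linked = 0;            /* stands in for bt_sock_unlink() */
    if (!read_early)
        hdev = sk->hdev;       /* NULL when the event already dropped the ref */
    if (hdev)
        model_dev_put(hdev);
}

/* Final refcount of a device whose single reference is held by the socket:
 * 0 is balanced, -1 means the reference was dropped twice. */
int final_refcnt(int read_early)
{
    struct model_dev dev = { .refcnt = 1 };
    struct model_sock sk = { .hdev = &dev, .linked = 1 };

    model_sock_release(&sk, read_early);
    return dev.refcnt;
}

int main(void)
{
    printf("early read: %d, read after unlink: %d\n", final_refcnt(1), final_refcnt(0));
    return 0;
}
```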