Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2998950pxb;
        Tue, 13 Apr 2021 16:01:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJx/+H7TFeO+R41oVSVR1/XqN9lWzM61GjMeq59o1aWZIRScVpU5Sa4b/P6q8ckW+4Sd3qBB
X-Received: by 2002:a17:902:7c8a:b029:e6:f010:a4f4 with SMTP id y10-20020a1709027c8ab02900e6f010a4f4mr34209317pll.17.1618354896090;
        Tue, 13 Apr 2021 16:01:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618354896; cv=none;
        d=google.com; s=arc-20160816;
        b=qp9dq6nz+X7HbbXAukzIXOsk4La+6IMvrX4OV9R+sV0VjIaoD0KF+9qsUofMJ4M7rj
         ZVaBYGDcHYu2xGAdrk6Ev8kj/6aK8+afIBADHVQzAYQZ3KxlluXg5I3RGtmd3ZsoYl0U
         n+vlqawCrFU0d7LjFp+3f7u13Sgz+28Rf6RBb6aD6o83U3u4FddHmNTFbPZLW4gcRVZL
         Kq226TQ+u3R+tZzi8mxtRzG2hPMZ8VOn1kia1XNE1BhTd6KP3tR8Y6pl3AOHCYhqga5u
         1kfnn80jomezMB3Op+ezNjjPhFBUznkzIrl07eh/YklioRyBXBHG6PPaW400cCl5XKJ9
         2b2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version;
        bh=/RBRuxPTcwYoqeU9Iz+xHjKOjmlhiLvNKM5bgF3kq5g=;
        b=BzBqLqO01zaaSd4hoWjwynxSE7x2audTqK63FsS9B/ayBTDTjvxCSH8wawCPejhHRC
         KnD8auwSS3ArOaFm3f3Zdq16fguuwevyBCpR7VoEaTuI4UGt8bzYckmtE7y7eQDfkIFW
         U29FMscX3xgz0QHaoVFa9aI9zaTrwLWfImjq3mbBBJlupYafKMEJEuxLtJaxmKBc2BX0
         Y1diwuZgBeG1XR3HqCUiYnehfJC/rzkQXqU1YIu56nFG4FeFhJjCZ8ozinmhN4P9Ob6p
         OQQAeSDeoG3ZsPKScdbPm8LhT286IYOunx97n2WiUlTlEn3pOoj0QYr6n9ARYBwXmhMF
         g60w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n3si653388pjo.2.2021.04.13.16.01.06;
        Tue, 13 Apr 2021 16:01:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229690AbhDMSlK (ORCPT <rfc822;mail2rakeshmkos@gmail.com>
        + 99 others); Tue, 13 Apr 2021 14:41:10 -0400
Received: from coyote.holtmann.net ([212.227.132.17]:56536 "EHLO
        mail.holtmann.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229623AbhDMSlJ (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Tue, 13 Apr 2021 14:41:09 -0400
Received: from marcel-macbook.holtmann.net (p5b3d235a.dip0.t-ipconnect.de [91.61.35.90])
        by mail.holtmann.org (Postfix) with ESMTPSA id 20EA6CECCC;
        Tue, 13 Apr 2021 20:48:30 +0200 (CEST)
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Subject: Re: [PATCH] net: bluetooth: cmtp: fix file refcount when
 cmtp_attach_device fails
From:   Marcel Holtmann <marcel@holtmann.org>
In-Reply-To: <20210413162103.435467-1-cascardo@canonical.com>
Date:   Tue, 13 Apr 2021 20:40:45 +0200
Cc:     "open list:BLUETOOTH DRIVERS" <linux-bluetooth@vger.kernel.org>,
        netdev <netdev@vger.kernel.org>,
        Jakub Kicinski <kuba@kernel.org>,
        "David S. Miller" <davem@davemloft.net>, isdn@linux-pingi.de,
        Johan Hedberg <johan.hedberg@gmail.com>,
        Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Content-Transfer-Encoding: 7bit
Message-Id: <0E9D2620-A821-410F-9DED-4465568F6701@holtmann.org>
References: <20210413162103.435467-1-cascardo@canonical.com>
To:     Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Thadeu,

> When cmtp_attach_device fails, cmtp_add_connection returns the error value
> which leads to the caller to doing fput through sockfd_put. But
> cmtp_session kthread, which is stopped in this path will also call fput,
> leading to a potential refcount underflow or a use-after-free.
> 
> Add a refcount before we signal the kthread to stop. The kthread will try
> to grab the cmtp_session_sem mutex before doing the fput, which is held
> when get_file is called, so there should be no races there.
> 
> Reported-by: Ryota Shiga
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
> net/bluetooth/cmtp/core.c | 5 +++++
> 1 file changed, 5 insertions(+)

Patch has been applied to bluetooth-next tree.

Regards

Marcel