Subject: Re: [PATCH 1/2] Bluetooth: call sock_hold earlier in sco_conn_del
From: Marcel Holtmann
To: Desmond Cheong Zhi Xi
Cc: Johan Hedberg, Luiz Augusto von Dentz, "David S. Miller", Jakub Kicinski, linux-bluetooth, "open list:NETWORKING [GENERAL]", open list, eric.dumazet@gmail.com
Date: Fri, 10 Sep 2021 09:36:25 +0200
In-Reply-To: <20210903031306.78292-2-desmondcheongzx@gmail.com>
References: <20210903031306.78292-1-desmondcheongzx@gmail.com> <20210903031306.78292-2-desmondcheongzx@gmail.com>
Message-Id: <7AEB2618-111A-45F4-8C00-CF40FCBE92EC@holtmann.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Desmond,

> In sco_conn_del, conn->sk is read while holding on to the
> sco_conn.lock to avoid races with a socket that could be released
> concurrently.
>
> However, in between unlocking sco_conn.lock and calling sock_hold,
> it's possible for the socket to be freed, which would cause a
> use-after-free write when sock_hold is finally called.
>
> To fix this, the reference count of the socket should be increased
> while the sco_conn.lock is still held.
>
> Signed-off-by: Desmond Cheong Zhi Xi
> ---
> net/bluetooth/sco.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index b62c91c627e2..4a057f99b60a 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> /* Kill socket */
> sco_conn_lock(conn);
> sk = conn->sk;

please add a comment here on why we are doing it.

> + if (sk)
> + sock_hold(sk);
> sco_conn_unlock(conn);
>
> if (sk) {
> - sock_hold(sk);
> lock_sock(sk);
> sco_sock_clear_timer(sk);
> sco_chan_del(sk, err);

Regards

Marcel
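Review bot: the hunk still lacks the explanatory comment Marcel asks for above `> + if (sk)`; suggest one stating that the reference must be taken while sco_conn.lock is held because, once the lock is dropped, the socket that conn->sk pointed to can be freed before sock_hold runs (the use-after-free the commit message describes). It would also help to note that the second `if (sk)` after `> sco_conn_unlock(conn);` tests the local copy, which stays valid only because of the reference taken under the lock, and, since the hunk does not show where that reference is released, to confirm that the matching sock_put is still reached on every path through the `if (sk)` block now that `- sock_hold(sk);` has moved out of it.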