Bluetooth: call sock_hold earlier in sco_conn_del - linux-dev - Linux kernel development work

diff options

author	Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>	2021-09-02 23:13:05 -0400
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2021-09-03 16:33:10 -0700
commit	f4712fa993f688d0a48e0c28728fcdeb88c1ea58 (patch)
tree	6f30a1ac4fa8340bf868fe7111dac0b876399087 /include/net/bluetooth/hci_core.h
parent	Bluetooth: btusb: Add support for IMC Networks Mediatek Chip(MT7921) (diff)
download	linux-dev-f4712fa993f688d0a48e0c28728fcdeb88c1ea58.tar.xz linux-dev-f4712fa993f688d0a48e0c28728fcdeb88c1ea58.zip

Bluetooth: call sock_hold earlier in sco_conn_del

In sco_conn_del, conn->sk is read while holding on to the sco_conn.lock to avoid races with a socket that could be released concurrently. However, in between unlocking sco_conn.lock and calling sock_hold, it's possible for the socket to be freed, which would cause a use-after-free write when sock_hold is finally called. To fix this, the reference count of the socket should be increased while the sco_conn.lock is still held. Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Diffstat (limited to 'include/net/bluetooth/hci_core.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: