Message ID | 20210413162103.435467-1-cascardo@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Series | net: bluetooth: cmtp: fix file refcount when cmtp_attach_device fails |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=466489

---Test result---

##############################
Test: CheckPatch - FAIL
net: bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
ERROR: Unrecognized email address: 'Ryota Shiga'
#16:
Reported-by: Ryota Shiga

total: 1 errors, 0 warnings, 0 checks, 11 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

"[PATCH] net: bluetooth: cmtp: fix file refcount when" has style problems, please review.

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.

##############################
Test: CheckGitLint - PASS

##############################
Test: CheckBuildK - PASS

##############################
Test: CheckTestRunner: Setup - PASS

##############################
Test: CheckTestRunner: l2cap-tester - PASS
Total: 40, Passed: 34 (85.0%), Failed: 0, Not Run: 6

##############################
Test: CheckTestRunner: bnep-tester - PASS
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: mgmt-tester - PASS
Total: 416, Passed: 402 (96.6%), Failed: 0, Not Run: 14

##############################
Test: CheckTestRunner: rfcomm-tester - PASS
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: sco-tester - PASS
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: smp-tester - PASS
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: CheckTestRunner: userchan-tester - PASS
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0

---
Regards,
Linux Bluetooth
Hi Thadeu,

> When cmtp_attach_device fails, cmtp_add_connection returns the error value
> which leads to the caller to doing fput through sockfd_put. But
> cmtp_session kthread, which is stopped in this path will also call fput,
> leading to a potential refcount underflow or a use-after-free.
>
> Add a refcount before we signal the kthread to stop. The kthread will try
> to grab the cmtp_session_sem mutex before doing the fput, which is held
> when get_file is called, so there should be no races there.
>
> Reported-by: Ryota Shiga
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
> net/bluetooth/cmtp/core.c | 5 +++++
> 1 file changed, 5 insertions(+)

Patch has been applied to bluetooth-next tree.

Regards

Marcel
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c index 07cfa3249f83..0a2d78e811cf 100644 --- a/net/bluetooth/cmtp/core.c +++ b/net/bluetooth/cmtp/core.c @@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) if (!(session->flags & BIT(CMTP_LOOPBACK))) { err = cmtp_attach_device(session); if (err < 0) { + /* Caller will call fput in case of failure, and so + * will cmtp_session kthread. + */ + get_file(session->sock->file); + atomic_inc(&session->terminate); wake_up_interruptible(sk_sleep(session->sock->sk)); up_write(&cmtp_session_sem);
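Review bot: The comment added above get_file(session->sock->file) in the err < 0 branch records that both the caller and the cmtp_session kthread will call fput, but not why taking the extra reference at this point is race-free. The commit message gives the reason: the kthread takes cmtp_session_sem before its fput, and that semaphore is still held here, since up_write(&cmtp_session_sem) only comes after the wake-up. Consider adding that to the comment, so that a later change that moves get_file below up_write, or drops the lock earlier in this error path, is recognised as reopening the refcount underflow.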
When cmtp_attach_device fails, cmtp_add_connection returns the error value
which leads to the caller to doing fput through sockfd_put. But
cmtp_session kthread, which is stopped in this path will also call fput,
leading to a potential refcount underflow or a use-after-free.

Add a refcount before we signal the kthread to stop. The kthread will try
to grab the cmtp_session_sem mutex before doing the fput, which is held
when get_file is called, so there should be no races there.

Reported-by: Ryota Shiga
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
net/bluetooth/cmtp/core.c | 5 +++++
1 file changed, 5 insertions(+)