| Message ID | 20210413162103.435467-1-cascardo@canonical.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net: bluetooth: cmtp: fix file refcount when cmtp_attach_device fails | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 9 of 9 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | fail | ERROR: Unrecognized email address: 'Ryota Shiga' |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
Hi Thadeu, > When cmtp_attach_device fails, cmtp_add_connection returns the error value > which leads to the caller to doing fput through sockfd_put. But > cmtp_session kthread, which is stopped in this path will also call fput, > leading to a potential refcount underflow or a use-after-free. > > Add a refcount before we signal the kthread to stop. The kthread will try > to grab the cmtp_session_sem mutex before doing the fput, which is held > when get_file is called, so there should be no races there. > > Reported-by: Ryota Shiga > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/bluetooth/cmtp/core.c | 5 +++++ > 1 file changed, 5 insertions(+) Patch has been applied to bluetooth-next tree. Regards Marcel
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c index 07cfa3249f83..0a2d78e811cf 100644 --- a/net/bluetooth/cmtp/core.c +++ b/net/bluetooth/cmtp/core.c @@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) if (!(session->flags & BIT(CMTP_LOOPBACK))) { err = cmtp_attach_device(session); if (err < 0) { + /* Caller will call fput in case of failure, and so + * will cmtp_session kthread. + */ + get_file(session->sock->file); + atomic_inc(&session->terminate); wake_up_interruptible(sk_sleep(session->sock->sk)); up_write(&cmtp_session_sem);
When cmtp_attach_device fails, cmtp_add_connection returns the error value which leads to the caller to doing fput through sockfd_put. But cmtp_session kthread, which is stopped in this path will also call fput, leading to a potential refcount underflow or a use-after-free. Add a refcount before we signal the kthread to stop. The kthread will try to grab the cmtp_session_sem mutex before doing the fput, which is held when get_file is called, so there should be no races there. Reported-by: Ryota Shiga Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> --- net/bluetooth/cmtp/core.c | 5 +++++ 1 file changed, 5 insertions(+)