Linux 4.9.166

[thirdparty/kernel/stable-queue.git] / queue-4.14 / bluetooth-fix-decrementing-reference-count-twice-in-releasing-socket.patch

From e20a2e9c42c9e4002d9e338d74e7819e88d77162 Mon Sep 17 00:00:00 2001
From: Myungho Jung <mhjungk@gmail.com>
Date: Sat, 2 Feb 2019 16:56:36 -0800
Subject: Bluetooth: Fix decrementing reference count twice in releasing socket

From: Myungho Jung <mhjungk@gmail.com>

commit e20a2e9c42c9e4002d9e338d74e7819e88d77162 upstream.

When releasing socket, it is possible to enter hci_sock_release() and
hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
The reference count of hdev should be decremented only once from one of
them but if storing hdev to local variable in hci_sock_release() before
detached from socket and setting to NULL in hci_sock_dev_event(),
hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
referencing hdev from socket after bt_sock_unlink() in
hci_sock_release().

Reported-by: syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/hci_sock.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -826,8 +826,6 @@ static int hci_sock_release(struct socke
        if (!sk)
                return 0;
 
-       hdev = hci_pi(sk)->hdev;
-
        switch (hci_pi(sk)->channel) {
        case HCI_CHANNEL_MONITOR:
                atomic_dec(&monitor_promisc);
@@ -849,6 +847,7 @@ static int hci_sock_release(struct socke
 
        bt_sock_unlink(&hci_sk_list, sk);
 
+       hdev = hci_pi(sk)->hdev;
        if (hdev) {
                if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
                        /* When releasing a user channel exclusive access,