git.ipfire.org Git - thirdparty/linux.git/commit

author	Pauli Virtanen <pav@iki.fi>
	Sat, 18 Apr 2026 15:41:12 +0000 (18:41 +0300)
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Wed, 6 May 2026 20:21:25 +0000 (16:21 -0400)
commit	4e37f6452d586b95c346a9abdd2fb80b67794f39
tree	132ad649148c0e11b69a5de91082f05f46244dcd	tree \| snapshot
parent	0a120d96166301d7a95be75b52f843837dbd1219	commit \| diff

Bluetooth: SCO: hold sk properly in sco_conn_ready

sk deref in sco_conn_ready must be done either under conn->lock, or
holding a refcount, to avoid concurrent close. conn->sk and parent sk is
currently accessed without either, and without checking parent->sk_state:

    [Task 1]            [Task 2]
                        sco_sock_release
    sco_conn_ready
      sk = conn->sk
                          lock_sock(sk)
                            conn->sk = NULL
      lock_sock(sk)
                          release_sock(sk)
                          sco_sock_kill(sk)
       UAF on sk deref

and similarly for access to sco_get_sock_listen() return value.

Fix possible UAF by holding sk refcount in sco_conn_ready() and making
sco_get_sock_listen() increase refcount. Also recheck after lock_sock
that the socket is still valid.  Adjust conn->sk locking so it's
protected also by lock_sock() of the associated socket if any.

Fixes: 27c24fda62b60 ("Bluetooth: switch to lock_sock in SCO")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>