tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Bluetooth: SCO: fix race conditions in sco_sock_connect()

sco_sock_connect() checks sk_state and sk_type without holding
the socket lock. Two concurrent connect() syscalls on the same
socket can both pass the check and enter sco_connect(), leading
to use-after-free.

The buggy scenario involves three participants and was confirmed
with additional logging instrumentation:

Thread A (connect): HCI disconnect: Thread B (connect):

sco_sock_connect(sk) sco_sock_connect(sk)
sk_state==BT_OPEN sk_state==BT_OPEN
(pass, no lock) (pass, no lock)
sco_connect(sk): sco_connect(sk):
hci_dev_lock hci_dev_lock
hci_connect_sco <- blocked
-> hcon1
sco_conn_add->conn1
lock_sock(sk)
sco_chan_add:
conn1->sk = sk
sk->conn = conn1
sk_state=BT_CONNECT
release_sock
hci_dev_unlock
hci_dev_lock
sco_conn_del:
lock_sock(sk)
sco_chan_del:
sk->conn=NULL
conn1->sk=NULL
sk_state=
BT_CLOSED
SOCK_ZAPPED
release_sock
hci_dev_unlock
(unblocked)
hci_connect_sco
-> hcon2
sco_conn_add
-> conn2
lock_sock(sk)
sco_chan_add:
sk->conn=conn2
sk_state=
BT_CONNECT
// zombie sk!
release_sock
hci_dev_unlock

Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to
BT_CONNECT. Subsequent cleanup triggers double sock_put() and
use-after-free. Meanwhile conn1 is leaked as it was orphaned
when sco_conn_del() cleared the association.

Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in
sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually
return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock()
to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent
double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent
HCI connection leaks

Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

authored by

Cen Zhang and committed by
Luiz Augusto von Dentz 8a5b0135 a834a0b6

+23 -7
+23 -7
net/bluetooth/sco.c
··· 298 298 int err = 0; 299 299 300 300 sco_conn_lock(conn); 301 - if (conn->sk) 301 + if (conn->sk || sco_pi(sk)->conn) 302 302 err = -EBUSY; 303 303 else 304 304 __sco_chan_add(conn, sk, parent); ··· 353 353 354 354 lock_sock(sk); 355 355 356 + /* Recheck state after reacquiring the socket lock, as another 357 + * thread may have changed it (e.g., closed the socket). 358 + */ 359 + if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { 360 + release_sock(sk); 361 + hci_conn_drop(hcon); 362 + err = -EBADFD; 363 + goto unlock; 364 + } 365 + 356 366 err = sco_chan_add(conn, sk, NULL); 357 367 if (err) { 358 368 release_sock(sk); 369 + hci_conn_drop(hcon); 359 370 goto unlock; 360 371 } 361 372 ··· 667 656 addr->sa_family != AF_BLUETOOTH) 668 657 return -EINVAL; 669 658 670 - if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) 671 - return -EBADFD; 672 - 673 - if (sk->sk_type != SOCK_SEQPACKET) 674 - err = -EINVAL; 675 - 676 659 lock_sock(sk); 660 + 661 + if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { 662 + release_sock(sk); 663 + return -EBADFD; 664 + } 665 + 666 + if (sk->sk_type != SOCK_SEQPACKET) { 667 + release_sock(sk); 668 + return -EINVAL; 669 + } 670 + 677 671 /* Set destination address and psm */ 678 672 bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr); 679 673 release_sock(sk);