* [PATCH] Bluetooth: Fix decrementing reference count twice in releasing socket
@ 2019-02-03 0:56 Myungho Jung
2019-02-04 14:53 ` Marcel Holtmann
0 siblings, 1 reply; 2+ messages in thread
From: Myungho Jung @ 2019-02-03 0:56 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, David S. Miller
Cc: linux-bluetooth, netdev, linux-kernel
When releasing socket, it is possible to enter hci_sock_release() and
hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
The reference count of hdev should be decremented only once from one of
them but if storing hdev to local variable in hci_sock_release() before
detached from socket and setting to NULL in hci_sock_dev_event(),
hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
referencing hdev from socket after bt_sock_unlink() in
hci_sock_release().
Reported-by: syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
---
net/bluetooth/hci_sock.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 1506e1632394..d4e2a166ae17 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -831,8 +831,6 @@ static int hci_sock_release(struct socket *sock)
if (!sk)
return 0;
- hdev = hci_pi(sk)->hdev;
-
switch (hci_pi(sk)->channel) {
case HCI_CHANNEL_MONITOR:
atomic_dec(&monitor_promisc);
@@ -854,6 +852,7 @@ static int hci_sock_release(struct socket *sock)
bt_sock_unlink(&hci_sk_list, sk);
+ hdev = hci_pi(sk)->hdev;
if (hdev) {
if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
/* When releasing a user channel exclusive access,
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] Bluetooth: Fix decrementing reference count twice in releasing socket
2019-02-03 0:56 [PATCH] Bluetooth: Fix decrementing reference count twice in releasing socket Myungho Jung
@ 2019-02-04 14:53 ` Marcel Holtmann
0 siblings, 0 replies; 2+ messages in thread
From: Marcel Holtmann @ 2019-02-04 14:53 UTC (permalink / raw)
To: Myungho Jung
Cc: Johan Hedberg, David S. Miller, linux-bluetooth, netdev, linux-kernel
Hi Myungho,
> When releasing socket, it is possible to enter hci_sock_release() and
> hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
> The reference count of hdev should be decremented only once from one of
> them but if storing hdev to local variable in hci_sock_release() before
> detached from socket and setting to NULL in hci_sock_dev_event(),
> hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
> referencing hdev from socket after bt_sock_unlink() in
> hci_sock_release().
>
> Reported-by: syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com
> Signed-off-by: Myungho Jung <mhjungk@gmail.com>
> ---
> net/bluetooth/hci_sock.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
patch has been applied to bluetooth-next tree.
Regards
Marcel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-02-04 14:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-03 0:56 [PATCH] Bluetooth: Fix decrementing reference count twice in releasing socket Myungho Jung
2019-02-04 14:53 ` Marcel Holtmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).