[RFC,5/5] Bluetooth: ISO: fix locking in iso_conn_ready

Message ID	b0eab0121b79c3cb5c1abae958cafd102440897b.1687525956.git.pav@iki.fi (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-bluetooth-owner@vger.kernel.org> sender: pav) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4QnkVK0RyXz49QK5; Fri, 23 Jun 2023 20:18:49 +0300 (EEST) From: Pauli Virtanen <pav@iki.fi> To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen <pav@iki.fi> Subject: [PATCH RFC 5/5] Bluetooth: ISO: fix locking in iso_conn_ready Date: Fri, 23 Jun 2023 20:18:42 +0300 Message-ID: <b0eab0121b79c3cb5c1abae958cafd102440897b.1687525956.git.pav@iki.fi> In-Reply-To: <cover.1687525956.git.pav@iki.fi> References: <cover.1687525956.git.pav@iki.fi> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	hci_conn and ISO concurrency fixes \| expand [RFC,0/5] hci_conn and ISO concurrency fixes [RFC,1/5] Bluetooth: hci_conn: add hci_conn_is_alive [RFC,2/5] Bluetooth: hci_sync: iterate conn_hash safely in hci_disconnect_all_sync [RFC,3/5] Bluetooth: hci_conn: hold ref while hci_connect_le_sync is pending [RFC,4/5] Bluetooth: ISO: fix use-after-free in __iso_sock_close [RFC,5/5] Bluetooth: ISO: fix locking in iso_conn_ready

Message ID

b0eab0121b79c3cb5c1abae958cafd102440897b.1687525956.git.pav@iki.fi (mailing list archive)

State

New, archived

Headers

From: Pauli Virtanen <pav@iki.fi>
To: linux-bluetooth@vger.kernel.org
Cc: Pauli Virtanen <pav@iki.fi>
Subject: [PATCH RFC 5/5] Bluetooth: ISO: fix locking in iso_conn_ready
Date: Fri, 23 Jun 2023 20:18:42 +0300
Message-ID: 
 <b0eab0121b79c3cb5c1abae958cafd102440897b.1687525956.git.pav@iki.fi>
In-Reply-To: <cover.1687525956.git.pav@iki.fi>
References: <cover.1687525956.git.pav@iki.fi>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

hci_conn and ISO concurrency fixes | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	success	Gitlint PASS
tedd_an/SubjectPrefix	success	Gitlint PASS
tedd_an/IncrementalBuild	success	Incremental Build PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

success

Gitlint PASS

tedd_an/SubjectPrefix

success

Gitlint PASS

tedd_an/IncrementalBuild

success

Incremental Build PASS

Commit Message

Pauli Virtanen June 23, 2023, 5:18 p.m. UTC

Getting conn->sk must sock_hold, otherwise the socket may be freed
concurrently.  Access to conn->hcon is safe when holding hdev->lock.

Fix the locking in iso_conn_ready to obey this.

Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
 net/bluetooth/iso.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index ea0209fb9872..c2045adbd7b6 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -179,6 +179,7 @@  static void iso_chan_del(struct sock *sk, int err)
 	sock_set_flag(sk, SOCK_ZAPPED);
 }
 
+/* Must hold hdev->lock */
 static void iso_conn_del(struct hci_conn *hcon, int err)
 {
 	struct iso_conn *conn = hcon->iso_data;
@@ -1547,19 +1548,23 @@  static bool iso_match_big(struct sock *sk, void *data)
 static void iso_conn_ready(struct iso_conn *conn)
 {
 	struct sock *parent;
-	struct sock *sk = conn->sk;
+	struct sock *sk;
 	struct hci_ev_le_big_sync_estabilished *ev;
 	struct hci_conn *hcon;
 
 	BT_DBG("conn %p", conn);
 
-	if (sk) {
-		iso_sock_ready(conn->sk);
-	} else {
-		hcon = conn->hcon;
-		if (!hcon)
-			return;
+	iso_conn_lock(conn);
+	hcon = conn->hcon;
+	sk = conn->sk;
+	if (sk)
+		sock_hold(sk);
+	iso_conn_unlock(conn);
 
+	if (sk) {
+		iso_sock_ready(sk);
+		sock_put(sk);
+	} else if (hcon) {
 		ev = hci_recv_event_data(hcon->hdev,
 					 HCI_EVT_LE_BIG_SYNC_ESTABILISHED);
 		if (ev)