* [PATCH] Bluetooth: SCO: hold sk properly in sco_conn_ready
@ 2026-04-18 15:41 Pauli Virtanen
2026-04-18 16:32 ` bluez.test.bot
2026-04-20 21:59 ` [PATCH] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Pauli Virtanen @ 2026-04-18 15:41 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
sk deref in sco_conn_ready must be done either under conn->lock, or
holding a refcount, to avoid concurrent close. conn->sk and parent sk is
currently accessed without either, and without checking parent->sk_state:
[Task 1] [Task 2]
sco_sock_release
sco_conn_ready
sk = conn->sk
lock_sock(sk)
conn->sk = NULL
lock_sock(sk)
release_sock(sk)
sco_sock_kill(sk)
UAF on sk deref
and similarly for access to sco_get_sock_listen() return value.
Fix possible UAF by holding sk refcount in sco_conn_ready() and making
sco_get_sock_listen() increase refcount. Also recheck after lock_sock
that the socket is still valid. Adjust conn->sk locking so it's
protected also by lock_sock() of the associated socket if any.
Fixes: 27c24fda62b60 ("Bluetooth: switch to lock_sock in SCO")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
There's still several known race conditions in sco.c, if you look at the
sco_conn_put/free and hcon->sco_data access. A redesign could make these
locking issues simpler:
https://lore.kernel.org/all/5ac8c40b96052cb320c4ee1083d37818ac5d90cc.1776025103.git.pav@iki.fi/
net/bluetooth/sco.c | 44 ++++++++++++++++++++++++++++++++------------
1 file changed, 32 insertions(+), 12 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 3a5479538e85..eba44525d41d 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -472,9 +472,13 @@ static struct sock *sco_get_sock_listen(bdaddr_t *src)
sk1 = sk;
}
+ sk = sk ? sk : sk1;
+ if (sk)
+ sock_hold(sk);
+
read_unlock(&sco_sk_list.lock);
- return sk ? sk : sk1;
+ return sk;
}
static void sco_sock_destruct(struct sock *sk)
@@ -515,11 +519,13 @@ static void sco_sock_kill(struct sock *sk)
BT_DBG("sk %p state %d", sk, sk->sk_state);
/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+ lock_sock(sk);
if (sco_pi(sk)->conn) {
sco_conn_lock(sco_pi(sk)->conn);
sco_pi(sk)->conn->sk = NULL;
sco_conn_unlock(sco_pi(sk)->conn);
}
+ release_sock(sk);
/* Kill poor orphan */
bt_sock_unlink(&sco_sk_list, sk);
@@ -1365,17 +1371,28 @@ static int sco_sock_release(struct socket *sock)
static void sco_conn_ready(struct sco_conn *conn)
{
- struct sock *parent;
- struct sock *sk = conn->sk;
+ struct sock *parent, *sk;
+
+ sco_conn_lock(conn);
+ sk = sco_sock_hold(conn);
+ sco_conn_unlock(conn);
BT_DBG("conn %p", conn);
if (sk) {
lock_sock(sk);
- sco_sock_clear_timer(sk);
- sk->sk_state = BT_CONNECTED;
- sk->sk_state_change(sk);
+
+ /* conn->sk may have become NULL if racing with sk close, but
+ * due to held hdev->lock, it can't become different sk.
+ */
+ if (conn->sk) {
+ sco_sock_clear_timer(sk);
+ sk->sk_state = BT_CONNECTED;
+ sk->sk_state_change(sk);
+ }
+
release_sock(sk);
+ sock_put(sk);
} else {
if (!conn->hcon)
return;
@@ -1390,13 +1407,15 @@ static void sco_conn_ready(struct sco_conn *conn)
sco_conn_lock(conn);
+ /* hdev->lock guarantees conn->sk == NULL still here */
+
+ if (parent->sk_state != BT_LISTEN)
+ goto release;
+
sk = sco_sock_alloc(sock_net(parent), NULL,
BTPROTO_SCO, GFP_ATOMIC, 0);
- if (!sk) {
- sco_conn_unlock(conn);
- release_sock(parent);
- return;
- }
+ if (!sk)
+ goto release;
sco_sock_init(sk, parent);
@@ -1415,9 +1434,10 @@ static void sco_conn_ready(struct sco_conn *conn)
/* Wake up parent */
parent->sk_data_ready(parent);
+release:
sco_conn_unlock(conn);
-
release_sock(parent);
+ sock_put(parent);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: Bluetooth: SCO: hold sk properly in sco_conn_ready
2026-04-18 15:41 [PATCH] Bluetooth: SCO: hold sk properly in sco_conn_ready Pauli Virtanen
@ 2026-04-18 16:32 ` bluez.test.bot
2026-04-20 21:59 ` [PATCH] " patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-04-18 16:32 UTC (permalink / raw)
To: linux-bluetooth, pav
[-- Attachment #1: Type: text/plain, Size: 1620 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1082810
---Test result---
Test Summary:
CheckPatch PASS 1.09 seconds
GitLint FAIL 0.21 seconds
SubjectPrefix PASS 0.08 seconds
BuildKernel PASS 19.32 seconds
CheckAllWarning PASS 21.47 seconds
CheckSparse PASS 20.40 seconds
BuildKernel32 PASS 19.05 seconds
TestRunnerSetup PASS 407.53 seconds
TestRunner_sco-tester PASS 11.98 seconds
IncrementalBuild PASS 20.21 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: SCO: hold sk properly in sco_conn_ready
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
32: B2 Line has trailing whitespace: " "
33: B1 Line exceeds max length (99>80): " https://lore.kernel.org/all/5ac8c40b96052cb320c4ee1083d37818ac5d90cc.1776025103.git.pav@iki.fi/"
https://github.com/bluez/bluetooth-next/pull/103
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: SCO: hold sk properly in sco_conn_ready
2026-04-18 15:41 [PATCH] Bluetooth: SCO: hold sk properly in sco_conn_ready Pauli Virtanen
2026-04-18 16:32 ` bluez.test.bot
@ 2026-04-20 21:59 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-04-20 21:59 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sat, 18 Apr 2026 18:41:12 +0300 you wrote:
> sk deref in sco_conn_ready must be done either under conn->lock, or
> holding a refcount, to avoid concurrent close. conn->sk and parent sk is
> currently accessed without either, and without checking parent->sk_state:
>
> [Task 1] [Task 2]
> sco_sock_release
> sco_conn_ready
> sk = conn->sk
> lock_sock(sk)
> conn->sk = NULL
> lock_sock(sk)
> release_sock(sk)
> sco_sock_kill(sk)
> UAF on sk deref
>
> [...]
Here is the summary with links:
- Bluetooth: SCO: hold sk properly in sco_conn_ready
https://git.kernel.org/bluetooth/bluetooth-next/c/fa7a2842af06
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-20 22:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-18 15:41 [PATCH] Bluetooth: SCO: hold sk properly in sco_conn_ready Pauli Virtanen
2026-04-18 16:32 ` bluez.test.bot
2026-04-20 21:59 ` [PATCH] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox