Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
mainline inclusion
from mainline-v5.14-rc1
commit 3cfdf8fc
category: bugfix
bugzilla: NA
CVE: CVE-2021-34981

-------------------------------------------------

When cmtp_attach_device fails, cmtp_add_connection returns the error value, which leads the caller to do fput through sockfd_put. But the cmtp_session kthread, which is stopped in this path, will also call fput, leading to a potential refcount underflow or a use-after-free.

Add a refcount before we signal the kthread to stop. The kthread will try to grab the cmtp_session_sem mutex before doing the fput, which is held when get_file is called, so there should be no races there.

Reported-by: Ryota Shiga
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: weiyang wang <wangweiyang2@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
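The double-drop pattern the commit message describes, as an added, constructed model that is not the kernel's cmtp code: a toy `struct file` with a counter stands in for the real file refcount, `cmtp_session_exit` stands in for the kthread's fput on exit, and `add_connection_fail` mirrors the failure path with and without the extra `get_file` the fix adds. Function and field names other than those in the commit message are assumptions of this model.

```c
#include <stdio.h>

/* Constructed model of the CVE-2021-34981 refcount bug. It is NOT the
 * kernel's cmtp code; it only reproduces the pattern from the commit
 * message: on cmtp_attach_device failure, both the stopped session
 * kthread and the caller (via sockfd_put) drop a reference on the same
 * socket file. */

struct file { int refcount; };          /* stand-in for the real f_count */

static void get_file(struct file *f) { f->refcount++; }

/* Returns the count after the drop; a negative result is the underflow
 * that, in the real kernel, precedes a use-after-free. */
static int fput(struct file *f) { return --f->refcount; }

/* Stand-in for the cmtp_session kthread's exit path, which always drops
 * one reference on the socket file when it is stopped. */
static int cmtp_session_exit(struct file *sock) { return fput(sock); }

/* Model of cmtp_add_connection after cmtp_attach_device has failed.
 * `fixed` selects whether the kthread is handed its own reference (the
 * commit's get_file before signalling it to stop). Returns the final
 * refcount after the caller's sockfd_put(). */
static int add_connection_fail(int fixed)
{
    struct file sock = { .refcount = 1 };   /* caller's single reference */

    if (fixed)
        get_file(&sock);        /* fix: one reference per eventual fput */
    cmtp_session_exit(&sock);   /* kthread_stop(): session drops a ref  */
    return fput(&sock);         /* caller's sockfd_put()                */
}

int main(void)
{
    printf("unfixed: final refcount %d (underflow)\n", add_connection_fail(0));
    printf("fixed:   final refcount %d (balanced)\n",  add_connection_fail(1));
    return 0;
}
```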