Commit e1633762 authored by Dean Jenkins's avatar Dean Jenkins Committed by Marcel Holtmann

Bluetooth: Handle bt_accept_enqueue() socket atomically

There is a small risk that bt_accept_unlink() runs concurrently with
bt_accept_enqueue() on the same socket. This scenario could potentially
lead to a NULL pointer dereference of the socket's parent member because
the socket can be on the list but the socket's parent member is not yet
updated by bt_accept_enqueue().

Therefore, add socket locking inside bt_accept_enqueue() so that the
socket is added to the list AND the parent's socket address is set in the
socket's parent member. The socket locking ensures that the socket is on
the list with a valid non-NULL parent member.
Signed-off-by: default avatarDean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 45984856
...@@ -159,8 +159,10 @@ void bt_accept_enqueue(struct sock *parent, struct sock *sk) ...@@ -159,8 +159,10 @@ void bt_accept_enqueue(struct sock *parent, struct sock *sk)
BT_DBG("parent %p, sk %p", parent, sk); BT_DBG("parent %p, sk %p", parent, sk);
sock_hold(sk); sock_hold(sk);
lock_sock(sk);
list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q); list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
bt_sk(sk)->parent = parent; bt_sk(sk)->parent = parent;
release_sock(sk);
parent->sk_ack_backlog++; parent->sk_ack_backlog++;
} }
EXPORT_SYMBOL(bt_accept_enqueue); EXPORT_SYMBOL(bt_accept_enqueue);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment