This patch is intended to fix the race condition between two 'sco_connect()' calls, where two instances of 'struct sco_conn' are erroneously set up to share the pointer to the same 'struct sock'. When one of the connections goes away, it destroys an underlying socket as well, leaving dangling pointer to destroyed socket within another. Next, if the latter (alive) connection enters 'sco_sock_timeout()', an attempt to do 'lock_sock()' on a destroyed socket causes use-after-free write reported by KASAN at https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465. Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx> --- net/bluetooth/sco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 43daf965a01e..f8e5e4c3420f 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -228,7 +228,7 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk, int err = 0; sco_conn_lock(conn); - if (conn->sk) + if (conn->sk || sco_pi(sk)->conn) err = -EBUSY; else __sco_chan_add(conn, sk, parent); -- 2.44.0
