Hi Desmond,

> In sco_conn_del, conn->sk is read while holding on to the
> sco_conn.lock to avoid races with a socket that could be released
> concurrently.
>
> However, in between unlocking sco_conn.lock and calling sock_hold,
> it's possible for the socket to be freed, which would cause a
> use-after-free write when sock_hold is finally called.
>
> To fix this, the reference count of the socket should be increased
> while the sco_conn.lock is still held.
>
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@xxxxxxxxx>
> ---
> net/bluetooth/sco.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index b62c91c627e2..4a057f99b60a 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
> /* Kill socket */
> sco_conn_lock(conn);
> sk = conn->sk;

please add a comment here on why we are doing it.

> + if (sk)
> + sock_hold(sk);
> sco_conn_unlock(conn);
>
> if (sk) {
> - sock_hold(sk);
> lock_sock(sk);
> sco_sock_clear_timer(sk);
> sco_chan_del(sk, err);

Regards

Marcel
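Review bot: the sock_put() that balances the sock_hold() now taken under sco_conn_lock() is outside the visible context of this hunk, so please confirm that the reference is still dropped on every path after sco_chan_del(sk, err); the hold has moved earlier but the release site is unchanged by the diff, and an unbalanced hold would leak the socket instead of freeing it early. The comment requested above should also spell out the invariant this relies on, namely that the socket release path clears conn->sk under the same sco_conn lock, so a non-NULL sk observed under the lock cannot reach its final put before sock_hold(sk) runs; that is what makes the hold-before-unlock ordering sufficient and what a future reader needs in order not to reintroduce the race by moving the sock_hold() back below sco_conn_unlock(conn).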