summaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorDean Jenkins <Dean_Jenkins@mentor.com>2017-03-10 11:34:45 +0000
committerMarcel Holtmann <marcel@holtmann.org>2017-04-12 22:02:37 +0200
commite163376220169170f3945703a600083f1792aaf8 (patch)
tree34b3f419909496745a134784e442b117d2cd87df /net/bluetooth
parent459848564f5186bf033a5c1cc33c2cb3b284066e (diff)
downloadlinux-e163376220169170f3945703a600083f1792aaf8.tar.gz
linux-e163376220169170f3945703a600083f1792aaf8.tar.bz2
linux-e163376220169170f3945703a600083f1792aaf8.zip
Bluetooth: Handle bt_accept_enqueue() socket atomically
There is a small risk that bt_accept_unlink() runs concurrently with bt_accept_enqueue() on the same socket. This scenario could potentially lead to a NULL pointer dereference of the socket's parent member because the socket can be on the list but the socket's parent member is not yet updated by bt_accept_enqueue(). Therefore, add socket locking inside bt_accept_enqueue() so that the socket is added to the list AND the parent's socket address is set in the socket's parent member. The socket locking ensures that the socket is on the list with a valid non-NULL parent member. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/af_bluetooth.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 69e1f7d362a8..a374fd27b5e1 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -159,8 +159,10 @@ void bt_accept_enqueue(struct sock *parent, struct sock *sk)
BT_DBG("parent %p, sk %p", parent, sk);
sock_hold(sk);
+ lock_sock(sk);
list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
bt_sk(sk)->parent = parent;
+ release_sock(sk);
parent->sk_ack_backlog++;
}
EXPORT_SYMBOL(bt_accept_enqueue);