From nobody Thu Apr 2 22:23:01 2026 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A8C3208D0 for ; Thu, 26 Mar 2026 12:49:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774529347; cv=none; b=kPQzWqM7S0Rtdrzyo4b9HyGXN4/2nZ5ij8DEdcA+hQXQAK70lz3NZZwy1JLANW/OlbQjKN/49STwpqlxnCccX0ENUJNB2pNjZWoi8n/8omUbDn6wSPAuD+Z/8R1DNjIGFVZnQXaiqQ1UalTFrCG65x4rTnZLOfbfFqCKYIIJhA0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774529347; c=relaxed/simple; bh=8has8JRxmDNwqbe5Rn9NFL/jk3QRhGwc9DpE42EKgJQ=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=OWm0wUbd0f8LyH93SdR9j6wFZocY3sGSu/vbvGP01lC8aGLz1axZU4b5hW2bXunWoPn2wWVkDUn+G7mtHhKjxNP7Q/XVNo3mY0PJY7K195kVusqHkU+7GZlTaMkWRiw9oVmuP2CUTKZmuel+38YY+2IHQCBXyYCAJ9ivIWVpTwA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=EcSBeYIW; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="EcSBeYIW" Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2ab46931cf1so15460065ad.0 for ; Thu, 26 Mar 2026 05:49:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1774529345; x=1775134145; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=LL5u+eySuwC4h9vk77ymZ7rOJb68kKa6ErC+eNN2nqE=; b=EcSBeYIWDjA1Wfk+xjsml0TI98YqjkxRuM7w45EFVH3H52/6QNbmNoxvzKxfH6o3t2 KHl3CbtrhKgGuKFjZT/4RXPL6rBhVLrjyQT8aiOZ2Ykd7Uf0GCmG/+efhyeFor8ypFJr eUydJETDDzFwOjY7YYU3Pn4fcReiX2vXA3ypwiqlugoZ8nDhwf74uJ9Ozo2J8h82ALAX S2czBBy5E6qT6eFdn+DvjtPfuVMrL+qgcVtahDLmDr0bZSfCSnbSoCbg5acIRlWUnYU5 qKy8qt2yULgsUq3W54wQ0jHLDLowpMzmHH5fwfTkd0jl7Z49sna179mEVg5Qq7cYYCfO 49qw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774529345; x=1775134145; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=LL5u+eySuwC4h9vk77ymZ7rOJb68kKa6ErC+eNN2nqE=; b=KO+L4+XXhB35YBLeGk6wpM++BgskOLwdmIV4r7TT53HTe8XGVt7Z7XN/1hM1CWY7eZ +6nIhT7cd86iK1JEKbboYmB0p0ihaC9zUnAmENdELfgb4w8U8tRV8t99F8y+tBmWw27g UQeXV6y3Cvg+b/H9fJVMfEt9OOveKIFlwSA37wfgaqAbxsi+2xWrMhFGJ4F/f1kl1N60 RqPsI/58x90hXO/yeX6nPV0RtLOMSOWiKwkAxnw3WnPcQx3goWMSeWFz9c/kFPbwhsA/ Z9TuG5vZ47LdDTH6I+RB+CIMu4SBFTxaIKWrv4CzjHaXBB07LP6CU4K8L3KeauYpHiLo md5A== X-Forwarded-Encrypted: i=1; AJvYcCVOFREHawYj+PS3Um6B+sXsCH9XKWaDVwMnqRhgGvM+ZuOjEJXXLZXlNJojhhbraNVibJK2Uhu0FTaRjxU=@vger.kernel.org X-Gm-Message-State: AOJu0YzshbPrRlobGrJ8Xe3YHJwz9KQgm13D7eEkPXb+j+CI7zNoYkNV Q8MFUcfBkMtvYMs4YTs2BxCcCb/LKNXkDRKc1B/xBzxqax3DyppAz1T5 X-Gm-Gg: ATEYQzyL96AYP9Rhhv8gs2YRDNcjJmli6xMnIE+nZaQeTdfQOIgYHHpi4OwNHcqV7+x YR/pzaKqJ0UTNA6jv6Tn068bLT0Vr9oZJb4pN+pMrq4WcuIZ/yoQRiM1Noc/U5SAlGr6tRE61dQ dqPrCh51mWH8cPp53TOyaL/I+XqdsSes1VbbKj21OxBuzppfJ81o7PpK6Elrxxuw8fBO1faHmJr kiLesfPQQUUoq8mFdACoAlHVEHTZBsjoyLRQSQ7NqdSZ5ce/X7zIM/TCqA7rtYYoL53rHZrHMkD 0wu0wdr3NbyeSzC2+KOo6ucwnVl68zQZ00ycZj/iCuwtSKuy70nWsTnxVU2LmJwRKTlGgjfUeOC U2z4DPoBkMxZ00qEczyC1yBFfDEoXdY1nJHyqG3Ii+KKwraW8akFQffyVj8WLjCAAPUzxGafwd0 n/SxJxB/mQZJq9in2Nzn3wEeH4AjND X-Received: by 2002:a17:902:ce05:b0:2ae:4d6b:b2c7 with SMTP id d9443c01a7336-2b0c4857d4cmr14315585ad.9.1774529344624; Thu, 26 Mar 2026 05:49:04 -0700 (PDT) Received: from localhost ([111.228.63.84]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b0bc8be006sm29673155ad.60.2026.03.26.05.47.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Mar 2026 05:49:04 -0700 (PDT) From: Cen Zhang To: marcel@holtmann.org, luiz.dentz@gmail.com Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Cen Zhang Subject: [PATCH] Bluetooth: SCO: fix race conditions in sco_sock_connect() Date: Thu, 26 Mar 2026 20:28:42 +0800 Message-Id: <20260326122842.13664-1-zzzccc427@gmail.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" sco_sock_connect() checks sk_state and sk_type without holding the socket lock, creating a TOCTOU race where two threads can both pass the state check and proceed to sco_connect() concurrently. This causes multiple issues: 1. Both threads create separate HCI and SCO connections 2. The second thread's sco_chan_add() overwrites sco_pi(sk)->conn, orphaning the first connection (memory/resource leak) 3. If the socket is closed between the state check and sco_connect()'s inner lock_sock(), the connect proceeds on a dead socket (UAF) Fix this by: - Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts - Fixing the sk_type !=3D SOCK_SEQPACKET check to actually return the error instead of just assigning it - Adding a state re-check in sco_connect() after lock_sock() to detect state changes during the lock gap - Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of the socket to multiple connections - Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking depende= ncy on sco_connect_cfm") Signed-off-by: Cen Zhang --- net/bluetooth/sco.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index e7db50165879..689788ad26a4 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -298,7 +298,7 @@ static int sco_chan_add(struct sco_conn *conn, struct s= ock *sk, int err =3D 0; =20 sco_conn_lock(conn); - if (conn->sk) + if (conn->sk || sco_pi(sk)->conn) err =3D -EBUSY; else __sco_chan_add(conn, sk, parent); @@ -353,9 +353,20 @@ static int sco_connect(struct sock *sk) =20 lock_sock(sk); =20 + /* Recheck state after reacquiring the socket lock, as another + * thread may have changed it (e.g., closed the socket). + */ + if (sk->sk_state !=3D BT_OPEN && sk->sk_state !=3D BT_BOUND) { + release_sock(sk); + hci_conn_drop(hcon); + err =3D -EBADFD; + goto unlock; + } + err =3D sco_chan_add(conn, sk, NULL); if (err) { release_sock(sk); + hci_conn_drop(hcon); goto unlock; } =20 @@ -652,13 +663,18 @@ static int sco_sock_connect(struct socket *sock, stru= ct sockaddr_unsized *addr, addr->sa_family !=3D AF_BLUETOOTH) return -EINVAL; =20 - if (sk->sk_state !=3D BT_OPEN && sk->sk_state !=3D BT_BOUND) + lock_sock(sk); + + if (sk->sk_state !=3D BT_OPEN && sk->sk_state !=3D BT_BOUND) { + release_sock(sk); return -EBADFD; + } =20 - if (sk->sk_type !=3D SOCK_SEQPACKET) - err =3D -EINVAL; + if (sk->sk_type !=3D SOCK_SEQPACKET) { + release_sock(sk); + return -EINVAL; + } =20 - lock_sock(sk); /* Set destination address and psm */ bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr); release_sock(sk); --=20 2.34.1