[PATCH v1 0/2] Bluetooth: Fix data-race on dst/src in connect paths

SeungJu Cheon posted 2 patches 1 week, 2 days ago
Two KCSAN-reported data races on socket address fields passed to
hci_get_route() without proper synchronization.

Patch 1/2 fixes ISO: iso_connect_bis(), iso_connect_cis(),
iso_listen_bis(), and iso_conn_big_sync() read iso_pi(sk)->dst/src
without lock_sock before calling hci_get_route().

Patch 2/2 fixes SCO: sco_connect() reads sco_pi(sk)->dst after
lock_sock has been released by the caller.

Both races were confirmed with KCSAN using VHCI-based reproducers.

SeungJu Cheon (2):
  Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls
  Bluetooth: SCO: Fix data-race on dst in sco_connect

 net/bluetooth/iso.c | 51 ++++++++++++++++++++++++++++++++++-----------
 net/bluetooth/sco.c | 11 +++++++---
 2 files changed, 47 insertions(+), 15 deletions(-)

-- 
2.52.0
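A user-space model of the locking discipline this series describes: the socket's dst/src are copied while the socket lock is held and the route lookup runs on the private copies. This is an added illustration, not the kernel patch; `struct iso_sock`, `hci_get_route_model()` and the controller table are constructed stand-ins for `iso_pi(sk)`, `hci_get_route()` and `hci_dev_list`, and a pthread mutex stands in for `lock_sock()`/`release_sock()`.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint8_t b[6]; } bdaddr_t;

struct iso_sock {
    pthread_mutex_t lock;   /* stands in for lock_sock()/release_sock() */
    bdaddr_t src, dst;      /* the iso_pi(sk)->src / ->dst fields */
};

struct hci_dev { int id; bdaddr_t bdaddr; };

/* Constructed controller table; the real hci_get_route() walks hci_dev_list. */
static struct hci_dev hci_devs[] = {
    { 0, {{0x11, 0x22, 0x33, 0x44, 0x55, 0x66}} },
    { 1, {{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}} },
};
#define NDEVS (sizeof hci_devs / sizeof hci_devs[0])

/* Simplified model of hci_get_route(): prefer the controller whose address
 * equals src, otherwise fall back to the first controller. Returns the id. */
static int hci_get_route_model(const bdaddr_t *src)
{
    for (size_t i = 0; i < NDEVS; i++)
        if (memcmp(&hci_devs[i].bdaddr, src, sizeof *src) == 0)
            return hci_devs[i].id;
    return hci_devs[0].id;
}

/* Fixed shape of the connect path: dst/src are read only under the lock and
 * the lookup uses the stack copies, so a concurrent writer of those fields
 * cannot race with this read. Returns the chosen controller id. */
int iso_connect_model(struct iso_sock *sk, bdaddr_t *dst_out)
{
    bdaddr_t src, dst;

    pthread_mutex_lock(&sk->lock);
    src = sk->src;                  /* snapshot under the socket lock */
    dst = sk->dst;
    pthread_mutex_unlock(&sk->lock);

    if (dst_out)
        *dst_out = dst;
    return hci_get_route_model(&src);   /* no sk access after unlock */
}
```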