Bluetooth: Check rfcomm session and DLC exists on socket close

A race condition exists between near simultaneous asynchronous
DLC data channel disconnection requests from the host and remote device.
This causes the socket layer to request a socket shutdown at the same
time the rfcomm core is processing the disconnect request from the remote
device.

The socket layer retains a copy of a struct rfcomm_dlc d pointer.
The d pointer refers to a copy of a struct rfcomm_session.
When the socket layer thread performs a socket shutdown, the thread
may wait on a rfcomm lock in rfcomm_dlc_close(). This means that
whilst the thread waits, the rfcomm_session and/or rfcomm_dlc structures
pointed to by d maybe freed due to rfcomm core handling. Consequently,
when the rfcomm lock becomes available and the thread runs, a
malfunction could occur as a freed rfcomm_session structure and/or a
freed rfcomm_dlc structure will be erroneously accessed.

Therefore, after the rfcomm lock is acquired, check that the struct
rfcomm_session is still valid by searching the rfcomm session list.
If the session is valid then validate the d pointer by searching the
rfcomm session list of active DLCs for the rfcomm_dlc structure
pointed by d.

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index d301fbbe20982a660417d874982c96a79c01de00..d9e97cf1792bc89366f9bb28fb5f722d8412aad8 100644 (file)
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -493,12 +493,34 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 
 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 {
-       int r;
+       int r = 0;
+       struct rfcomm_dlc *d_list;
+       struct rfcomm_session *s, *s_list;
+
+       BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
 
        rfcomm_lock();
 
-       r = __rfcomm_dlc_close(d, err);
+       s = d->session;
+       if (!s)
+               goto no_session;
+
+       /* after waiting on the mutex check the session still exists
+        * then check the dlc still exists
+        */
+       list_for_each_entry(s_list, &session_list, list) {
+               if (s_list == s) {
+                       list_for_each_entry(d_list, &s->dlcs, list) {
+                               if (d_list == d) {
+                                       r = __rfcomm_dlc_close(d, err);
+                                       break;
+                               }
+                       }
+                       break;
+               }
+       }
 
+no_session:
        rfcomm_unlock();
        return r;
 }