path: root/drivers/bluetooth/hci_qca.c
author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> 2021-04-13 18:21:03 +0200
committer: Marcel Holtmann <marcel@holtmann.org> 2021-06-26 07:12:25 +0200
commit: 3cfdf8fcaafa62a4123f92eb0f4a72650da3a479
tree: 13b754f68b1f05811bdc90ac841064c849d94104 /drivers/bluetooth/hci_qca.c
parent: Bluetooth: btusb: fix memory leak
Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails

When cmtp_attach_device fails, cmtp_add_connection returns the error value, which leads to the caller doing fput through sockfd_put. But the cmtp_session kthread, which is stopped in this path, will also call fput, leading to a potential refcount underflow or a use-after-free.

Add a refcount before we signal the kthread to stop. The kthread will try to grab the cmtp_session_sem mutex before doing the fput, which is held when get_file is called, so there should be no races there.

Reported-by: Ryota Shiga
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'drivers/bluetooth/hci_qca.c')
0 files changed, 0 insertions, 0 deletions
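
The reference accounting described in the commit message, as a single-threaded userspace model. This is an added example, not code from the commit or the kernel: every name in it is hypothetical, and it assumes the open descriptor holds one reference and the caller's lookup by fd takes a second. The cmtp_session_sem ordering is not modelled.

```c
#include <stdio.h>

/* Userspace model of the reference counting only; every name here is
 * hypothetical and none of this is kernel code. */
struct file_model {
    int refs;   /* model of the struct file reference count */
    int freed;  /* set when refs reaches zero */
};

static void model_get(struct file_model *f) { f->refs++; }

static void model_put(struct file_model *f)
{
    if (--f->refs == 0)
        f->freed = 1;
}

/* Error path: attach fails, the session thread is stopped and drops its
 * reference, then the error is returned to the caller. */
static int model_add_connection(struct file_model *f, int extra_ref)
{
    if (extra_ref)
        model_get(f);   /* the fix: take a reference before stopping the thread */
    model_put(f);       /* fput done by the stopped session thread */
    return -1;          /* attach failed */
}

/* Returns the reference count left after the failed call. The descriptor
 * table still points at the file, so anything below 1 is a dangling fd. */
static int model_failed_ioctl(int extra_ref)
{
    struct file_model f = { .refs = 1, .freed = 0 }; /* ref held by the open fd */

    model_get(&f);                       /* caller looks the socket up by fd */
    if (model_add_connection(&f, extra_ref) < 0)
        model_put(&f);                   /* caller's put on the error return */
    return f.refs;
}

int main(void)
{
    printf("without extra ref: %d\n", model_failed_ioctl(0));
    printf("with extra ref:    %d\n", model_failed_ioctl(1));
    return 0;
}
```

Without the extra reference the count reaches zero while the descriptor is still open, which is the use-after-free condition; with it, the descriptor's own reference survives the failed call.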