From 27c24fda62b601d6f9ca5e992502578c4310876f Mon Sep 17 00:00:00 2001
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Date: Tue, 10 Aug 2021 12:14:07 +0800
Subject: [PATCH] Bluetooth: switch to lock_sock in SCO
Git-commit: 27c24fda62b601d6f9ca5e992502578c4310876f
Patch-mainline: v5.15-rc1
References: CVE-2021-3640 bsc#1188172
Since sco_sock_timeout is now scheduled using delayed work, it is no
longer run in SOFTIRQ context. Hence bh_lock_sock is no longer
necessary in SCO to synchronise between user contexts and SOFTIRQ
processing.
As such, calls to bh_lock_sock should be replaced with lock_sock to
synchronize with other concurrent processes that use lock_sock.
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Acked-by: Takashi Iwai <tiwai@suse.de>
---
net/bluetooth/sco.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -92,10 +92,10 @@ static void sco_sock_timeout(struct work
BT_DBG("sock %p state %d", sk, sk->sk_state);
- bh_lock_sock(sk);
+ lock_sock(sk);
sk->sk_err = ETIMEDOUT;
sk->sk_state_change(sk);
- bh_unlock_sock(sk);
+ release_sock(sk);
sco_sock_kill(sk);
sock_put(sk);
@@ -192,10 +192,10 @@ static void sco_conn_del(struct hci_conn
if (sk) {
sock_hold(sk);
- bh_lock_sock(sk);
+ lock_sock(sk);
sco_sock_clear_timer(sk);
sco_chan_del(sk, err);
- bh_unlock_sock(sk);
+ release_sock(sk);
sco_sock_kill(sk);
sock_put(sk);
@@ -1047,10 +1047,10 @@ static void sco_conn_ready(struct sco_co
if (sk) {
sco_sock_clear_timer(sk);
- bh_lock_sock(sk);
+ lock_sock(sk);
sk->sk_state = BT_CONNECTED;
sk->sk_state_change(sk);
- bh_unlock_sock(sk);
+ release_sock(sk);
} else {
sco_conn_lock(conn);
@@ -1065,12 +1065,12 @@ static void sco_conn_ready(struct sco_co
return;
}
- bh_lock_sock(parent);
+ lock_sock(parent);
sk = sco_sock_alloc(sock_net(parent), NULL,
BTPROTO_SCO, GFP_ATOMIC, 0);
if (!sk) {
- bh_unlock_sock(parent);
+ release_sock(parent);
sco_conn_unlock(conn);
return;
}
@@ -1091,7 +1091,7 @@ static void sco_conn_ready(struct sco_co
/* Wake up parent */
parent->sk_data_ready(parent);
- bh_unlock_sock(parent);
+ release_sock(parent);
sco_conn_unlock(conn);
}