From 75e34f5cf69bd731d3b7375a786d4a15494fb8c6 Mon Sep 17 00:00:00 2001 From: Kuba Pawlak Date: Mon, 5 Oct 2015 18:44:15 +0200 Subject: [PATCH] Bluetooth: Fix crash on SCO disconnect When disconnecting audio from the phone's side, it may happen, that a thread handling HCI message 'disconnection complete' will get preempted in 'sco_conn_del' before calling 'sco_sock_kill', still holding a pointer to struct sock sk. Interrupting thread started in 'sco_sock_shutdown' will carry on releasing resources and will eventually release struct sock. When execution goes back to first thread it will call sco_sock_kill using now invalid pointer to already destroyed socket. Fix is to grab a reference to the socket a release it after calling 'sco_sock_kill'. [ 166.358213] BUG: unable to handle kernel paging request at 7541203a [ 166.365228] IP: [] bt_sock_unlink+0x1a/0x38 [bluetooth] [ 166.372068] *pdpt = 0000000024b19001 *pde = 0000000000000000 [ 166.378483] Oops: 0002 [#1] PREEMPT SMP [ 166.382871] Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) btintel(O) cdc_acm bluetooth(O) arc4 uinput hid_multitouch iwlmvm(O) usbhid hide [ 166.424233] Pid: 338, comm: kworker/u:2H Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1 [ 166.435112] EIP: 0060:[] EFLAGS: 00010206 CPU: 0 [ 166.441259] EIP is at bt_sock_unlink+0x1a/0x38 [bluetooth] [ 166.447382] EAX: 632e6563 EBX: e4bfc600 ECX: e466d4d3 EDX: 7541203a [ 166.454369] ESI: fb7278ac EDI: e4d52000 EBP: e4669e20 ESP: e4669e0c [ 166.461366] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 [ 166.467391] CR0: 8005003b CR2: 7541203a CR3: 24aba000 CR4: 001007f0 [ 166.474387] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 166.481375] DR6: ffff0ff0 DR7: 00000400 [ 166.485654] Process kworker/u:2H (pid: 338, ti=e4668000 task=e466e030 task.ti=e4668000) [ 166.494591] Stack: [ 166.496830] e4bfc600 e4bfc600 fb715c28 e4717ee0 e4d52000 e4669e3c fb715cf3 e4bfc634 [ 166.505518] 00000068 e4d52000 e4c32000 fb7277c0 e4669e6c fb6f2019 0000004a 00000216 [ 166.514205] e4660101 e4c32008 02000001 00000013 e4d52000 e4c32000 e3dc9240 00000005 [ 166.522891] Call Trace: [ 166.525654] [] ? sco_sock_kill+0x73/0x9a [bluetooth] [ 166.532295] [] ? sco_conn_del+0xa4/0xbf [bluetooth] [ 166.538836] [] ? hci_disconn_complete_evt.clone.55+0x1bd/0x205 [bluetooth] [ 166.547609] [] ? hci_event_packet+0x297/0x223c [bluetooth] [ 166.554805] [] ? dequeue_task+0xaf/0xb7 [ 166.560154] [] ? finish_task_switch+0x50/0x89 [ 166.566086] [] ? __schedule+0x638/0x6b8 [ 166.571460] [] ? hci_rx_work+0xb9/0x2b8 [bluetooth] [ 166.577975] [] ? process_one_work+0x157/0x21b [ 166.583933] [] ? hci_cmd_work+0xef/0xef [bluetooth] [ 166.590448] [] ? worker_thread+0x16e/0x20a [ 166.596088] [] ? manage_workers+0x1cf/0x1cf [ 166.601826] [] ? kthread+0x8d/0x92 [ 166.606691] [] ? ret_from_kernel_thread+0x1b/0x28 [ 166.613010] [] ? __init_kthread_worker+0x24/0x24 [ 166.619230] Code: 85 63 ff ff ff 31 db 8d 65 f4 89 d8 5b 5e 5f 5d c3 56 8d 70 04 53 89 f0 89 d3 e8 7e 17 c6 c5 8b 53 28 85 d2 74 1a 8b 43 24 85 c0 <89> 02 74 03 89 50 04 c7 43 28 00 00 00 [ 166.640501] EIP: [] bt_sock_unlink+0x1a/0x38 [bluetooth] SS:ESP 0068:e4669e0c [ 166.649474] CR2: 000000007541203a [ 166.653420] ---[ end trace 0181ff2c9e42d51e ]--- [ 166.658609] note: kworker/u:2H[338] exited with preempt_count 1 Signed-off-by: Kuba Pawlak Signed-off-by: Marcel Holtmann --- net/bluetooth/sco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index f315c8d0e43b..e21c53b08da4 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -170,11 +170,13 @@ static void sco_conn_del(struct hci_conn *hcon, int err) sco_conn_unlock(conn); if (sk) { + sock_hold(sk); bh_lock_sock(sk); sco_sock_clear_timer(sk); sco_chan_del(sk, err); bh_unlock_sock(sk); sco_sock_kill(sk); + sock_put(sk); } hcon->sco_data = NULL; -- 2.20.1