Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

ignatk · kuba-moo · commit 7c4f78cdb8e7 · 2024-10-15T18:43:07.000-07:00
bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. Signed-off-by: Ignat Korchagin <ignat@cloudflare.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20241014153808.51894-3-ignat@cloudflare.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
@@ -1886,6 +1886,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
 	chan = l2cap_chan_create();
 	if (!chan) {
 		sk_free(sk);
+		sock->sk = NULL;
 		return NULL;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -1886,6 +1886,7 @@ static struct sock l2cap_sock_alloc(struct net net, struct socket *sock,`
`1886`	`1886`	`chan = l2cap_chan_create();`
`1887`	`1887`	`if (!chan) {`
`1888`	`1888`	`sk_free(sk);`
	`1889`	`+ sock->sk = NULL;`
`1889`	`1890`	`return NULL;`
`1890`	`1891`	`}`
`1891`	`1892`