Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails

jira VULN-7697
cve CVE-2021-34981
commit-author Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
commit 3cfdf8f

When cmtp_attach_device fails, cmtp_add_connection returns the error value
which leads to the caller to doing fput through sockfd_put. But
cmtp_session kthread, which is stopped in this path will also call fput,
leading to a potential refcount underflow or a use-after-free.

Add a refcount before we signal the kthread to stop. The kthread will try
to grab the cmtp_session_sem mutex before doing the fput, which is held
when get_file is called, so there should be no races there.

	Reported-by: Ryota Shiga
	Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 3cfdf8f)
	Signed-off-by: Pratham Patel <ppatel@ciq.com>

Author: thefossguy-ciq

net/bluetooth/cmtp/core.c

@@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
 	if (!(session->flags & BIT(CMTP_LOOPBACK))) {
 		err = cmtp_attach_device(session);
 		if (err < 0) {
+			/* Caller will call fput in case of failure, and so
+			 * will cmtp_session kthread.
+			 */
+			get_file(session->sock->file);
+
 			atomic_inc(&session->terminate);
 			wake_up_process(session->task);
 			up_write(&cmtp_session_sem);