Luiz Augusto von Dentz
3d1c16e920
Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
This fixes the following error caused by hci_conn being freed while
hci_acl_create_conn_sync is pending:
==================================================================
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848
CPU: 0 PID: 848 Comm: kworker/u3:0 Not tainted 6.8.0-rc6-g2ab3e8d67fc1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x21/0x70
print_report+0xce/0x620
? preempt_count_sub+0x13/0xc0
? __virt_addr_valid+0x15f/0x310
? hci_acl_create_conn_sync+0xa7/0x2e0
kasan_report+0xdf/0x110
? hci_acl_create_conn_sync+0xa7/0x2e0
hci_acl_create_conn_sync+0xa7/0x2e0
? __pfx_hci_acl_create_conn_sync+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __pfx_hci_acl_create_conn_sync+0x10/0x10
hci_cmd_sync_work+0x138/0x1c0
process_one_work+0x405/0x800
? __pfx_lock_acquire+0x10/0x10
? __pfx_process_one_work+0x10/0x10
worker_thread+0x37b/0x670
? __pfx_worker_thread+0x10/0x10
kthread+0x19b/0x1e0
? kthread+0xfe/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 847:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xc6/0x970
hci_connect_acl+0x309/0x410
pair_device+0x4fb/0x710
hci_sock_sendmsg+0x933/0xef0
sock_write_iter+0x2c3/0x2d0
do_iter_readv_writev+0x21a/0x2e0
vfs_writev+0x21c/0x7b0
do_writev+0x14a/0x180
do_syscall_64+0x77/0x150
entry_SYSCALL_64_after_hwframe+0x6c/0x74
Freed by task 847:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0xfa/0x150
kfree+0xcb/0x250
device_release+0x58/0xf0
kobject_put+0xbb/0x160
hci_conn_del+0x281/0x570
hci_conn_hash_flush+0xfc/0x130
hci_dev_close_sync+0x336/0x960
hci_dev_close+0x10e/0x140
hci_sock_ioctl+0x14a/0x5c0
sock_ioctl+0x58a/0x5d0
__x64_sys_ioctl+0x480/0xf60
do_syscall_64+0x77/0x150
entry_SYSCALL_64_after_hwframe+0x6c/0x74
Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-03-08 11:06:14 -05:00