system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-15 07:47:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net/bluetooth
History
Pauli Virtanen a239110ee8 Bluetooth: hci_sync: always check if connection is alive before deleting 
In hci_abort_conn_sync it is possible that conn is deleted concurrently
by something else, also e.g. when waiting for hdev->lock.  This causes
double deletion of the conn, so UAF or conn_hash.list corruption.

Fix by having all code paths check that the connection is still in
conn_hash before deleting it, while holding hdev->lock which prevents
any races.

Log (when powering off while BAP streaming, occurs rarely):
=======================================================================
kernel BUG at lib/list_debug.c:56!
...
 ? __list_del_entry_valid (lib/list_debug.c:56)
 hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth
 hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth
 ? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth]
 ? lock_release+0x1d5/0x3c0
 ? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __kmem_cache_free+0x14d/0x2e0
 hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth]
 ? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth]
 ? hci_clear_adv_sync+0x14f/0x170 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x293/0x450 [bluetooth]
=======================================================================

Fixes: 94d9ba9f98 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2023-10-11 11:16:46 -07:00
..
bnep Bluetooth: Consolidate code around sk_alloc into a helper function 2023-08-11 11:36:50 -07:00
cmtp Merge branch 'signal-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2022-01-17 05:49:30 +02:00
hidp Bluetooth: Init sk_peer_* on bt_sock_alloc 2023-08-11 11:37:22 -07:00
rfcomm TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
6lowpan.c iov_iter work; most of that is about getting rid of 2022-12-12 18:29:54 -08:00
a2mp.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
a2mp.h
af_bluetooth.c Bluetooth: af_bluetooth: Make BT_PKT_STATUS generic 2023-08-11 11:49:16 -07:00
amp.c
amp.h Bluetooth: Remove unused declaration amp_read_loc_info() 2023-08-11 11:52:13 -07:00
aosp.c Bluetooth: Fix null pointer deref on unexpected status event 2022-08-08 17:04:37 -07:00
aosp.h Bluetooth: aosp: Support AOSP Bluetooth Quality Report 2021-11-02 19:37:52 +01:00
coredump.c Bluetooth: Remove unnecessary NULL check before vfree() 2023-08-11 11:56:54 -07:00
ecdh_helper.c Bluetooth: Use crypto_wait_req 2023-02-13 18:34:48 +08:00
ecdh_helper.h
eir.c Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH 2023-08-24 12:22:05 -07:00
eir.h Bluetooth: Add initial implementation of BIS connections 2022-07-22 17:13:56 -07:00
hci_codec.c Bluetooth: Fix support for Read Local Supported Codecs V2 2022-12-02 13:09:31 -08:00
hci_codec.h
hci_conn.c Bluetooth: Reject connection with the device which has same BD_ADDR 2023-10-11 11:16:24 -07:00
hci_core.c Bluetooth: hci_codec: Fix leaking content of local_codecs 2023-09-20 11:03:11 -07:00
hci_debugfs.c Bluetooth: hci_debugfs: Use kstrtobool() instead of strtobool() 2023-08-11 11:47:44 -07:00
hci_debugfs.h Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c 2021-09-22 16:17:13 +02:00
hci_event.c Bluetooth: Reject connection with the device which has same BD_ADDR 2023-10-11 11:16:24 -07:00
hci_request.c Bluetooth: hci_core: Make hci_is_le_conn_scanning public 2023-08-11 11:54:59 -07:00
hci_request.h Bluetooth: Delete unused hci_req_prepare_suspend() declaration 2023-09-20 10:55:29 -07:00
hci_sock.c Bluetooth: hci_sock: Forward credentials to monitor 2023-08-11 11:37:42 -07:00
hci_sync.c Bluetooth: hci_sync: always check if connection is alive before deleting 2023-10-11 11:16:46 -07:00
hci_sysfs.c Bluetooth: hci_sysfs: make bt_class a static const structure 2023-06-29 10:52:18 -07:00
iso.c Bluetooth: ISO: Fix handling of listen for unicast 2023-09-20 11:02:02 -07:00
Kconfig Bluetooth: Add CONFIG_BT_LE_L2CAP_ECRED 2022-12-12 14:19:24 -08:00
l2cap_core.c Bluetooth: L2CAP: Fix use-after-free 2023-06-29 10:48:35 -07:00
l2cap_sock.c Bluetooth: Init sk_peer_* on bt_sock_alloc 2023-08-11 11:37:22 -07:00
leds.c
leds.h
lib.c Bluetooth: Fix EALREADY and ELOOP cases in bt_status() 2022-12-12 14:19:24 -08:00
Makefile Bluetooth: Add support for hci devcoredump 2023-04-23 21:57:59 -07:00
mgmt.c Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH 2023-08-24 12:22:05 -07:00
mgmt_config.c
mgmt_config.h
mgmt_util.c Bluetooth: Implement support for Mesh 2022-09-06 13:18:24 -07:00
mgmt_util.h Bluetooth: Fix a buffer overflow in mgmt_mesh_add() 2023-01-17 15:50:10 -08:00
msft.c Bluetooth: msft: Fix error code in msft_cancel_address_filter_sync() 2023-08-11 11:44:12 -07:00
msft.h Bluetooth: hci_sync: Refactor remove Adv Monitor 2022-07-21 17:14:55 -07:00
sco.c net: annotate data-races around sk->sk_lingertime 2023-08-21 07:41:57 +01:00
selftest.c
selftest.h
smp.c Bluetooth: L2CAP: Delay identity address updates 2023-04-23 21:48:44 -07:00
smp.h