| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2024-02-20 13:10:47 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-05-02 16:35:35 +0200 |
| commit | c4c9d6b6504aebfddeb0c6727cfa8ede301e94eb (patch) | |
| tree | 89eb89733db238147d0182e2a79a71b0cfad9a19 | |
| parent | f1e50e582a4c2cd7ef3f4f866f8a7eb1066e011b (diff) | |
Bluetooth: hci_sync: Fix UAF on create_le_conn_complete
commit f7cbce60a38a6589f0dade720d4c2544959ecc0e upstream.
While waiting for hci_dev_lock the hci_conn object may be cleaned up,
causing the following trace:
BUG: KASAN: slab-use-after-free in hci_connect_le_scan_cleanup+0x29/0x350
Read of size 8 at addr ffff888001a50a30 by task kworker/u3:1/111
CPU: 0 PID: 111 Comm: kworker/u3:1 Not tainted
6.8.0-rc2-00701-g8179b15ab3fd-dirty #6418
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x21/0x70
print_report+0xce/0x620
? preempt_count_sub+0x13/0xc0
? __virt_addr_valid+0x15f/0x310
? hci_connect_le_scan_cleanup+0x29/0x350
kasan_report+0xdf/0x110
? hci_connect_le_scan_cleanup+0x29/0x350
hci_connect_le_scan_cleanup+0x29/0x350
create_le_conn_complete+0x25c/0x2c0
Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | net/bluetooth/hci_sync.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 02661d42bf56..48a276ebc473 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -6763,6 +6763,9 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) hci_dev_lock(hdev); + if (!hci_conn_valid(hdev, conn)) + goto done; + if (!err) { hci_connect_le_scan_cleanup(conn, 0x00); goto done; |
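Review bot: The added `hci_conn_valid(hdev, conn)` check sits in the right place, after `hci_dev_lock(hdev)` and before either branch dereferences `conn`, but the commit message should spell out why a plain NULL check would not do: `conn` arrives as `data` captured when the sync command was queued, so by the time the completion runs under the lock the object may already have been freed, and the only safe thing to do with such a pointer is a lookup-by-identity in the connection list, which is what `hci_conn_valid` provides. A one-line comment above the check (e.g. `/* conn may have been freed while waiting for hci_dev_lock */`) would make that intent obvious to the next reader. One caveat worth stating for reviewers: an identity lookup is only a correct guard if every hci_conn free and the check itself are serialized by `hci_dev_lock`; if any free path drops the object outside that lock, the check still races. The `goto done` on the invalid path is consistent with the existing `!err` branch, which presumably unlocks at `done:` (the label is outside the hunk), so the lock balance looks fine from what is visible here.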